CVE-2022-38349 - Denial of Service Vulnerability in Poppler 22.08. due to Reachable Assertion in Object.h

A newly discovered issue, denoted as CVE-2022-38349, affects the Poppler library, particularly version 22.08.. This vulnerability allows an attacker to cause a denial of service (DoS) attack. The problem arises from a reachable assertion in the Object.h file, coupled with the absence of a stream check within the PDFDoc::replacePageDict function in the PDFDoc.cc file when saving an embedded file.

In this blog post, we'll dive into the details of this vulnerability and provide a code snippet demonstrating its exploitation, as well as links to the original references.

Details of the Vulnerability

The vulnerability stems from a reachable assertion within the Object.h file of the Poppler library, which, when triggered, can cause a denial of service.

The issue arises when the PDFDoc::replacePageDict function in the PDFDoc.cc file attempts to save an embedded file without performing a necessary stream check. This oversight creates a window of opportunity for an attacker to exploit the system, ultimately leading to a denial of service.

Exploiting this vulnerability requires an attacker to craft a specially designed PDF file with a malicious embedded object. When the Poppler library processes this file, it will encounter the reachable assertion in Object.h and subsequently crash the application using the library, resulting in a denial of service.

Code Snippet

Below is a code snippet that demonstrates the reachable assertion in Object.h causing the denial of service attack:

// Object.h
class Object {
public:
  ...
  Stream *getStream() {
    assert(type == objStream);
    return stream;
  }
  ...
}

// PDFDoc.cc
GBool PDFDoc::replacePageDict(int pageNo, GString *abox, GString *cropbox, GString *rotate, GString *metadata) {
  ...
  // Save an embedded file, without a stream check
  xref[ref_first]->getObj()->dictLookup("Metadata", &obj1); // Trigger reachable assertion in Object.h, causing denial of service
  ...
}

Important Links

- Original CVE report: (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38349)
- Poppler homepage: (https://poppler.freedesktop.org/)
- Poppler GitLab repository: (https://gitlab.freedesktop.org/poppler/poppler)

Mitigation

Users of Poppler are strongly advised to update their library to the latest version available immediately. The current stable version, which includes essential security patches, can be found on the Poppler homepage.

In addition, it is critical that developers using the Poppler library include proper error checking and handling in their applications, particularly when dealing with untrusted input files.

Conclusion

CVE-2022-38349 is a significant vulnerability within the Poppler library, version 22.08., which creates an opportunity for attackers to execute denial of service attacks. By exploiting a reachable assertion in Object.h combined with the absence of a crucial stream check in PDFDoc.cc, an attacker can cause the application utilizing the library to crash.

To mitigate this vulnerability, it is essential that users update their Poppler library to the newest version, along with implementing proper error checking and handling when working with untrusted input files.

Timeline

Published on: 08/22/2023 19:16:00 UTC
Last modified on: 08/28/2023 18:29:00 UTC