Mageia Bugzilla – Attachment 9997 Details for Bug 22586: qpdf new security issues fixed upstream in 7.0.0
POC tests and quick tests of qpdf
report.22586 (text/plain), 6.29 KB, created by Len Lawrence on 2018-02-20 18:59:41 CET
Mageia 6 :: x86_64
Issue 149 has been assigned a CVE but none of the others.
Some POCs are available.

issue 51:
https://crashes.fuzzing-project.org/qpdf-crash.pdf
$ qpdf qpdf-crash.pdf dump
WARNING: qpdf-crash.pdf: reported number of objects (0) inconsistent with actual number of objects (9)
WARNING: qpdf-crash.pdf (object 7 0, file position 553): expected endobj
WARNING: qpdf-crash.pdf (object 1 0, file position 359): expected endobj
WARNING: qpdf-crash.pdf (file position 70): loop detected resolving object 2 0
WARNING: qpdf-crash.pdf (object 2 0, file position 26): /Length key in stream dictionary is not an integer
WARNING: qpdf-crash.pdf (object 2 0, file position 71): attempting to recover stream length
WARNING: qpdf-crash.pdf (object 2 0, file position 71): unable to recover stream data; treating stream as empty
WARNING: qpdf-crash.pdf (object 2 0, file position 977): EOF while reading token
qpdf: operation succeeded with warnings; resulting file may have some problems

issue 143:
https://github.com/qpdf/qpdf/issues/143
$ qpdf stackoverflow.pdf dump
WARNING: stackoverflow.pdf: can't find PDF header
WARNING: stackoverflow.pdf: file is damaged
WARNING: stackoverflow.pdf: can't find startxref
WARNING: stackoverflow.pdf: Attempting to reconstruct cross-reference table
stackoverflow.pdf: unable to find trailer dictionary while recovering damaged file

issue 147:
https://github.com/qpdf/qpdf/issues/147
$ qpdf qpdf-stack-oob-iterate_rc4.pdf dump
WARNING: qpdf-stack-oob-iterate_rc4.pdf: can't find PDF header
WARNING: qpdf-stack-oob-iterate_rc4.pdf: file is damaged
WARNING: qpdf-stack-oob-iterate_rc4.pdf: can't find startxref
WARNING: qpdf-stack-oob-iterate_rc4.pdf: Attempting to reconstruct cross-reference table
WARNING: qpdf-stack-oob-iterate_rc4.pdf (trailer, file position 9): expected dictionary key but found non-name object; inserting key /QPDFFake1
WARNING: qpdf-stack-oob-iterate_rc4.pdf (object 62 0, file position 88): expected endobj
WARNING: qpdf-stack-oob-iterate_rc4.pdf (trailer, file position 90): invalid /ID in trailer dictionary
qpdf-stack-oob-iterate_rc4.pdf (encryption dictionary, file position 90): incorrect length for /O and/or /U in encryption dictionary

issue 150
https://github.com/qpdf/qpdf/issues/150
$ qpdf qpdf-heapoob-Pl_Buffer_write.pdf dump
WARNING: qpdf-heapoob-Pl_Buffer_write.pdf: can't find PDF header
WARNING: qpdf-heapoob-Pl_Buffer_write.pdf: file is damaged
WARNING: qpdf-heapoob-Pl_Buffer_write.pdf: can't find startxref
WARNING: qpdf-heapoob-Pl_Buffer_write.pdf: Attempting to reconstruct cross-reference table
qpdf-heapoob-Pl_Buffer_write.pdf: unable to find trailer dictionary while recovering damaged file

CVE-2017-18186
issue 149:
https://github.com/qpdf/qpdf/issues/149
$ qpdf loop_edited.pdf dump
^C
Had to crash out of an infinite loop.
-------------------------------------------------------------------------------
Afterwards:

51:
$ qpdf qpdf-crash.pdf dump
< the same output as before >

143:
$ qpdf stackoverflow.pdf dump
WARNING: stackoverflow.pdf: can't find PDF header
WARNING: stackoverflow.pdf (xref stream: object 3 0, file position 654): stream keyword not followed by proper line terminator
WARNING: stackoverflow.pdf (xref stream: object 3 0, file position 607): stream dictionary lacks /Length key
WARNING: stackoverflow.pdf (xref stream: object 3 0, file position 654): attempting to recover stream length
WARNING: stackoverflow.pdf (xref stream: object 3 0, file position 654): unable to recover stream data; treating stream as empty
WARNING: stackoverflow.pdf: file is damaged
WARNING: stackoverflow.pdf (file position 600): xref not found
WARNING: stackoverflow.pdf: Attempting to reconstruct cross-reference table
stackoverflow.pdf: unable to find trailer dictionary while recovering damaged file
< more verbose >

147:
$ qpdf qpdf-stack-oob-iterate_rc4.pdf dump
WARNING: qpdf-stack-oob-iterate_rc4.pdf: can't find PDF header
WARNING: qpdf-stack-oob-iterate_rc4.pdf: file is damaged
WARNING: qpdf-stack-oob-iterate_rc4.pdf: can't find startxref
WARNING: qpdf-stack-oob-iterate_rc4.pdf: Attempting to reconstruct cross-reference table
WARNING: qpdf-stack-oob-iterate_rc4.pdf (trailer, file position 9): expected dictionary key but found non-name object; inserting key /QPDFFake1
WARNING: qpdf-stack-oob-iterate_rc4.pdf (object 62 0, file position 88): expected endobj
WARNING: qpdf-stack-oob-iterate_rc4.pdf (trailer, file position 90): invalid /ID in trailer dictionary
qpdf-stack-oob-iterate_rc4.pdf: invalid password
< different >

150:
$ qpdf qpdf-heapoob-Pl_Buffer_write.pdf dump
WARNING: qpdf-heapoob-Pl_Buffer_write.pdf: can't find PDF header
overflow/underflow converting 9900000000000000000 to 64-bit integer
< better >

149:
$ qpdf loop_edited.pdf dump
WARNING: loop_edited.pdf: reported number of objects (11) inconsistent with actual number of objects (7)
qpdf: operation succeeded with warnings; resulting file may have some problem
< handles the infinite loop >

After the updates the POC results tend to indicate that problem files are handled better but a couple are equivocal.
-------------------------------------------------------------------------------
Ran a few simple tests.
Use 'qpdf --help' for a summary of the options.

$ qpdf --show-npages books/MySQLForTheInternetOfThings.pdf
329
$ qpdf --check books/metaprogramming-ruby-2_p3_0.pdf
checking books/metaprogramming-ruby-2_p3_0.pdf
PDF Version: 1.5
File is not encrypted
File is not linearized
No syntax or stream encoding errors found; the file may still contain
errors that qpdf cannot detect
$ qpdf networking_guide.pdf output.pdf
This simply copies the file.
$ ll networking_guide.pdf output.pdf
-rw-r--r-- 1 lcl lcl 149289 Jun 22 2013 networking_guide.pdf
-rw-r--r-- 1 lcl lcl 150314 Feb 20 17:39 output.pdf
$ qpdf --show-xref UsingDocker.pdf
1/0: uncompressed; offset = 15
2/0: uncompressed; offset = 192
3/0: uncompressed; offset = 0
4/0: uncompressed; offset = 0
5/0: uncompressed; offset = 0
6/0: uncompressed; offset = 0
7/0: uncompressed; offset = 0
8/0: uncompressed; offset = 0
9/0: uncompressed; offset = 0
10/0: uncompressed; offset = 0
11/0: uncompressed; offset = 312
12/0: uncompressed; offset = 899369
..... snip ............
$ qpdf --show-pages UsingDocker.pdf
page 1: 6080 0 R
  content:
    6464 0 R
    6110 0 R
..... snip ..........
    6466 0 R
page 2: 6099 0 R
  content:
    6470 0 R
    6100 0 R
..... snip ...........

OK for 64 bits.
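
Added example, not part of the attached report or of qpdf: a time-boxed harness for the before/after comparison above, so that a hang such as the one on loop_edited.pdf is recorded as a verdict instead of needing ^C. It assumes GNU coreutils `timeout` and qpdf's documented exit codes (0 clean, 3 warnings only, 2 errors); the function names and the LIMIT variable are illustrative.

```shell
#!/bin/sh
# Added example: time-boxed triage of parser test files.
# Assumptions: GNU coreutils `timeout` (exit 124 on timeout) and qpdf's
# documented exit codes (0 = clean, 3 = warnings only, 2 = errors).

# classify_run LIMIT_SECONDS CMD [ARGS...]  -> prints one verdict word
classify_run() {
    limit=$1; shift
    rc=0
    # TERM at the limit, KILL 2 s later if the process ignores TERM.
    timeout -k 2 "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       echo clean ;;
        3)       echo warnings ;;
        2)       echo rejected ;;
        124|137) echo hang ;;   # 137 = had to be KILLed (an OOM kill looks the same)
        *)       if [ "$rc" -gt 128 ]; then
                     echo "crash(signal $((rc - 128)))"
                 else
                     echo "other($rc)"
                 fi ;;
    esac
}

# triage DIR: one "file verdict" line per PDF in DIR
triage() {
    out=$(mktemp) || return 1
    for f in "$1"/*.pdf; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "${f##*/}" "$(classify_run "${LIMIT:-10}" qpdf "$f" "$out")"
    done
    rm -f "$out"
}

if [ $# -gt 0 ]; then triage "$1"; fi
```

Saving the output of one run before the update and one after, then diffing the two files, gives the same comparison as the manual notes, with "hang" and "crash(signal N)" distinguished from qpdf's own handled errors.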