Re: [Tools-discuss] RFC PDF crashes viewer

Erik Auerswald <auerswal@unix-ag.uni-kl.de> Fri, 26 June 2020 16:51 UTC

Date: Fri, 26 Jun 2020 18:51:23 +0200
From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
To: tools-discuss@ietf.org
Message-ID: <20200626165123.GA24364@unix-ag.uni-kl.de>
References: <0DE4B90E-B03A-45BB-959B-89B695217188@tzi.org>
In-Reply-To: <0DE4B90E-B03A-45BB-959B-89B695217188@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tools-discuss/QWzWMLttOct9dHj8rBoeG2K1uLg>
Subject: Re: [Tools-discuss] RFC PDF crashes viewer

Hi,

On Fri, Jun 26, 2020 at 05:44:35PM +0200, Carsten Bormann wrote:
> This is undoubtedly a bug in the viewer, but I have received a report
> the PDF viewer evince (tested with versions 3.30.2 and 3.36.5, i.e.,
> newer than CVE-2019-1010006) crashes when trying to view:
>   
> https://www.rfc-editor.org/rfc/rfc8798.pdf
> 
> I have no further data at this time.

I can confirm this for evince in Ubuntu 18.04 LTS with current updates:

    $ evince --version
    GNOME Document Viewer 3.28.4
    $ evince rfc8798.pdf 
    Segmentation fault (core dumped)

CVE-2019-1010006 should be fixed there, too, see:
https://usn.ubuntu.com/4067-1/

The apport report shows a SIGSEGV during a function to free a string,
just as it did back in 2019 when the first RFC PDFs from xml2rfc v3 were
published:

    evince crashed with SIGSEGV in g_string_free()

Sadly my Ubuntu bug report from back then has disappeared, so I cannot
provide a reference.  Perhaps they did understand that this kind of
program behavior has security implications. ;-)

I have opened a new bug report for this file:

https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1885313

Back then I noticed the problem with RFC 8655.  This problem still exists
(a further hint that my original bug report might have been hidden
because it may point to a still open security vulnerability):

    $ evince rfc8655.pdf 
    Segmentation fault (core dumped)

There were more PDF renderings of RFCs evince could not handle (or rather
cannot handle since) then, e.g. RFC 8650 and RFC 8651:

    $ evince rfc8650.pdf 
    Segmentation fault (core dumped)
    $ evince rfc8651.pdf 
    Segmentation fault (core dumped)

Those examples and more were included in my 2019 Ubuntu bug report.

Thanks,
Erik
-- 
Simplicity is prerequisite for reliability.
                        -- Edsger W. Dijkstra
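The message above reproduces the crash by hand, one PDF at a time, and reads the result off the shell ("Segmentation fault (core dumped)"). When a bug tracker asks which of several files trigger the problem and with which signal, it helps to run the viewer over a whole directory and record the outcome per file. The script below is an added example and is not part of the thread or of evince; it assumes a viewer command such as `evince` is installed and on PATH, uses a fixed timeout so a hung viewer does not block the batch, and maps a negative subprocess return code back to the signal name (on POSIX, `subprocess` reports a signal-killed child as `-signum`).

```python
"""Triage a set of PDFs against a viewer command and record how each run ended.

Added example, not code from the mailing-list thread or from evince.
Assumes a POSIX system where a child killed by a signal is reported by
subprocess.run() with a negative return code.
"""
import signal
import subprocess
from pathlib import Path
from typing import Iterable, Optional, Sequence, Tuple

# Outcome label and raw return code (None when no code was produced).
Outcome = Tuple[str, Optional[int]]


def classify_run(cmd: Sequence[str], timeout: float = 30.0) -> Outcome:
    """Run cmd and classify how it ended.

    Returns one of:
      ("ok", 0)              clean exit
      ("error", rc)          non-zero exit status (e.g. a parse error)
      ("signal:SIGSEGV", rc) killed by a signal; rc is the negative signum
      ("timeout", None)      still running after `timeout` seconds
      ("missing", None)      the command itself could not be started
    """
    try:
        proc = subprocess.run(
            list(cmd),
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
        )
    except FileNotFoundError:
        return ("missing", None)
    except subprocess.TimeoutExpired:
        return ("timeout", None)

    rc = proc.returncode
    if rc < 0:
        # subprocess reports a signal-terminated child as -signum on POSIX.
        return (f"signal:{signal.Signals(-rc).name}", rc)
    if rc == 0:
        return ("ok", rc)
    return ("error", rc)


def triage(files: Iterable[Path], viewer: Sequence[str] = ("evince",),
           timeout: float = 30.0) -> dict:
    """Run `viewer <file>` for every file and collect the outcome per path."""
    results = {}
    for f in files:
        results[str(f)] = classify_run(list(viewer) + [str(f)], timeout=timeout)
    return results


def crashed(results: dict) -> list:
    """Return the paths whose viewer run ended in a signal (crash)."""
    return sorted(p for p, (label, _) in results.items() if label.startswith("signal:"))


if __name__ == "__main__":
    import sys
    # Usage: python triage_pdfs.py DIR [viewer command...]
    directory = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    viewer_cmd = tuple(sys.argv[2:]) or ("evince",)
    report = triage(sorted(directory.glob("*.pdf")), viewer=viewer_cmd)
    for path, (label, rc) in report.items():
        print(f"{label:16} rc={rc!s:5} {path}")
    print("crashing files:", crashed(report))
```

The viewer is a GUI program, so run this on a machine with a display (or under a virtual framebuffer) and, since the files under test are untrusted input that is known to crash the parser, inside a sandbox or disposable VM rather than on a workstation. Because a viewer that opens a file successfully keeps running, the "timeout" outcome is the expected result for a healthy file with a short timeout; only the `signal:*` entries are the ones worth attaching to a bug report.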