
Issue metadata

Status: Verified
Owner:
Closed: Aug 2
Cc:
Components:
EstimatedDays: ----
NextAction: 2018-10-01
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security



Hotlists containing this issue:
pdfium-issues



Issue 867501: Security: Talos Security Advisory for Google PDFium (TALOS-2018-0639)

Reported by regiw...@sourcefire.com, Jul 25 2018

Issue description

### Summary

An exploitable out-of-bounds read on the heap vulnerability exists in the JBIG2 parsing code of Google Chrome version 67.0.3396.99. A specially crafted PDF document can trigger an out-of-bounds read, which can possibly lead to an information leak that could be used as part of an exploit. An attacker needs to trick the user into visiting a malicious site to trigger the vulnerability.
 
Attachment: Google Vulnerability Report.TALOS 2018 0639.zip (8.4 KB)

Comment 1 by ClusterFuzz, Jul 25 2018

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5804313709117440.

Comment 2 by mbarbe...@chromium.org, Jul 25 2018

Components: Internals>Plugins>PDF

Comment 3 by hnakashima@chromium.org, Jul 25 2018

Labels: Pri-1
Owner: tsepez@chromium.org

Comment 4 by thestig@chromium.org, Jul 25 2018

Labels: OS-Chrome OS-Linux OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
I can repro with ASAN pdfium_test at ToT.

Comment 5 by ClusterFuzz, Jul 25 2018

Project Member
Labels: Security_Impact-Stable Security_Severity-Medium
Detailed report: https://clusterfuzz.com/testcase?key=5804313709117440

Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x609000014908
Crash State:
  CJBig2_Image::ComposeToOpt2WithRect
  CJBig2_Context::ParseGenericRegion
  CJBig2_Context::ProcessingParseSegmentData
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=487701:487743

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5804313709117440

See https://github.com/google/clusterfuzz-tools for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

Comment 6 by sheriffbot@chromium.org, Jul 26 2018

Project Member
Labels: M-68 Target-68

Comment 7 by sheriffbot@chromium.org, Jul 26 2018

Project Member
Status: Assigned (was: Untriaged)

Comment 8 by tsepez@chromium.org, Jul 31 2018

CL at https://pdfium-review.googlesource.com/c/pdfium/+/39310 to check the immediate issue at hand.

Comment 9 by bugdroid1@chromium.org, Aug 1

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0cb45daf738064de834f2c048e37dafffc700ae3

commit 0cb45daf738064de834f2c048e37dafffc700ae3
Author: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Wed Aug 01 22:37:45 2018

Roll src/third_party/pdfium 2563fc3895f2..0562ff4f6e2e (2 commits)

https://pdfium.googlesource.com/pdfium.git/+log/2563fc3895f2..0562ff4f6e2e


git log 2563fc3895f2..0562ff4f6e2e --date=short --no-merges --format='%ad %ae %s'
2018-08-01 tsepez@chromium.org Bounds check lineSrc in JBig2_Image.cpp.
2018-08-01 rharrison@chromium.org Add in support for using .evt in make_expected.sh


Created with:
  gclient setdep -r src/third_party/pdfium@0562ff4f6e2e

The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.



BUG= chromium:867501 
TBR=dsinclair@chromium.org

Change-Id: I9e03617e8c2be4be678a25c82fac6bff19e722ae
Reviewed-on: https://chromium-review.googlesource.com/1159241
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#579968}
[modify] https://crrev.com/0cb45daf738064de834f2c048e37dafffc700ae3/DEPS
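The fix rolled in above is described only by its subject line, "Bounds check lineSrc in JBig2_Image.cpp", and the ClusterFuzz stack shows the read happening while a generic region is composed onto the page image. As an added illustration (not pdfium's code; the Image and Rect types, the OR compose and the demo values are assumptions), this C snippet shows the defensive pattern: clip the region's claimed rectangle against both the source and destination bitmaps before any per-row pointer is formed, so a header that claims more pixels than the decoded bitmap holds cannot drive a read past the buffer.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a bi-level region bitmap (one byte per pixel, rows
 * back to back). It is not pdfium's CJBig2_Image; the shape is only illustrative. */
typedef struct { int32_t width, height; uint8_t *data; } Image;
typedef struct { int32_t left, top, width, height; } Rect;

/* Clip r to [0,w) x [0,h) using 64-bit math so hostile sizes cannot overflow.
 * Returns 0 when nothing of r remains inside the image. */
static int clip_rect(Rect *r, int32_t w, int32_t h)
{
    int64_t right = (int64_t)r->left + r->width, bottom = (int64_t)r->top + r->height;
    if (r->left < 0) r->left = 0;
    if (r->top < 0) r->top = 0;
    if (right > w) right = w;
    if (bottom > h) bottom = h;
    if (right <= r->left || bottom <= r->top) return 0;
    r->width = (int32_t)(right - r->left), r->height = (int32_t)(bottom - r->top);
    return 1;
}
/* OR the pixels of src inside src_rect onto dst at (dx, dy). Both the source rect
 * and its destination footprint are clipped before lineSrc/lineDst are formed, so
 * an oversized region header cannot make lineSrc run past src->data. */
static int64_t compose_or(Image *dst, const Image *src, Rect src_rect, int32_t dx, int32_t dy)
{
    if (!src->data || !dst->data || !clip_rect(&src_rect, src->width, src->height)) return 0;
    Rect dst_rect = { dx, dy, src_rect.width, src_rect.height };
    if (!clip_rect(&dst_rect, dst->width, dst->height)) return 0;
    src_rect.left += dst_rect.left - dx;  /* the destination-side clip may move the */
    src_rect.top  += dst_rect.top - dy;   /* origin; keep source and destination aligned */
    for (int32_t row = 0; row < dst_rect.height; row++) {
        const uint8_t *lineSrc = src->data + (size_t)(src_rect.top + row) * src->width + src_rect.left;
        uint8_t *lineDst = dst->data + (size_t)(dst_rect.top + row) * dst->width + dst_rect.left;
        for (int32_t col = 0; col < dst_rect.width; col++) lineDst[col] |= lineSrc[col];
    }
    return (int64_t)dst_rect.width * dst_rect.height;   /* pixels actually composed */
}
/* Demo (constructed): a 4x4 all-ones source composed with a rect that claims 6x6
 * pixels from (2,2), i.e. well past the real bitmap. Returns pixels written, -1 on mismatch. */
static int64_t demo_oversized_region(void)
{
    uint8_t s[16], d[64];
    memset(s, 1, sizeof s);
    memset(d, 0, sizeof d);
    Image src = { 4, 4, s }, dst = { 8, 8, d };
    Rect claimed = { 2, 2, 6, 6 };
    int64_t n = compose_or(&dst, &src, claimed, 1, 1), set = 0;
    for (size_t i = 0; i < sizeof d; i++) set += d[i];
    return set == n ? n : -1;  /* 4: only the 2x2 that really exists was touched */
}
```

Run under ASAN, the unclipped variant of this loop is exactly what reports "Heap-buffer-overflow READ 1" in the compose routine; with the clip in place the same input composes four pixels and reads nothing outside `s`.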

Comment 10 by ClusterFuzz, Aug 2

Project Member
ClusterFuzz has detected this issue as fixed in range 579967:579969.

Detailed report: https://clusterfuzz.com/testcase?key=5804313709117440

Job Type: linux_asan_pdfium
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x609000014908
Crash State:
  CJBig2_Image::ComposeToOpt2WithRect
  CJBig2_Context::ParseGenericRegion
  CJBig2_Context::ProcessingParseSegmentData
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=487701:487743
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_pdfium&range=579967:579969

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5804313709117440

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by ClusterFuzz, Aug 2

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5804313709117440 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 12 by sheriffbot@chromium.org, Aug 2

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 13 by regiw...@sourcefire.com, Aug 2

Thanks for the update on the issue. Is there a planned public disclosure date?

Comment 14 by tsepez@chromium.org, Aug 2

Labels: reward-topanel
Not yet.

Comment 15 by regiw...@sourcefire.com, Aug 3

As soon as a release date is planned, please let us know. We prefer 1-2 business days notice. Please also send CVE when assigned. Thank you.

Comment 16 by sheriffbot@chromium.org, Aug 4

Project Member
Labels: Merge-Request-69

Comment 17 by sheriffbot@chromium.org, Aug 4

Project Member
Labels: -Merge-Request-69 Merge-Review-69 Hotlist-Merge-Review
This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by gov...@chromium.org, Aug 4

Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M69 merge review

Comment 19 by gov...@chromium.org, Aug 4

Cc: abdulsyed@chromium.org
Does this also need a merge to M68?

Comment 20 by awhalley@chromium.org, Aug 6

Labels: -M-68 -Target-68 M-69 Target-69
69 is fine.

Comment 21 by gov...@chromium.org, Aug 6

Labels: -Merge-Review-69 Merge-Approved-69
Approving merge to M69 branch 3497 based on comment 20 and per offline chat with awhalley@. Please merge ASAP. Thank you.

Comment 22 by tsepez@chromium.org, Aug 7

Labels: -Merge-Approved-69 Merge-Merged

Comment 23 by gov...@chromium.org, Aug 7

Labels: -Merge-Merged merge-merged-3497

Comment 24 by thestig@chromium.org, Aug 10

Issue 873042 has been merged into this issue.

Comment 25 by awhalley@chromium.org, Aug 13

Labels: -reward-topanel reward-unpaid reward-2000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 26 by awhalley@google.com, Aug 13

Thanks for the report regiwils@! The VRP panel decided to award $2,000 for this report. A member of our finance team will be in touch to arrange next steps. Would you confirm how you'd like to be credited in the release notes?

Comment 27 by regiw...@sourcefire.com, Aug 13

Please mark credit as follows:
Discovered by Aleksandar Nikolic of Cisco Talos.

Comment 28 by awhalley@google.com, Aug 13

Labels: -reward-unpaid reward-inprocess

Comment 29 by awhalley@google.com, Aug 16

Labels: Release-0-M69

Comment 30 by awhalley@chromium.org, Sep 4

Labels: CVE-2018-16076 CVE_description-missing

Comment 31 by regiw...@sourcefire.com, Sep 5

Is there a release date or this issue?

Comment 32 by regiw...@sourcefire.com, Sep 5

*for this issue

Comment 33 by awhalley@google.com, Sep 5

The automation will open the bug up on Thu Nov 08 2018. We could open it up sooner if you wish, but ideally after September 25th.

Comment 34 by regiw...@sourcefire.com, Sep 5

The issue reaches 90 days on Oct 25 2018. If a timeframe is set after Sept 25th but prior to Oct 25th, that would be good.

Comment 35 by awhalley@google.com, Sep 5

NextAction: 2018-10-01
Sounds good - let's say 1st October. I've set the next action date to then.

Comment 36 by regiw...@sourcefire.com, Sep 5

Confirmed. Thanks for the update.

Comment 37 by monor...@bugs.chromium.org, Oct 1

The NextAction date has arrived: 2018-10-01

Comment 38 by awhalley@google.com, Oct 3

Labels: -Restrict-View-SecurityNotify allpublic

Comment 39 by regiw...@sourcefire.com, Oct 3

Any updates for the public disclosure timeline?

Comment 40 by awhalley@google.com, Oct 3

It's now public!

Comment 41 by regiw...@sourcefire.com, Oct 3

Thanks for the update. We will prepare for public disclosure on our end.

Comment 42 by awhalley@chromium.org, Jan 4

Labels: -CVE_description-missing CVE_description-submitted
