Closed Bug 1407027 (CVE-2017-5095) Opened 7 years ago Closed 6 years ago

pdfium Buffer Overflow

Categories

(Core :: Printing: Output, defect, P3)

Product:
Core
Component:
Printing: Output
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 - disabled
firefox58 - disabled
firefox59 - disabled
firefox60 - disabled

People

(Reporter: tjr, Assigned: jwatt)

References

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [third-party-lib-audit] Fixed by bug 1435230) 

The Chrome team assigned CVE-2017-5095 to this bug, and since we've just incorporated their library we should reference the same one. Looks like this landed in Firefox 56 (bug 1368948) though I don't know whether it was enabled right away. Changing component to match bug 1368948

Is pdfium only used for printing the previous bug suggests? If so we can probably lower the severity to sec-high since it couldn't be exploited just by browsing a malicious page.
Alias: CVE-2017-5095
Blocks: 1368948
status-firefox56: --- → affected
status-firefox57: --- → affected
status-firefox-esr52: --- → unaffected
tracking-firefox57: --- → +
tracking-firefox58: --- → +
Component: Graphics → Printing: Output
Keywords: csectype-bounds, sec-critical
Whiteboard: [third-party-lib-audit] → [third-party-lib-audit] publicly announced vuln
:brsun doesn't seem to be around. Who should shepherd this fix in?
Flags: needinfo?(mh+mozilla)
Flags: needinfo?(jwatt)
We're not exposing users to PDFium at all since we haven't yet flipped the pref pdfium.enabled.

This does raise the question of whether or not we can get access to PDFium sec bugs that're reported against chromium before they're released though. Do we have anyone with access?
Assignee: nobody → jwatt
Flags: needinfo?(mh+mozilla)
Flags: needinfo?(jwatt)
Flags: needinfo?(dveditz)
(In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #3)
> we haven't yet flipped the pref pdfium.enabled.

Err, wrong pref. It's the hidden pref print.print_via_pdf_encoder that needs to be set to 'skia-pdf' (we don't currently ship that). Also that pref only works if mozilla is built with --enable-skia-pdf, which is currently only the case for Nightly. Anyway, regardless of the mechanism, we don't currently expose users to PDFium.
OK, sounds like I can mark 56/57 as unaffected since we shipped 56 with the pref off and with a specific build. So only 58 should be currently affected even with the pref enabled. 

dveditz, does that sound right?
status-firefox56: affectedunaffected
(In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #3)
> We're not exposing users to PDFium at all since we haven't yet flipped the pref

Great, thanks. I'll mark the current releases "not tracking" and "disabled".

> This does raise the question of whether or not we can get access to PDFium
> sec bugs that're reported against chromium before they're released though.
> Do we have anyone with access?

If I know what to look for I can query for bugs a little before they're released (when they get the label Restrict-View-SecurityNotify).
status-firefox57: affecteddisabled
status-firefox58: affecteddisabled
tracking-firefox57: +-
tracking-firefox58: +-
Flags: needinfo?(dveditz)
Priority: -- → P3
(In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #4)
> (In reply to Jonathan Watt [:jwatt] (needinfo? me) from comment #3)
> > we haven't yet flipped the pref pdfium.enabled.
> 
> Err, wrong pref. It's the hidden pref print.print_via_pdf_encoder that needs
> to be set to 'skia-pdf' (we don't currently ship that). Also that pref only
> works if mozilla is built with --enable-skia-pdf, which is currently only
> the case for Nightly. Anyway, regardless of the mechanism, we don't
> currently expose users to PDFium.

Seems like this is still disabled. Hooray.
Do you have any plans to change that?
Either way, can you update the tracking flags accordingly for us?

Thank you!
Flags: needinfo?(jwatt)
status-firefox57: wontfixdisabled
status-firefox59: --- → disabled
status-firefox60: --- → disabled
tracking-firefox59: --- → -
tracking-firefox60: --- → -
Flags: needinfo?(jwatt)
(In reply to Frederik Braun [:freddyb] from comment #7)
> Seems like this is still disabled. Hooray.
> Do you have any plans to change that?

No. Future layout plans are being worked on, but not in the near term.
Just wanted to note that I ran a script on pdfium since our last update. 2419 commits and it found the following:

Summary
-----------------
Bugtracker: Restricted Bug : 35 issues identified
Bugtracker Keyword: Security_Severity-High: 30 issues identified
Commit Message Keyword: overflow: 28 issues identified
Bugtracker Keyword: Security_Severity-Medium: 23 issues identified
Commit Message Keyword: fuzz: 21 issues identified
Commit Message Keyword: crash: 18 issues identified
Commit Message Keyword: ASAN: 7 issues identified
Bugtracker Keyword: Security_Impact: 6 issues identified
Commit Message Keyword: MSAN: 4 issues identified
Bugtracker Keyword: Security_Severity-Low: 2 issues identified
Bugtracker Keyword: CVE-: 1 issues identified
Commit Message Keyword: security: 1 issues identified
Total: 176
I'm going to use this bug to track pdfium version updates. Depending on how often they roll pdfium, I may not keep commenting since AIUI pdfium is sitting for a bit until we decide to start using it for stuff.

Update pdfium to 3ae75c2f2e5759fcf8218e59fa380c26b98aa6b6
---------
Whiteboard: [third-party-lib-audit]
Most Recent: 1346291
---------
This is a (semi-)automated bug making you aware that there is an available upgrade for an embedded third-party library. You can leave this bug open, and it will be updated if a newer version of the library becomes available. If you close it as WONTFIX, please indicate if you do not wish to receive any future bugs upon new releases of the library.

pdfium is currently at version 84213b529908d2b9095ad4c33ecc9fdf5d881df5 in mozilla-central, and the latest version of the library released is 3ae75c2f2e5759fcf8218e59fa380c26b98aa6b6.

I fetched the latest version of the library from https://chromium.googlesource.com/chromium/src/+/master/DEPS.

(Technically, this 'latest commit' is not a release, but Chromium has rolled their dependency of pdfium.)
(In reply to Jonathan Watt [:jwatt] from comment #8)
> (In reply to Frederik Braun [:freddyb] from comment #7)
> > Seems like this is still disabled. Hooray.
> > Do you have any plans to change that?
> 
> No. Future layout plans are being worked on, but not in the near term.

If we're not actively working on this, and we're lagging behind on
updating the third-party libraries to secure versions, then I suggest
we simply remove the --enable-skia-pdf from the Nightly build config
until we actually intend to ship that.  It seems better that Nightly
tests the config we actually ship, for now.

Does that sound reasonable?
Flags: needinfo?(jwatt)
We already did that for Windows (the only platform that PDFium can build for) in bug 1435230.
Flags: needinfo?(jwatt)
OK, great!  Then I don't see any reason to keep this bug since
the security issue has been solved.

Tom, please file new bug(s) for future PDFium uplifts as needed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [third-party-lib-audit] publicly announced vuln → [third-party-lib-audit] Fixed by bug 1435230
Group: gfx-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.