Closed Bug 1519031 Opened 6 years ago Closed 6 years ago

PDF.js dev server crashes via malformed URI

Categories

(Firefox :: PDF Viewer, defect)

Product:
Firefox
Component:
PDF Viewer
Version:
64 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox64 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected

People

(Reporter: mishra.dhiraj95, Unassigned)

Details

(Keywords: sec-other)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0

Steps to reproduce:

Hi Team,

I know PDF.js bugs should not be here but its a security vulnerability so i am not hesitating to file a bug over here.

Looks like a patch which was submitted for my bug 1505558 end up with a new issue. A format string vulnerability is observed in Mozilla-PDF.js.

Actual results:

Steps to reproduce:

  1. git clone https://github.com/mozilla/pdf.js.git
  2. cd pdf.js
  3. npm install -g gulp-cli
  4. npm install
  5. gulp server
    [12:21:34] Using gulpfile ~/Desktop/pdf.js/gulpfile.js
    [12:21:34] Starting 'server'...

Starting local server

Server running at http://localhost:8888/

Once the server is running send a malformed URI request with format string in GET or HEAD method.

curl -v http://127.0.0.1:8888/%s%s

The PDF.js server gets crash, and below is the trace for same.

Starting local server

Server running at http://localhost:8888/
[12:16:22] 'server' errored after 1.01 h
[12:16:22] URIError: URI malformed
at decodeURI (<anonymous>)
at WebServer._handler (/Users/Dhiraj/Desktop/pdf.js/test/webserver.js:86:35)
at Server.emit (events.js:188:13)
at Server.EventEmitter.emit (domain.js:459:23)
at parserOnIncoming (_http_server.js:676:12)
at HTTPParser.parserOnHeadersComplete (_http_common.js:113:17)

Expected results:

If PDF.js is still not eligible for bounty, i request if some one could vouch me for my work, that would be great :)
https://mozillians.org/en-US/u/Dhiraj_Mishra/

Component: Untriaged → PDF Viewer

Brendan, can you take a look at this? Thanks!

Flags: needinfo?(bdahl)
Keywords: sec-other

Again, the server is only intended for development and not used within Firefox. Please file an issue in the pdf.js github repo for this.

Flags: needinfo?(bdahl)

Thank you Brendan, I'll create a issue on github, however just wanted to confirm this don't affect FF right ? Because comment #4 as marked FF65,66 affected for this.

Fixed upstream in https://github.com/mozilla/pdf.js/pull/10447

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Summary: Format string vulnerability in pdf.js → PDF.js dev server crashes via malformed URI

Summary: It was observed that the development server used in PDF.js gets crash when a malformed URI(bad request) is sent.
Writeup: https://www.inputzero.io/2019/01/fuzzing-http-servers.html

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.