A bug discovered in an obscure PDF parsing library back in 2011 is also present in most of today’s top PDF viewers, according to German software developer Hanno Böck.
The original bug affected the PDF parser component included with Evince, a document viewer app for Linux. It was discovered by fellow German software developer Andreas Bogk, who helped Evince fix the flaw and presented his findings at the 2011 Chaos Communication Camp.
Bogk discovered that PDF documents with a certain structure, namely files whose internal xref tables cross-reference one another, would cause Evince to enter an endless loop that consumed all of the local CPU’s resources, quickly ran out of memory, and crashed the app.
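The structure behind that bug is the chain of cross-reference sections a PDF reader follows from the trailing `startxref` offset through each trailer’s `/Prev` pointer. The following is an added example, not code from the article or from any of the viewers it names: a minimal walker for that chain that records every xref offset it has visited and stops with a clear error when an offset repeats (or when a hard cap is hit), instead of spinning forever. `build_pdf` constructs a simplified, hypothetical PDF with classic xref tables so the walker can be run offline.

```python
import re

# Added example: a minimal walker for a PDF's classic cross-reference chain,
# startxref -> xref section -> trailer /Prev -> older section -> ...
# A /Prev that points back to a section already seen is the loop that stalled
# Evince and, per the article, the other viewers. Tracking visited offsets
# (plus a hard cap) turns that endless loop into a clean parse error.

XREF_RE = re.compile(rb"xref\s")
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.S)
PREV_RE = re.compile(rb"/Prev\s+(\d+)")

def walk_xref_chain(pdf, max_sections=64):
    """Follow the /Prev chain. Returns (visited_offsets, reason) where reason
    is 'end' (chain terminated), 'cycle' (offset repeated) or 'limit'."""
    start = pdf.rfind(b"startxref")
    if start < 0:
        raise ValueError("no startxref keyword")
    offset = int(re.match(rb"startxref\s+(\d+)", pdf[start:]).group(1))
    visited = []
    while offset is not None:
        if offset in visited:
            return visited, "cycle"
        if len(visited) >= max_sections:
            return visited, "limit"
        if not XREF_RE.match(pdf, offset):
            raise ValueError("offset %d does not point at an xref section" % offset)
        visited.append(offset)
        trailer = TRAILER_RE.search(pdf, offset)
        if trailer is None:
            raise ValueError("xref section at %d has no trailer" % offset)
        prev = PREV_RE.search(trailer.group(1))
        offset = int(prev.group(1)) if prev else None
    return visited, "end"

def build_pdf(prev_of):
    """Constructed sample PDF (hypothetical, not a real file): one xref
    section per entry; prev_of[i] is the index its /Prev points to, or None."""
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    def section(prev):  # fixed-width /Prev keeps every section's length stable
        link = b"" if prev is None else b" /Prev %010d" % prev
        return (b"xref\n0 1\n0000000000 65535 f \ntrailer\n"
                b"<< /Size 2 /Root 1 0 R" + link + b" >>\n")
    offsets, pos = [], len(head)
    for prev in prev_of:
        offsets.append(pos)
        pos += len(section(None if prev is None else 0))
    body = b"".join(section(None if p is None else offsets[p]) for p in prev_of)
    return head + body + b"startxref\n%d\n%%%%EOF\n" % offsets[-1]

if __name__ == "__main__":
    print(walk_xref_chain(build_pdf([None, 0])))  # ordinary incremental update
    print(walk_xref_chain(build_pdf([1, 0])))     # two sections pointing at each other
```

A real reader also has to handle cross-reference streams and `/XRefStm` hybrid files, which this walker leaves out; the visited-set check applies to those pointers in exactly the same way.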
The bug was mostly ignored, since it was never deemed a major security issue and it affected only a small app installed on Linux desktops.
Six-year-old bug resurfaces in popular PDF viewer apps
Six years later, this turned into a big issue after Böck discovered similar behavior in a large number of well-known PDF viewers.
For example, Böck found Bogk’s “loop” bug in PDFium, the library that allows Chrome to render PDF documents inside the browser without any plugins.
The pdf.js library, used in a similar capacity in Firefox, is also affected. Pdf.js is also used by GitHub to render PDF documents inside the website’s interface, so users do not have to download the file and open it in a third-party app. GitHub’s implementation is likewise vulnerable to endless loops that break PDF rendering on the site.
The Windows Runtime PDF Renderer library, or WinRT PDF, is also affected. It powers Edge’s built-in PDF viewer and is also the default PDF parser for the Windows “Reader App,” the default PDF viewer on Windows 8 and all later versions.
Open-source PDF parsers such as Ghostscript and QPDF are affected as well, meaning the issue most likely trickles down to the many other web and desktop PDF viewer apps in which these two projects have been deployed.
Böck has reported the old bug to all affected projects, which are now preparing to roll out patches.
Adobe Reader not affected
Adobe Reader and Apple’s OS X built-in PDF viewer app are not affected.
The researcher said he discovered the bug by using a fuzzing library to analyze each project. Fuzzing is a basic security testing technique that feeds a program vast quantities of random or malformed input and watches its behavior for abnormalities such as crashes, hangs, and runaway memory use. Google’s security experts are big fans of fuzzing and recommend the technique to anyone interested in listening to their advice.
Böck also blames the administrators of the affected projects for not running updated test suites. Test suites are collections of problematic files that PDF viewers should be able to open without crashing. In a perfect world, software developers should not release new versions of their apps without successfully going through a test suite. Böck recommends that PDF apps add the Bogk “loop bug” demo file to their test cases.