Source linked

lopdf Crate Stack Overflow Lets a 21KB PDF Crash Any Rust Service

github.com · @brave_tiger · 4 hours ago · Cybersecurity · 4 comments

A hand-crafted PDF with only about 10,000 nested array levels triggers a SIGABRT that cannot be caught, and the fix is a single depth-limit check.

Tags: lopdf, rust, rustsec, denial of service, pdf parsing, stack overflow

A 21,000-byte PDF file can crash any Rust service that parses untrusted input with the lopdf crate. The stack overflow abort comes from unbounded recursion in the parser: no panic, no unwinding, just a hard SIGABRT. The advisory, filed against the RustSec Advisory Database under the placeholder ID RUSTSEC-0000-0000 (the real number is assigned when the advisory is merged), affects lopdf versions 0.41.0 and earlier. The fix landed in 0.42.0 earlier this week.

How a 10,380-Level Nested Array Brings Down Your Process

lopdf::Document::load_mem and all related load entry points recurse into PDF arrays and dictionaries without checking depth. An attacker builds a minimal Catalog entry whose value is a nested array of the form [[[...]]], on the order of 10,000 levels deep. That is enough to exhaust the call stack on any modern system. The PoC is absurdly simple: a 21KB file whose Catalog /X value is an array opened 10,380 times, i.e. the character [ repeated 10,380 times. lopdf::Document::load_mem reads it, recurses 10,380 times, and the process dies with SIGABRT. The CVSS score is 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): network-reachable, no privileges or user interaction required, availability impact high.

Why You Can't catch_unwind Your Way Out of This

Rust's panic handling is useless here. Stack overflows are not panics: the runtime's guard page detects the overflow and aborts the process, bypassing catch_unwind entirely, and this holds for overflows in spawned threads too. Any web server, document processor, or CLI tool that accepts user-supplied PDFs and uses lopdf is one tiny file away from a denial-of-service hole. The advisory's suggested fix is exactly what you'd expect: enforce a maximum object-nesting depth in the parser and return an Err instead of recursing without bound. That is a one-line check that should never have been missing.
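The fix class described above, as an added example that is not lopdf's code or the advisory's patch: a minimal recursive-descent parser for PDF-style nested arrays that threads the current depth through every recursive call and fails closed with an Err once it passes a limit, plus a generator for the kind of payload the advisory describes (an array opened 10,380 times and then closed). The token subset (integers and arrays only), the MAX_NESTING_DEPTH value of 256, and the function names are assumptions chosen for illustration; a real PDF parser also has to apply the same check to dictionaries, streams and indirect-object resolution.

```rust
// Added example, not lopdf's code. Demonstrates the depth-limit check that
// turns a stack-exhausting recursion into an ordinary Err.
use std::fmt;

/// Nesting depth beyond which the parser refuses to recurse. The exact value
/// is a design choice for this example, not something the advisory specifies.
pub const MAX_NESTING_DEPTH: usize = 256;

#[derive(Debug, Clone, PartialEq)]
pub enum Object {
    Integer(i64),
    Array(Vec<Object>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooDeep { depth: usize, limit: usize },
    Unexpected { pos: usize },
    Eof,
}

impl fmt::Display for ParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ParseError::TooDeep { depth, limit } => {
                write!(f, "nesting depth {} exceeds limit {}", depth, limit)
            }
            ParseError::Unexpected { pos } => write!(f, "unexpected byte at offset {}", pos),
            ParseError::Eof => write!(f, "unexpected end of input"),
        }
    }
}

fn skip_ws(input: &[u8], mut pos: usize) -> usize {
    while pos < input.len() && input[pos].is_ascii_whitespace() {
        pos += 1;
    }
    pos
}

/// Parse one object starting at `pos`. `depth` is the number of arrays we are
/// already inside; the first line is the check the advisory asks for. Returns
/// the object and the offset just past it.
pub fn parse_value(input: &[u8], pos: usize, depth: usize) -> Result<(Object, usize), ParseError> {
    if depth > MAX_NESTING_DEPTH {
        return Err(ParseError::TooDeep { depth, limit: MAX_NESTING_DEPTH });
    }
    let mut pos = skip_ws(input, pos);
    match input.get(pos) {
        None => Err(ParseError::Eof),
        Some(b'[') => {
            pos += 1;
            let mut items = Vec::new();
            loop {
                pos = skip_ws(input, pos);
                match input.get(pos) {
                    None => return Err(ParseError::Eof),
                    Some(b']') => return Ok((Object::Array(items), pos + 1)),
                    Some(_) => {
                        // Each nested element costs one more stack frame, so
                        // the depth counter goes up by one here.
                        let (item, next) = parse_value(input, pos, depth + 1)?;
                        items.push(item);
                        pos = next;
                    }
                }
            }
        }
        Some(b) if b.is_ascii_digit() || *b == b'-' => {
            let start = pos;
            pos += 1;
            while pos < input.len() && input[pos].is_ascii_digit() {
                pos += 1;
            }
            let text = std::str::from_utf8(&input[start..pos]).expect("ascii digits");
            text.parse::<i64>()
                .map(|n| (Object::Integer(n), pos))
                .map_err(|_| ParseError::Unexpected { pos: start })
        }
        Some(_) => Err(ParseError::Unexpected { pos }),
    }
}

/// Constructed payload of the shape the advisory describes: `levels` opening
/// brackets followed by `levels` closing ones. 10_380 levels is 20,760 bytes,
/// the same order of size as the reported 21KB PoC.
pub fn nested_array(levels: usize) -> Vec<u8> {
    let mut v = Vec::with_capacity(levels * 2);
    v.extend(std::iter::repeat(b'[').take(levels));
    v.extend(std::iter::repeat(b']').take(levels));
    v
}

/// Maximum array nesting of a parsed object (0 for a bare integer).
pub fn depth_of(obj: &Object) -> usize {
    match obj {
        Object::Integer(_) => 0,
        Object::Array(items) => 1 + items.iter().map(depth_of).max().unwrap_or(0),
    }
}

fn main() {
    println!("{:?}", parse_value(b"[1 [2 3] [[4]]]", 0, 0));
    let payload = nested_array(10_380);
    match parse_value(&payload, 0, 0) {
        Ok(_) => println!("parsed {} bytes (unexpected)", payload.len()),
        Err(e) => println!("rejected {} byte payload: {}", payload.len(), e),
    }
}
```

The important property is that the check runs before any further recursion, so the deepest frame the parser ever creates is MAX_NESTING_DEPTH + 1 regardless of input size; delete that first `if` and the recursion depth becomes whatever the attacker chooses to send.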

What This Means for Rust's Safety Narrative

lopdf is a popular Rust PDF library. This isn't a memory-safety bug; it's a logic bug that anyone writing a parser should know to guard against. Rust's ownership model didn't help here because the recursion depth is unbounded at the design level, and the borrow checker has nothing to say about how many stack frames a well-typed function consumes. If you run any service that parses PDFs with lopdf, update to 0.42.0 before someone sends your production box a 21KB Christmas card with a stack-killer inside.


Source: Add advisory for lopdf: stack overflow via deeply nested PDF objects ...
Domain: github.com
