Mageia Bugzilla – Attachment 11264 Details for
Bug 25233
poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-1001[89], CVE-2019-1002[13], CVE-2019-1087[23], CVE-2019-12293, CVE-2019-14494
Before and after reports for POC listed against CVEs
poc.report (text/plain), 4.68 KB, created by Len Lawrence on 2019-08-27 23:15:48 CEST
POC tests

*Before updates*

CVE-2019-10018
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41276
There are three test files
$ pdftotext fpe_0 out.txt
<Syntax errors are reported, so it is probably healthy. The upstream test uses ASAN to expose the FPE and abort.>
$ pdftotext fpe_1 out.txt
$ pdftotext fpe_2 out.txt
<All three report syntax errors and exit gracefully. Using xpdf does raise the floating point exception, and core dumps, which verifies the POC files.>
--------------
CVE-2019-10021
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41274
<More FPEs>
$ pdftoppm fpe_3 out.ppm
$ pdftoppm fpe_3 out.ppm
Syntax Error (358): Dictionary key must be a name object
Syntax Error (360): Dictionary key must be a name object
Syntax Error (378): Dictionary key must be a name object
Bogus memory allocation size
$ pdftoppm fpe_4 out.ppm
Syntax Error (3076): Bad image parameters
$ pdftoppm fpe_5 out.ppm
Syntax Error (553): Dictionary key must be a name object
$ pdftoppm fpe_6 out.ppm
Syntax Error (541): Dictionary key must be a name object
<These all look as if they have been fixed. xpdf verifies that the POC files do raise FPEs for other applications.>
--------------
CVE-2019-10023
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41276
<Yet more FPEs. All three result in syntax errors and clean exits.>
$ pdftotext fpe_9 out.txt
Syntax Warning: No valid XRef size in trailer
Syntax Error: Type mismatch in PostScript function
[...]
Syntax Error (1122): Bad 'Length' attribute in stream
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
$
--------------
CVE-2019-10872
https://gitlab.freedesktop.org/poppler/poppler/issues/750
Renamed the PoC file Splash::blitTransparent@Splash.cc:5872-6___heap-buffer-overflow to something manageable.
$ pdftoppm -cropbox -mono heapbufferoverflow
[...]
Syntax Error (7301): Illegal character '>'
Syntax Error: font resource is not a dictionary
Segmentation fault (core dumped)
--------------
CVE-2019-10873 (From previous list - to be ignored?)
https://gitlab.freedesktop.org/poppler/poppler/issues/748
$ pdftoppm -cropbox -jpeg -freetype yes outofboundsread
[...]
Syntax Error (70291): Unknown operator 'C.72375'
Segmentation fault (core dumped)
--------------
CVE-2019-12293
https://gitlab.freedesktop.org/poppler/poppler/issues/768
$ pdftotext id_000011_sig_06_src_000099+004407_op_splice_rep_32
[...]
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault (core dumped)
--------------
CVE-2019-14494
https://gitlab.freedesktop.org/poppler/poppler/issues/802
$ pdftoppm -cropbox -gray poc_fpe
[...]
Syntax Error (69032): Unknown operator 'l6'
Floating point exception (core dumped)
--------------
CVE-2019-9631
https://gitlab.freedesktop.org/poppler/poppler/issues/736
The upstream report does not indicate which options to use so took a gamble on postscript output.
$ pdftocairo -ps radamsa_716NiagaraWineTrail_opt.pdf winetrail.ps
[...]
Syntax Error: invalid width/height
Syntax Error (1411): Bad delta-height value in JBIG2 symbol dictionary
<hung there>
$ pdftocairo -scale-to 200 -png radamsa_716NiagaraWineTrail_opt.pdf winetrail.png
[...]
Syntax Error (1411): Bad delta-height value in JBIG2 symbol dictionary
Syntax Error (144112): 1604 extraneous bytes after segment
<No conclusions to be drawn from this - the messages may well be valid if this is a corrupt file. Expecting heap buffer overflow and an abort but note that the upstream testing framework uses ASAN.>
--------------
CVE-2019-9903
https://gitlab.freedesktop.org/poppler/poppler/issues/741
Stack overflow issue.
$ pdfunite sample2.pdf PPSOC_POC outfile
[...]
Syntax Error: End of file inside dictionary
Segmentation fault (core dumped)
-------------
-------------

*After updates*

CVE-2019-100{18,21,23}
These tests return the same results as before updating which indicates that they were already patched successfully.
--------------
CVE-2019-10872
Syntax errors with a clean exit. This is good because there is no segfault.
--------------
CVE-2019-12293
Syntax errors and no core dump. Good.
--------------
CVE-2019-14494
This traps the FPE but goes into an endless loop reporting syntax errors.
Good on the face of it but we do not know if the patch has introduced another problem or if this is simply an artefact resulting from the malformed file.
It should not delay this release but might require further investigation.
--------------
CVE-2019-9631
The same tests with pdftocairo as before fail cleanly in the same way.
I would give this the benefit of the doubt because of the uncertainty about the exact procedure to be used.
--------------
CVE-2019-9903
$ pdfunite sample2.pdf PPSOC_POC outfile
<Syntax errors but no segfault so this is good.>
--------------
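A way to run the before/after check above mechanically, as an added example that is not part of the attachment or of Mageia's QA tooling: the script re-runs the same invocations and classifies each run from its exit status (128 + signal number for a crash, 124 for a hang under GNU coreutils `timeout`) instead of by reading the "Syntax Error" output, so a segfault, a floating point exception and an endless loop like the one seen for CVE-2019-14494 after the update are told apart without a tester watching the terminal. It assumes `timeout` from GNU coreutils, that the poppler tools are installed, and that the PoC files sit in the directory passed to `run_report` under the file names used in the report; `run_report`, `run_poc` and `classify_status` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the attachment: a harness that re-runs the PoC
# invocations from the report and classifies each run from its exit status.
# Assumes GNU coreutils `timeout`; tool names and PoC file names are those
# used in the report, expected in the directory passed to run_report
# (hypothetical layout).

# Map an exit status to a verdict. A POSIX shell reports a process killed by
# a signal as 128+signum; GNU timeout reports an expired time limit as 124.
classify_status() {
    case "$1" in
        0)   echo "clean exit" ;;
        124) echo "HANG (timed out)" ;;
        134) echo "CRASH SIGABRT (abort)" ;;
        136) echo "CRASH SIGFPE (floating point exception)" ;;
        139) echo "CRASH SIGSEGV (segmentation fault)" ;;
        *)   if [ "$1" -gt 128 ]; then
                 echo "CRASH signal $(( $1 - 128 ))"
             else
                 echo "no crash (tool exit status $1)"
             fi ;;
    esac
}

# Run one command line under a time limit (seconds, first argument), discard
# its output, and print the verdict. The `|| status=$?` keeps this usable
# under `set -e`, where a crashing child would otherwise abort the script.
run_poc() {
    secs=$1; shift
    status=0
    timeout "$secs" "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# The PoC invocations from the report, one per line as CVE|command. Each is
# run in the PoC directory and gets a one-line verdict; run this once before
# and once after updating the package and diff the two outputs.
run_report() {
    poc_dir=${1:-.}
    secs=${2:-30}
    while IFS='|' read -r cve cmd; do
        [ -n "$cve" ] || continue
        verdict=$(cd "$poc_dir" && run_poc "$secs" sh -c "$cmd")
        printf '%-15s %-42s %s\n' "$cve" "$verdict" "$cmd"
    done <<'EOF'
CVE-2019-10018|pdftotext fpe_0 out.txt
CVE-2019-10018|pdftotext fpe_1 out.txt
CVE-2019-10018|pdftotext fpe_2 out.txt
CVE-2019-10021|pdftoppm fpe_3 out.ppm
CVE-2019-10021|pdftoppm fpe_4 out.ppm
CVE-2019-10021|pdftoppm fpe_5 out.ppm
CVE-2019-10021|pdftoppm fpe_6 out.ppm
CVE-2019-10023|pdftotext fpe_9 out.txt
CVE-2019-10872|pdftoppm -cropbox -mono heapbufferoverflow
CVE-2019-10873|pdftoppm -cropbox -jpeg -freetype yes outofboundsread
CVE-2019-12293|pdftotext id_000011_sig_06_src_000099+004407_op_splice_rep_32
CVE-2019-14494|pdftoppm -cropbox -gray poc_fpe
CVE-2019-9631|pdftocairo -ps radamsa_716NiagaraWineTrail_opt.pdf winetrail.ps
CVE-2019-9631|pdftocairo -scale-to 200 -png radamsa_716NiagaraWineTrail_opt.pdf winetrail.png
CVE-2019-9903|pdfunite sample2.pdf PPSOC_POC outfile
EOF
}

# Usage: sh harness.sh --report /path/to/poc/files [timeout-seconds]
if [ "${1:-}" = "--report" ]; then
    run_report "${2:-.}" "${3:-30}"
fi
```

A "clean exit" from a distribution build says less than the upstream ASAN run does, as the report itself notes for CVE-2019-9631 and CVE-2019-10018, so the verdicts are evidence that the packaged binary no longer crashes, not proof that the underlying bug is gone. Keep the time limit generous enough for the larger PoC files; a legitimate run that exceeds it is reported as HANG and needs a second look by hand.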