Bug 11560

Summary: poppler new security issues CVE-2013-4473 and CVE-2013-4474
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: oe, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/573532/
Whiteboard: MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Source RPM: poppler-0.24.2-2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2013-10-29 19:03:49 CET 
CVEs have been allocated for a few security issues in poppler:
http://openwall.com/lists/oss-security/2013/10/29/1

There is also CVE-2013-4472 which also affects xpdf, but we'll have to handle that later as there is not a fix available for it yet.

CVE-2013-4473 was fixed in 0.24.2 (already in Cauldron) here:
http://cgit.freedesktop.org/poppler/poppler/diff/utils/pdfseparate.cc?id=b8682d868ddf7f741e93b

CVE-2013-4474 was fixed in 0.24.3 here:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75

Reproducible: 

Steps to Reproduce:
David Walser 2013-10-29 19:04:00 CET

Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 Oden Eriksson 2013-10-30 14:05:19 CET 
Fixed with poppler-0.22.1-1.1.mga3 but the patch needs to be ported to poppler-0.18.4 in mga2

http://svnweb.mageia.org/packages?view=revision&revision=547921

CC: (none) => oe

Comment 2 Oden Eriksson 2013-10-30 14:06:35 CET 
And for cauldron, either submit the latest version or patch it to fix CVE-2013-4474.

cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75
Comment 3 David Walser 2013-10-30 15:03:06 CET 
Thanks Oden!

Hopefully we'll get a backported patch for 0.18.x from another distro.

Oden has also requested a freeze push for 0.24.3 for Cauldron.

Uploaded for Mageia 3:
poppler-0.22.1-1.1.mga3
libpoppler34-0.22.1-1.1.mga3
libpoppler-devel-0.22.1-1.1.mga3
libpoppler-cpp0-0.22.1-1.1.mga3
libpoppler-qt4-devel-0.22.1-1.1.mga3
libpoppler-qt4_4-0.22.1-1.1.mga3
libpoppler-glib8-0.22.1-1.1.mga3
libpoppler-gir0.18-0.22.1-1.1.mga3
libpoppler-glib-devel-0.22.1-1.1.mga3
libpoppler-cpp-devel-0.22.1-1.1.mga3

from poppler-0.22.1-1.1.mga3.src.rpm
Comment 4 David Walser 2013-10-31 17:37:36 CET 
poppler-0.24.3-1.mga4 has been uploaded for Cauldron.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 5 David Walser 2013-11-11 20:14:54 CET 
Fedora has issued an advisory for this on November 1:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121297.html

URL: http://openwall.com/lists/oss-security/2013/10/26/1 => http://lwn.net/Vulnerabilities/573532/

Comment 6 David Walser 2013-11-19 00:07:49 CET 
Fedora issued an update for Fedora 18 with poppler 0.20.2, so backporting the patches from there to 0.18.4 was easy.  The CVE-2013-4473 patch applied cleanly, and the CVE-2013-4474 patch only needed a minor change.

Assigning to QA now.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Poppler is found to be affected by a stack based buffer overflow vulnerability
in the pdfseparate utility. Successfully exploiting this issue could allow
remote attackers to execute arbitrary code in the context of the affected
application. Failed exploits may result in denial-of-service conditions
(CVE-2013-4473).

Poppler was found to have a user controlled format string vulnerability because
it fails to sanitize user-supplied input. An attacker may exploit this issue to
execute arbitrary code in the context of the vulnerable application. Failed
exploit attempts will likely result in a denial-of-service condition
(CVE-2013-4474).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4474
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121297.html
========================

Updated packages in core/updates_testing:
========================
poppler-0.18.4-2.3.mga2
libpoppler19-0.18.4-2.3.mga2
libpoppler-devel-0.18.4-2.3.mga2
libpoppler-cpp0-0.18.4-2.3.mga2
libpoppler-qt4-devel-0.18.4-2.3.mga2
libpoppler-qt4-3-0.18.4-2.3.mga2
libpoppler-glib8-0.18.4-2.3.mga2
libpoppler-gir0.18-0.18.4-2.3.mga2
libpoppler-glib-devel-0.18.4-2.3.mga2
libpoppler-cpp-devel-0.18.4-2.3.mga2
poppler-0.22.1-1.1.mga3
libpoppler34-0.22.1-1.1.mga3
libpoppler-devel-0.22.1-1.1.mga3
libpoppler-cpp0-0.22.1-1.1.mga3
libpoppler-qt4-devel-0.22.1-1.1.mga3
libpoppler-qt4_4-0.22.1-1.1.mga3
libpoppler-glib8-0.22.1-1.1.mga3
libpoppler-gir0.18-0.22.1-1.1.mga3
libpoppler-glib-devel-0.22.1-1.1.mga3
libpoppler-cpp-devel-0.22.1-1.1.mga3

from SRPMS:
poppler-0.18.4-2.3.mga2.src.rpm
poppler-0.22.1-1.1.mga3.src.rpm

Assignee: bugsquad => qa-bugs
Severity: normal => major

Comment 7 claire robinson 2013-11-19 10:44:31 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9390#c3

Whiteboard: MGA2TOO => MGA2TOO has_procedure

Comment 8 claire robinson 2013-11-19 11:12:41 CET 
Advisory uploaded. Please remove 'advisory' tag from whiteboard if anything changes.

Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory

Comment 9 claire robinson 2013-11-19 13:56:40 CET 
Testing complete mga2 32

Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory mga2-32-ok

Comment 10 claire robinson 2013-11-19 14:08:02 CET 
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure advisory mga2-32-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok

Comment 11 claire robinson 2013-11-19 14:33:15 CET 
Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 12 Thomas Backlund 2013-11-20 21:59:32 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0332.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED