| Summary: | poppler new denial of service issue fixed upstream in 0.24.5 (CVE-2013-7296) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED INVALID | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | olivier.delaune, wrw105 |
| Version: | 3 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/579347/ | ||
| Whiteboard: | has_procedure mga3-64-ok feedback | ||
| Source RPM: | poppler-0.22.1-1.1.mga3.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-01-07 22:15:40 CET
poppler-0.24.3-2.mga4 uploaded for Cauldron. Patched package uploaded for Mageia 3.

Note to QA: see the KDE bugzilla link in Comment 0 for a PoC.

Advisory:
========================

Updated poppler packages fix security vulnerability:

Poppler before 0.24.5 is vulnerable to a flaw, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library. The vulnerability is caused due to a format string error when handling extraneous bytes within a segment in the "JBIG2Stream::readSegments()" method in JBIG2Stream.cc, which can be exploited to cause a crash.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/125710.html
========================

Updated packages in core/updates_testing:
========================
poppler-0.22.1-1.2.mga3
libpoppler34-0.22.1-1.2.mga3
libpoppler-devel-0.22.1-1.2.mga3
libpoppler-cpp0-0.22.1-1.2.mga3
libpoppler-qt4-devel-0.22.1-1.2.mga3
libpoppler-qt4_4-0.22.1-1.2.mga3
libpoppler-glib8-0.22.1-1.2.mga3
libpoppler-gir0.18-0.22.1-1.2.mga3
libpoppler-glib-devel-0.22.1-1.2.mga3
libpoppler-cpp-devel-0.22.1-1.2.mga3

from poppler-0.22.1-1.2.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Testing done on Mageia 3, 64-bits. I did not manage to reproduce the crash described in the KDE bug report. So I do not know if the new package solves the problem (I guess it does :) ). Anyway, everything works fine with the latest packages of poppler.

CC: (none) => olivier.delaune

Just noting that mga3 should indeed be vulnerable to this as Fedora has issued an advisory for this for mingw-poppler 0.22.x for Fedora 19.

I was not able to reproduce the crash for poppler-0.22.1-1.1 under x86_64. Downloaded and paged through the file listed in the KDE PoC. The document itself appears to be a scan of a QT4 programming manual.

CC: (none) => wrw105

Scanned the test file mga3-64. No regressions noted.

Whiteboard: (none) => has_procedure mga3-64-ok

Tested mga3-32. Prior to update, test file scrolls normally. After update, okular crashes at page 94, which is the problem noted in the original KDE bug, so regression noted.

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok feedback

A CVE has been assigned for this:
http://openwall.com/lists/oss-security/2014/01/17/7

Summary: poppler new denial of service issue fixed upstream in 0.24.5 => poppler new denial of service issue fixed upstream in 0.24.5 (CVE-2013-7296)

Tested mga3-32 again, just to verify I hadn't done anything silly. KDE dropped a bug report, backtrace is as follows:

```
Application: Okular (okular), signal: Segmentation fault
Using host libthread_db library "/lib/i686/libthread_db.so.1".
[Current thread is 1 (Thread 0xb4985740 (LWP 7959))]

Thread 2 (Thread 0xae18db40 (LWP 8056)):
[KCrash Handler]
#6  0xb5c627bf in __strlen_ia32 () from /lib/i686/libc.so.6
#7  0xb003f02f in GooString::appendfv(char const*, char*) () from /lib/libpoppler.so.34
#8  0xb003f154 in GooString::formatv(char const*, char*) () from /lib/libpoppler.so.34
#9  0xaff9ab96 in error(ErrorCategory, int, char const*, ...) () from /lib/libpoppler.so.34
#10 0xaffef5db in JBIG2Stream::readSegments() () from /lib/libpoppler.so.34
#11 0xaffef9d8 in JBIG2Stream::reset() () from /lib/libpoppler.so.34
#12 0xb0008561 in ImageStream::reset() () from /lib/libpoppler.so.34
#13 0xaff6de13 in SplashOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) () from /lib/libpoppler.so.34
#14 0xaffb82a4 in Gfx::doImage(Object*, Stream*, bool) () from /lib/libpoppler.so.34
#15 0xaffb9001 in Gfx::opXObject(Object*, int) () from /lib/libpoppler.so.34
#16 0xaffad156 in Gfx::execOp(Object*, Object*, int) () from /lib/libpoppler.so.34
#17 0xaffb484c in Gfx::go(bool) () from /lib/libpoppler.so.34
#18 0xaffb4d42 in Gfx::display(Object*, bool) () from /lib/libpoppler.so.34
#19 0xafffb90b in Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) () from /lib/libpoppler.so.34
#20 0xb0002b4c in PDFDoc::displayPageSlice(OutputDev*, int, double, double, int, bool, bool, bool, int, int, int, int, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) () from /lib/libpoppler.so.34
#21 0xb01372a7 in Poppler::Page::renderToImage(double, double, int, int, int, int, Poppler::Page::Rotation) const () from /lib/libpoppler-qt4.so.4
#22 0xb01a71fc in PDFGenerator::image(Okular::PixmapRequest*) () from /usr/lib/kde4/okularGenerator_poppler.so
#23 0x0a4f4688 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Thread 1 (Thread 0xb4985740 (LWP 7959)):
#0  0xb770f424 in __kernel_vsyscall ()
#1  0xb5cc9b8b in read () from /lib/i686/libc.so.6
#2  0xb541421e in g_wakeup_acknowledge () from /lib/libglib-2.0.so.0
#3  0xb53d367b in g_main_context_check () from /lib/libglib-2.0.so.0
#4  0xb53d3ad2 in g_main_context_iterate.isra.22 () from /lib/libglib-2.0.so.0
#5  0xb53d3ca1 in g_main_context_iteration () from /lib/libglib-2.0.so.0
#6  0xb60ae5a1 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib/libQtCore.so.4
#7  0xb66ad3ba in QGuiEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib/libQtGui.so.4
#8  0xb607af6c in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib/libQtCore.so.4
#9  0xb607b261 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /lib/libQtCore.so.4
#10 0xb608071a in QCoreApplication::exec() () from /lib/libQtCore.so.4
#11 0xb65f9c44 in QApplication::exec() () from /lib/libQtGui.so.4
#12 0x0804e68e in main ()
```

LWN has made a new page for this as they didn't have the CVE before:
http://lwn.net/Vulnerabilities/584001/

I've asked them to merge them.

OpenSuSE has issued an advisory for this on February 3:
http://lists.opensuse.org/opensuse-updates/2014-02/msg00005.html

Their update for OpenSuSE 12.3 is also for poppler 0.22.1, and they used the same patch I have committed.

I've e-mailed the Fedora and OpenSuSE packagers for the mingw-poppler and poppler (respectively) 0.22.x updates that they issued. Hopefully they'll have some insight on this.

The PoC file is no longer available, the Fedora packager didn't have anything to add on this, the OpenSuSE packager didn't respond, and Debian has 0.22.x in sid and doesn't have a patch for this and seems to think they're unaffected, and given Bill's testing results, that seems likely. Closing as INVALID.

Status: NEW => RESOLVED

Could you see about getting the packages removed from testing please, David?