Bug 18211

Summary: poppler new DoS security issue (CVE-2015-8868)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/683995/
Whiteboard: has_procedure advisory MGA5-64-OK MGA5-32-OK
Source RPM: poppler-0.26.5-2.mga5.src.rpm CVE:
Status comment:
Attachments: PoC test file

Description David Walser 2016-04-15 21:09:33 CEST 
Fedora has issued an advisory today (April 15):
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/182399.html

The issue was fixed upstream in 0.40, already in Cauldron.

A CVE was requested and PoC posted here:
http://seclists.org/oss-sec/2016/q2/56

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated poppler packages fix security vulnerability:

A heap buffer overflow vulnerability was found in the poppler library. A
maliciously crafted file could cause the application to crash (fdo#93476).

References:
https://bugs.freedesktop.org/show_bug.cgi?id=93476
https://lists.fedoraproject.org/pipermail/package-announce/2016-April/182399.html
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.1.mga5
libpoppler46-0.26.5-2.1.mga5
libpoppler-devel-0.26.5-2.1.mga5
libpoppler-cpp0-0.26.5-2.1.mga5
libpoppler-qt4-devel-0.26.5-2.1.mga5
libpoppler-qt5-devel-0.26.5-2.1.mga5
libpoppler-qt4_4-0.26.5-2.1.mga5
libpoppler-qt5_1-0.26.5-2.1.mga5
libpoppler-glib8-0.26.5-2.1.mga5
libpoppler-gir0.18-0.26.5-2.1.mga5
libpoppler-glib-devel-0.26.5-2.1.mga5
libpoppler-cpp-devel-0.26.5-2.1.mga5

from poppler-0.26.5-2.1.mga5.src.rpm
Comment 1 Len Lawrence 2016-04-17 18:13:58 CEST 
Mageia5  x86_64  Mate

Installed all the components before updating and used the downloaded crash.pdf file in okular and evince.  Both crashed immediately.

The PoC script would not run because it needed the miniPDF python module.  It probably does not matter because it looks like all it does is generate the test PDF anyway.

After updating poppler and the libraries evince and okular worked although okular required the bash command '$ export $(dbus-launch)' before it would run.
Other applications like epdfview and xournal also displayed the test file OK.
They also worked fine with other PDF documents on disk.

OK for 64bits.

CC: (none) => tarazed25

Len Lawrence 2016-04-17 18:14:44 CEST

Whiteboard: (none) => has_procedure MGA5-64-OK

Comment 2 Len Lawrence 2016-04-17 18:16:16 CEST 
Created attachment 7683 [details]
PoC test file
Comment 3 Len Lawrence 2016-04-17 20:26:44 CEST 
i586 in virtualbox  Mate

Before updating:
okular reported a crash when reading crash.pdf but it was possible to restart the application.
evince reports that it cannot get information for the file.  On x86_64 it segfaulted.
xournal segfaults, so does epdfview.

All twelve update packages installed cleanly.
None of evince, okular, epdfview, or xournal had any problem displaying crash.pdf.

This looks fine for both architectures so can be validated.
Len Lawrence 2016-04-17 20:27:24 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2016-04-19 10:19:40 CEST 
Advisory uploaded.

Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 5 Mageia Robot 2016-04-21 16:53:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0145.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2016-04-25 11:54:15 CEST 
This has been assigned CVE-2015-8868:
http://openwall.com/lists/oss-security/2016/04/24/2

Summary: poppler new DoS security issue => poppler new DoS security issue (CVE-2015-8868)