| Summary: | poppler new security issues CVE-2017-751[15], CVE-2017-940[68], CVE-2017-977[56], CVE-2017-9865 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | mageia, marja11, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | advisory MGA5-64-OK | ||
| Source RPM: | poppler-0.26.5-2.1.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | 21516 | ||
| Bug Blocks: | |||
|
Description
David Walser
2017-06-07 12:43:10 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11

Ubuntu has issued an advisory on July 7:
https://www.ubuntu.com/usn/usn-3350-1/

CVE-2017-2820 and CVE-2017-9083 don't affect us since we are building against openjpeg.

CVE-2017-7511 had previously been fixed in Cauldron.

CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775 have now been patched in Cauldron (awaiting freeze push).

Summary:
poppler new security issue CVE-2017-7511 => poppler new security issues CVE-2017-7511, CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to hang, resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to consume resources, resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler pdftocairo tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service (CVE-2017-9775).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/
https://www.ubuntu.com/usn/usn-3350-1/
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.2.mga5
libpoppler46-0.26.5-2.2.mga5
libpoppler-devel-0.26.5-2.2.mga5
libpoppler-cpp0-0.26.5-2.2.mga5
libpoppler-qt4-devel-0.26.5-2.2.mga5
libpoppler-qt5-devel-0.26.5-2.2.mga5
libpoppler-qt4_4-0.26.5-2.2.mga5
libpoppler-qt5_1-0.26.5-2.2.mga5
libpoppler-glib8-0.26.5-2.2.mga5
libpoppler-gir0.18-0.26.5-2.2.mga5
libpoppler-glib-devel-0.26.5-2.2.mga5
libpoppler-cpp-devel-0.26.5-2.2.mga5

poppler-0.26.5-2.2.mga5.src.rpm

Assignee:
pkg-bugs => qa-bugs

Fedora has issued an advisory for this on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/

It includes two more CVEs: CVE-2017-9776 and CVE-2017-9865. I may need to add more patches.

Whiteboard:
(none) => feedback

Installed and tested the various pdf* commands without issues.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep poppler | sort
lib64poppler46-0.26.5-2.2.mga5
lib64poppler-glib8-0.26.5-2.2.mga5
lib64poppler-qt4_4-0.26.5-2.2.mga5
poppler-0.26.5-2.2.mga5

Whiteboard:
feedback => feedback MGA5-64-OK

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to hang, resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to consume resources, resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler pdftocairo tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service (CVE-2017-9775).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/
https://www.ubuntu.com/usn/usn-3350-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.3.mga5
libpoppler46-0.26.5-2.3.mga5
libpoppler-devel-0.26.5-2.3.mga5
libpoppler-cpp0-0.26.5-2.3.mga5
libpoppler-qt4-devel-0.26.5-2.3.mga5
libpoppler-qt5-devel-0.26.5-2.3.mga5
libpoppler-qt4_4-0.26.5-2.3.mga5
libpoppler-qt5_1-0.26.5-2.3.mga5
libpoppler-glib8-0.26.5-2.3.mga5
libpoppler-gir0.18-0.26.5-2.3.mga5
libpoppler-glib-devel-0.26.5-2.3.mga5
libpoppler-cpp-devel-0.26.5-2.3.mga5

from poppler-0.26.5-2.3.mga5.src.rpm

Summary:
poppler new security issues CVE-2017-7511, CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775 => poppler new security issues CVE-2017-751[15], CVE-2017-940[68], CVE-2017-977[56], CVE-2017-9865

Patched package uploaded for Mageia 5 to fix the issues from Comment 4.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to hang, resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to consume resources, resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler pdftocairo tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service (CVE-2017-9775).

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in pdftocairo in Poppler allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document (CVE-2017-9776).

The function GfxImageColorMap::getGray in GfxState.cc in Poppler allows attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in ImageOutputDev.cc (CVE-2017-9865).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/
https://www.ubuntu.com/usn/usn-3350-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.3.mga5
libpoppler46-0.26.5-2.3.mga5
libpoppler-devel-0.26.5-2.3.mga5
libpoppler-cpp0-0.26.5-2.3.mga5
libpoppler-qt4-devel-0.26.5-2.3.mga5
libpoppler-qt5-devel-0.26.5-2.3.mga5
libpoppler-qt4_4-0.26.5-2.3.mga5
libpoppler-qt5_1-0.26.5-2.3.mga5
libpoppler-glib8-0.26.5-2.3.mga5
libpoppler-gir0.18-0.26.5-2.3.mga5
libpoppler-glib-devel-0.26.5-2.3.mga5
libpoppler-cpp-devel-0.26.5-2.3.mga5

from poppler-0.26.5-2.3.mga5.src.rpm
David Walser
2017-08-13 17:29:36 CEST
Depends on: (none) => 21516

Installed and tested the various pdf* commands without issues.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep poppler
poppler-0.26.5-2.3.mga5
lib64poppler-qt4_4-0.26.5-2.3.mga5
lib64poppler46-0.26.5-2.3.mga5
lib64poppler-glib8-0.26.5-2.3.mga5

Whiteboard:
(none) => MGA5-64-OK

Advisory uploaded, validating.

Keywords:
(none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0276.html

Status:
NEW => RESOLVED |