Bug 21516

Summary: poppler new security issues CVE-2017-9776 and CVE-2017-9865
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: herman.viaene, lewyssmith, sysadmin-bugs
Version: 6
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-32-OK advisory MGA6-64-OK
Source RPM: poppler-0.52.0-3.mga6.src.rpm
CVE:
Status comment:
Bug Depends on:
Bug Blocks: 21038
Attachments: Test case for CVE-2017-9865

Description David Walser 2017-08-13 17:29:20 CEST
Fedora has issued an advisory on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in
pdftocairo in Poppler allows attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
PDF document (CVE-2017-9776).

The function GfxImageColorMap::getGray in GfxState.cc in Poppler allows
attackers to cause a denial of service (stack-based buffer over-read and
application crash) via a crafted PDF document, related to missing color-map
validation in ImageOutputDev.cc (CVE-2017-9865).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.1.mga6
libpoppler66-0.52.0-3.1.mga6
libpoppler-devel-0.52.0-3.1.mga6
libpoppler-cpp0-0.52.0-3.1.mga6
libpoppler-qt4-devel-0.52.0-3.1.mga6
libpoppler-qt5-devel-0.52.0-3.1.mga6
libpoppler-qt4_4-0.52.0-3.1.mga6
libpoppler-qt5_1-0.52.0-3.1.mga6
libpoppler-glib8-0.52.0-3.1.mga6
libpoppler-gir0.18-0.52.0-3.1.mga6
libpoppler-glib-devel-0.52.0-3.1.mga6
libpoppler-cpp-devel-0.52.0-3.1.mga6

from poppler-0.52.0-3.1.mga6.src.rpm
David Walser 2017-08-13 17:29:36 CEST

Blocks: (none) => 21038
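The first advisory item (CVE-2017-9776) is an integer overflow in a bitmap size computation that leaves a heap buffer undersized. The following is an added illustration of that bug class and of the validation that closes it; it is not poppler's JBIG2Stream.cc, and the one-bit-per-pixel, byte-padded-row formula is an assumption made here for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked variant (illustrative): with hostile w/h the intermediate
 * products wrap, the allocation comes out too small, and later row writes
 * run past the end of the heap buffer. Only call with benign sizes. */
static size_t bitmap_bytes_unchecked(int w, int h)
{
    int line = (w + 7) / 8;      /* overflows when w is near INT_MAX */
    return (size_t)(line * h);   /* overflows again for large h */
}

/* Checked variant: reject non-positive dimensions and every intermediate
 * overflow before any arithmetic that could wrap. Returns true and stores
 * the byte count on success, false for a malformed size. */
static bool bitmap_bytes_checked(int w, int h, size_t *out)
{
    if (w <= 0 || h <= 0)
        return false;
    if (w > INT_MAX - 7)               /* (w + 7) would overflow */
        return false;
    int line = (w + 7) / 8;            /* bytes per padded row, >= 1 */
    if (h > INT_MAX / line)            /* line * h would overflow */
        return false;
    *out = (size_t)line * (size_t)h;
    return true;
}

/* Allocate a zeroed bitmap only after the size has been validated; NULL
 * tells the caller to treat the stream as malformed instead of decoding. */
static unsigned char *alloc_bitmap(int w, int h)
{
    size_t n;
    if (!bitmap_bytes_checked(w, h, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    size_t n;
    printf("8x2 -> %zu bytes\n", bitmap_bytes_unchecked(8, 2));
    printf("INT_MAX x INT_MAX accepted: %s\n",
           bitmap_bytes_checked(INT_MAX, INT_MAX, &n) ? "yes" : "no");
    free(alloc_bitmap(384, 764));      /* page-sized bitmap, valid */
    return 0;
}
```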

Comment 1 Lewis Smith 2017-08-31 20:55:46 CEST
Before trying M6/64

Looking at what requires poppler (PDF routines), the handiest candidates for testing it seem to me 'epdfview':
"ePDFView is a free lightweight PDF document viewer using
Poppler and GTK+ libraries. The aim of ePDFView is to make
a simple PDF document viewer, in the lines of Evince but
without using the Gnome libraries."
and 'cups-pdf', always handy to have for a pseudo-printer. So installed them both, which pulled in poppler. I was surprised that with a 6-desktop M6 Classic installation, poppler was *not* already installed! It offers the following binaries to play with:
 /usr/bin/pdfdetach
 /usr/bin/pdffonts
 /usr/bin/pdfimages
 /usr/bin/pdfinfo
 /usr/bin/pdfseparate
 /usr/bin/pdfsig
 /usr/bin/pdftocairo
 /usr/bin/pdftohtml
 /usr/bin/pdftoppm
 /usr/bin/pdftops
 /usr/bin/pdftotext
 /usr/bin/pdfunite

There is a test case for CVE-2017-9865 which I attach.

CC: (none) => lewyssmith

Comment 3 Herman Viaene 2017-09-01 09:58:53 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
While installing epdfview, found that poppler was already installed. So before updating poppler, using the above attachment:
$ pdfinfo attachment.cgi 
Title:          file_layout.graffle
Author:         Guillaume Lazzara
Creator:        OmniGraffle Professional 5.1.1
Producer:       Mac OS X 10.5.8 Quartz PDFContext
CreationDate:   Thu Oct  1 14:16:00 2009 CEST
ModDate:        Thu Oct  1 15:21:00 2009 CEST
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      384 x 764 pts
Page rot:       0
File size:      26680 bytes
Optimized:      no
PDF version:    1.3
seems OK
$ epdfview
Gtk-Message: Failed to load module "canberra-gtk-module"

** (epdfview:5873): WARNING **: Couldn't load config file '/home/tester6/.config/epdfview/main.conf': Bestand of map bestaat niet
Seems OK for first run of epdfview, document opened and seems normal.
After update did same runs with same results, plus (after renaming attachment.cgi to attachment.pdf just for convenience)
$ pdftotext attachment.pdf attachment.txt
Resulting txt file has all text info from PDF, so OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-09-02 11:12:27 CEST

Whiteboard: MGA6-32-OK => MGA6-32-OK advisory

Comment 4 Lewis Smith 2017-09-02 11:19:31 CEST
I propose to test this for M6/64-bit.

Comment 5 Lewis Smith 2017-09-03 11:00:03 CEST
Testing Mageia 6 x64 using epdfview

BEFORE UPDATE
 poppler-0.52.0-3.mga6
 lib64poppler66-0.52.0-3.mga6
 lib64poppler-glib8-0.52.0-3.mga6
 lib64poppler-qt5_1-0.52.0-3.mga6
Same result as Comment 3 [test file cited]:
 $ epdfview stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf 
...
** (epdfview:5001): WARNING **: Couldn't load config file '/home/lewis/.config/epdfview/main.conf': No such file or directory

This error only showed if the filename is given on the command line. Just launching epdfview and opening a file from its GUI does not throw the error.
But the test case did (alas) display correctly. Also genuine PDF documents.

 $ strace epdfview 2>&1 | grep poppler
 open("/lib64/libpoppler-glib.so.8", O_RDONLY|O_CLOEXEC) = 3
 open("/lib64/libpoppler.so.66", O_RDONLY|O_CLOEXEC) = 3
shows these 2 libraries at least are invoked.

AFTER UPDATE
 poppler-0.52.0-3.1.mga6
 lib64poppler-qt5_1-0.52.0-3.1.mga6
 lib64poppler66-0.52.0-3.1.mga6
 lib64poppler-glib8-0.52.0-3.1.mga6

 $ epdfview tmp/stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf
did not show the previous WARNING. Again this test file, and other genuine PDFs, displayed correctly. Same library accesses:
 open("/lib64/libpoppler-glib.so.8", O_RDONLY|O_CLOEXEC) = 3
 open("/lib64/libpoppler.so.66", O_RDONLY|O_CLOEXEC) = 3

OKing & validating.

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK advisory => MGA6-32-OK advisory MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Nicolas Lécureuil 2017-09-03 16:12:44 CEST
Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs…             (None found)
Checking SRPMs…                      (5/core/poppler-0.52.0-3.1.mga6)


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 7 David Walser 2017-09-03 16:23:01 CEST
Fixed.

Keywords: (none) => validated_update

Comment 8 Mageia Robot 2017-09-03 17:11:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0329.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED