Bug 21516

Summary:	poppler new security issues CVE-2017-9776 and CVE-2017-9865
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	herman.viaene, lewyssmith, sysadmin-bugs
Version:	6	Keywords:	validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA6-32-OK advisory MGA6-64-OK
Source RPM:	poppler-0.52.0-3.mga6.src.rpm	CVE:
Status comment:
Bug Depends on:
Bug Blocks:	21038
Attachments:	Test case for CVE-2017-9865

Description David Walser 2017-08-13 17:29:20 CEST

Fedora has issued an advisory on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in
pdftocairo in Poppler allows attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
PDF document (CVE-2017-9776).

The function GfxImageColorMap::getGray in GfxState.cc in Poppler allows
attackers to cause a denial of service (stack-based buffer over-read and
application crash) via a crafted PDF document, related to missing color-map
validation in ImageOutputDev.cc (CVE-2017-9865).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.1.mga6
libpoppler66-0.52.0-3.1.mga6
libpoppler-devel-0.52.0-3.1.mga6
libpoppler-cpp0-0.52.0-3.1.mga6
libpoppler-qt4-devel-0.52.0-3.1.mga6
libpoppler-qt5-devel-0.52.0-3.1.mga6
libpoppler-qt4_4-0.52.0-3.1.mga6
libpoppler-qt5_1-0.52.0-3.1.mga6
libpoppler-glib8-0.52.0-3.1.mga6
libpoppler-gir0.18-0.52.0-3.1.mga6
libpoppler-glib-devel-0.52.0-3.1.mga6
libpoppler-cpp-devel-0.52.0-3.1.mga6

from poppler-0.52.0-3.1.mga6.src.rpm

David Walser 2017-08-13 17:29:36 CEST

Blocks: (none) => 21038

Comment 1 Lewis Smith 2017-08-31 20:55:46 CEST

Before trying M6/64

Looking at what requires poppler (PDF routines), the handiest candidates for testing it seem to me 'epdfview':
"ePDFView is a free lightweight PDF document viewer using
Poppler and GTK+ libraries.The aim of ePDFView is to make
a simple PDF document viewer, in the lines of Evince but
without using the Gnome libraries."
and 'cups-pdf', always handy to have for a pseudo-printer. So installed them both, which pulled in poppler. I was surprised that with a 6-desktop M6 Classic installation, poppler was *not* already installed! It offers the following binaries to play with:
 /usr/bin/pdfdetach
 /usr/bin/pdffonts
 /usr/bin/pdfimages
 /usr/bin/pdfinfo
 /usr/bin/pdfseparate
 /usr/bin/pdfsig
 /usr/bin/pdftocairo
 /usr/bin/pdftohtml
 /usr/bin/pdftoppm
 /usr/bin/pdftops
 /usr/bin/pdftotext
 /usr/bin/pdfunite

There is a test case for CVE-2017-9865 which I attach.

CC: (none) => lewyssmith

Comment 2 Lewis Smith 2017-08-31 20:59:52 CEST

Created attachment 9652 [details]
Test case for CVE-2017-9865

Found at https://bugs.freedesktop.org/show_bug.cgi?id=100774 ->
 https://bugs.freedesktop.org/attachment.cgi?id=131001

Comment 3 Herman Viaene 2017-09-01 09:58:53 CEST

MGA6-32 on Asus A6000VM MATE
No installation issues.
While installing edpf, found that poppler was already installed. So before updating poppler using above attachment:
$ pdfinfo attachment.cgi 
Title:          file_layout.graffle
Author:         Guillaume Lazzara
Creator:        OmniGraffle Professional 5.1.1
Producer:       Mac OS X 10.5.8 Quartz PDFContext
CreationDate:   Thu Oct  1 14:16:00 2009 CEST
ModDate:        Thu Oct  1 15:21:00 2009 CEST
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      384 x 764 pts
Page rot:       0
File size:      26680 bytes
Optimized:      no
PDF version:    1.3
seems OK
$ epdfview
Gtk-Message: Failed to load module "canberra-gtk-module"

** (epdfview:5873): WARNING **: Couldn't load config file '/home/tester6/.config/epdfview/main.conf': Bestand of map bestaat niet
Seems OK for first run of epdf, document opened and seems normal.
After update did same runs with same results, plus (after renaming attachment.cgi to attachment.pdf just for convenience)
$ pdftotext attachment.pdf attachment.txt
Resulting txt file has all text info from PDF, so OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-09-02 11:12:27 CEST

Whiteboard: MGA6-32-OK => MGA6-32-OK advisory

Comment 4 Lewis Smith 2017-09-02 11:19:31 CEST

I propose to test this for M6/64-bit.

Comment 5 Lewis Smith 2017-09-03 11:00:03 CEST

Testing Mageia 6 x64 using epdfview

BEFORE UPDATE
 poppler-0.52.0-3.mga6
 lib64poppler66-0.52.0-3.mga6
 lib64poppler-glib8-0.52.0-3.mga6
 lib64poppler-qt5_1-0.52.0-3.mga6
Same result as Comment 3 [test file cited]:
 $ epdfview stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf 
...
** (epdfview:5001): WARNING **: Couldn't load config file '/home/lewis/.config/epdfview/main.conf': No such file or directory

This error only showed if the filename is given on the command line. Just launching epdfview and opening a file from its GUI does not throw the error.
But the test case did (alas) display correctly. Also genuine PDF docuemnts.

 $ strace epdfview 2>&1 | grep poppler
 open("/lib64/libpoppler-glib.so.8", O_RDONLY|O_CLOEXEC) = 3
 open("/lib64/libpoppler.so.66", O_RDONLY|O_CLOEXEC) = 3
shows these 2 libraries at least are invoked.

AFTER UPDATE
 poppler-0.52.0-3.1.mga6
 lib64poppler-qt5_1-0.52.0-3.1.mga6
 lib64poppler66-0.52.0-3.1.mga6
 lib64poppler-glib8-0.52.0-3.1.mga6

 $ epdfview tmp/stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf
did not show the previous WARNING. Again this test file, and other genuine PDFs, displayed correctly. Same library accesses:
 open("/lib64/libpoppler-glib.so.8", O_RDONLY|O_CLOEXEC) = 3
 open("/lib64/libpoppler.so.66", O_RDONLY|O_CLOEXEC) = 3

OKing & validating.

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK advisory => MGA6-32-OK advisory MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Nicolas Lécureuil 2017-09-03 16:12:44 CEST

Update ID assignment failed

Checking for QA validation keywordâ¦   â
Checking dependent bugsâ¦              â (None found)
Checking SRPMsâ¦                       â (5/core/poppler-0.52.0-3.1.mga6) 


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 7 David Walser 2017-09-03 16:23:01 CEST

Fixed.

Keywords: (none) => validated_update

Comment 8 Mageia Robot 2017-09-03 17:11:59 CEST

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0329.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED