Bug 22352

Summary: poppler new security issue CVE-2017-1000456
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: marja11, nicolas.salguero, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: poppler-0.52.0-3.5.mga6.src.rpm CVE: CVE-2017-1000456
Status comment:
Bug Depends on:    
Bug Blocks: 22377    

Description David Walser 2018-01-09 00:17:56 CET 
Ubuntu has issued an advisory today (January 8):
https://usn.ubuntu.com/usn/usn-3517-1/

It fixes one issue that we haven't yet.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-01-09 00:18:04 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-01-09 06:46:12 CET 
Assigning to all packagers collectively, since there is no registered maintainer for poppler

CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2018-01-09 11:13:39 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addWord, leading to overflow in subsequent calculations. (CVE-2017-1000456)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000456
https://usn.ubuntu.com/usn/usn-3517-1/
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.6.mga6
lib(64)poppler66-0.52.0-3.6.mga6
lib(64)poppler-devel-0.52.0-3.6.mga6
lib(64)poppler-cpp0-0.52.0-3.6.mga6
lib(64)poppler-qt4-devel-0.52.0-3.6.mga6
lib(64)poppler-qt5-devel-0.52.0-3.6.mga6
lib(64)poppler-qt4_4-0.52.0-3.6.mga6
lib(64)poppler-qt5_1-0.52.0-3.6.mga6
lib(64)poppler-glib8-0.52.0-3.6.mga6
lib(64)poppler-gir0.18-0.52.0-3.6.mga6
lib(64)poppler-glib-devel-0.52.0-3.6.mga6
lib(64)poppler-cpp-devel-0.52.0-3.6.mga6

from SRPMS:
poppler-0.52.0-3.6.mga6.src.rpm

Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-1000456
Status: NEW => ASSIGNED
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Nicolas Salguero 2018-01-09 11:16:35 CET

Source RPM: poppler-0.60.1-2.mga7.src.rpm => poppler-0.52.0-3.5.mga6.src.rpm

Comment 3 Len Lawrence 2018-01-09 14:28:21 CET 
Mageia 6 :: x86_64

All packages updated cleanly.

CVE-2017-1000456
Invalid read demonstrated by the POC file from https://bugs.freedesktop.org/show_bug.cgi?id=103116
Before:
$ pdftotext 0JBYrSy8_CRASHED.pdf poc.txt
Syntax Error: Embedded font file may be invalid
Syntax Error (20431): Unknown operator 'TJJJJJJJJJJJJJJ'
Segmentation fault (core dumped)
$ pdftotext 0JBYrSy8_CRASHED.pdf poc.txt
Syntax Error: Embedded font file may be invalid
Syntax Error (20431): Unknown operator 'TJJJJJJJJJJJJJJ'
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Error (17678): Bad 'Length' attribute in stream
Syntax Warning: wordBaseIdx out of range

That looks conclusive.
Ran a few tests as in previous poppler bugs.

$ pdfimages -all working-with-ruby-threads_p1_0.pdf threads
$ ls threads*
threads-000.png  threads-004.png  threads-008.png  threads-012.png
................................
$ pdfseparate -f 16 -l 22 working-with-ruby-threads_p1_0.pdf threadsx%d.pdf
$ ls threadsx*
threadsx16.pdf  threadsx18.pdf  threadsx20.pdf  threadsx22.pdf
threadsx17.pdf  threadsx19.pdf  threadsx21.pdf
$ pdfunite threads1*.pdf reunited.pdf
This produced a readable PDF file containing pages 16-19 of the original book.
$ pdftotext reunited.pdf pages.txt
$ cat pages.txt
end
# The main thread sleeps to prevent it from finishing execution.
# If it were allowed to run, it would simply exit, killing the other
# thread and preventing it from doing its important work.
sleep
.........................................

The text file retained the original page numbers 16-19.
Good for 64 bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 4 Len Lawrence 2018-01-09 14:36:13 CET 
Cut and paste error there - insert "Afterwards:" after 'Segmentation fault'.
Lewis Smith 2018-01-11 09:33:00 CET

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2018-01-11 20:37:36 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0068.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 6 David Walser 2018-01-12 03:09:36 CET 
Patch checked into Mageia 5 SVN.
David Walser 2018-01-12 15:15:09 CET

Blocks: (none) => 22377