Bug 24073

Summary: poppler new security issue CVE-2018-19149
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, lewyssmith, marja11, nicolas.salguero, smelror, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: poppler-0.52.0-3.9.mga6.src.rpm CVE: CVE-2018-19149
Status comment:

Description David Walser 2018-12-26 02:04:44 CET 
Ubuntu has issued an advisory on December 4:
https://usn.ubuntu.com/3837-1/

It fixes one issue we haven't previously mentioned.
Comment 1 David Walser 2018-12-26 02:06:00 CET 
Ubuntu issued an advisory on December 11 to fix a regression:
https://usn.ubuntu.com/3837-2/
Comment 2 Marja Van Waes 2018-12-26 08:10:08 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => geiger.david68210, marja11, nicolas.salguero, smelror
Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2018-12-27 11:39:49 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment. (CVE-2018-19149)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19149
https://usn.ubuntu.com/3837-2/
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.10.mga6
lib(64)poppler66-0.52.0-3.10.mga6
lib(64)poppler-devel-0.52.0-3.10.mga6
lib(64)poppler-cpp0-0.52.0-3.10.mga6
lib(64)poppler-qt4-devel-0.52.0-3.10.mga6
lib(64)poppler-qt5-devel-0.52.0-3.10.mga6
lib(64)poppler-qt4_4-0.52.0-3.10.mga6
lib(64)poppler-qt5_1-0.52.0-3.10.mga6
lib(64)poppler-glib8-0.52.0-3.10.mga6
lib(64)poppler-gir0.18-0.52.0-3.10.mga6
lib(64)poppler-glib-devel-0.52.0-3.10.mga6
lib(64)poppler-cpp-devel-0.52.0-3.10.mga6

from SRPMS:
poppler-0.52.0-3.10.mga6.src.rpm

CVE: (none) => CVE-2018-19149
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 4 Thomas Andrews 2018-12-30 22:20:28 CET 
Real hardware, Intel Core 2 Duo, Intel graphics, 64-bit Plasma system.

Packages installed cleanly. Tried several pdf readers, printed a page or two on an HP inkjet printer. No regressions noted.

Looks OK for 64-bit.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA6-64-OK

Comment 5 Lewis Smith 2018-12-31 21:15:54 CET 
Mageia 6 x64.
Trying a PoC. From the CVE, 1st reference
 https://gitlab.freedesktop.org/poppler/poppler/issues/664
says "1. Open NullPointerDeference.h_134 with evince.
      2. Segmentation fault (core dumped)"
The test file is at:
 https://gitlab.freedesktop.org/poppler/poppler/uploads/64ee53478f55bbc8f0e8ba955521ad25/NullPointerDeference.h_134
No other CVE refs have a PoC.

BEFORE update: poppler-0.52.0-3.9.mga6 etc
 $ evince Desktop/NullPointerDeference.h_134
 Segmentation fault (core dumped)
-------------
AFTER update:
- lib64poppler-cpp0-0.52.0-3.10.mga6.x86_64
- lib64poppler-glib8-0.52.0-3.10.mga6.x86_64
- lib64poppler-qt5_1-0.52.0-3.10.mga6.x86_64
- lib64poppler66-0.52.0-3.10.mga6.x86_64
- poppler-0.52.0-3.10.mga6.x86_64

 $ evince Desktop/NullPointerDeference.h_134

 (evince:29446): Poppler-WARNING **: Missing stream object for embedded file
 Segmentation fault (core dumped)
Not the same, at least. But - is it Evince crashing, rather than Poppler?

Advisorying & validating anyway thanks to TJ's tests.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2018-12-31 23:43:17 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0498.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED