| Summary: | poppler new security issues CVE-2019-9959 and CVE-2019-10871 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6TOO MGA7-64-OK MGA6-64-OK | ||
| Source RPM: | poppler-0.79.0-1.mga8.src.rpm | CVE: | CVE-2019-9959, CVE-2019-10871 |
| Status comment: | |||
Description
David Walser
2019-09-12 16:23:33 CEST

David Walser
2019-09-12 16:23:40 CEST
Whiteboard: (none) => MGA7TOO, MGA6TOO

Poppler has no registered maintainer, so assigning globally.

Assignee: bugsquad => pkg-bugs

Hi,

Version 0.79 is affected by CVE-2019-10871.

poppler-0.79.0-2.mga8 solves the problem for Cauldron.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo. (CVE-2019-9959)

An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function PSOutputDev::checkPageSlice at PSOutputDev.cc. (CVE-2019-10871)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10871
https://access.redhat.com/errata/RHSA-2019:2713
========================

Updated packages in 6/core/updates_testing:
========================
poppler-0.52.0-3.14.mga6
lib(64)poppler66-0.52.0-3.14.mga6
lib(64)poppler-devel-0.52.0-3.14.mga6
lib(64)poppler-cpp0-0.52.0-3.14.mga6
lib(64)poppler-qt4-devel-0.52.0-3.14.mga6
lib(64)poppler-qt5-devel-0.52.0-3.14.mga6
lib(64)poppler-qt4_4-0.52.0-3.14.mga6
lib(64)poppler-qt5_1-0.52.0-3.14.mga6
lib(64)poppler-glib8-0.52.0-3.14.mga6
lib(64)poppler-gir0.18-0.52.0-3.14.mga6
lib(64)poppler-glib-devel-0.52.0-3.14.mga6
lib(64)poppler-cpp-devel-0.52.0-3.14.mga6

from SRPMS:
poppler-0.52.0-3.14.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
poppler-0.74.0-3.2.mga7
lib(64)poppler85-0.74.0-3.2.mga7
lib(64)poppler-devel-0.74.0-3.2.mga7
lib(64)poppler-cpp0-0.74.0-3.2.mga7
lib(64)poppler-qt5-devel-0.74.0-3.2.mga7
lib(64)poppler-qt5_1-0.74.0-3.2.mga7
lib(64)poppler-glib8-0.74.0-3.2.mga7
lib(64)poppler-gir0.18-0.74.0-3.2.mga7
lib(64)poppler-glib-devel-0.74.0-3.2.mga7
lib(64)poppler-cpp-devel-0.74.0-3.2.mga7

from SRPMS:
poppler-0.74.0-3.2.mga7.src.rpm

QA Contact: (none) => security

mga7, x86_64

Upgraded poppler packages to the release version (3.1) and checked for reproducers.

CVE-2019-9959
https://bugzilla.redhat.com/show_bug.cgi?id=1732340
The PoC file is a PDF but there are no instructions on how to run it to trigger the integer overflow. It displays what looks like an image with tiles containing random data.
$ pdftops raiter_issue5465.pdf /dev/null
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Internal Error: xref num 5 not found but needed, try to reconstruct<0a>
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Out of memory
Aborted (core dumped)

CVE-2019-10871
https://gitlab.freedesktop.org/poppler/poppler/issues/751
Heap buffer overflow.
Extracted poc file from the archive file.
$ pdftops -level1sep 'PSOutputDev::checkPageSlice@PSOutputDev.cc:3468-23___heap-buffer-overflow' /dev/null
$
This may have been fixed in the last update. It seems to be an old issue.

All packages updated cleanly.

CVE-2019-9959
$ pdftops raiter_issue5465.pdf /dev/null
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Internal Error: xref num 5 not found but needed, try to reconstruct<0a>
Syntax Error (339): Dictionary key must be a name object
No abort - good result.

The poc for the other CVE produced no errors, as before.
poc file renamed.
$ pdftops -level1sep poc_hbo test.ps
$ gs test.ps
The test.ps output displayed as an image like a large uppercase L, matching the content of the poc file.

Ran tests of pdffonts, pdfimages, pdfto{html,ppm,ps,cairo}, pdfseparate against local files with no problems. All output as expected.

Good for 64 bits.

CC: (none) => tarazed25

mga6, x86_64

All packages already installed as a result of an earlier QA test.
Tried the POC as reported in comment 4.

CVE-2019-9959
$ pdftops raiter_issue5465.pdf /dev/null
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Internal Error: xref num 5 not found but needed, try to reconstruct<0a>
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Out of memory
Note, no core dump.

CVE-2019-10871
$ pdftops -level1sep poc_hbo test.ps
$ gs test.ps
This showed an image of two L's in white on a black background; i.e. the image was not rendered correctly.

12 packages updated.

CVE-2019-9959
$ pdftops raiter_issue5465.pdf /dev/null
Same result as before the update. Tidy exit, so this had probably been fixed already.

CVE-2019-10871
$ pdftops -level1sep poc_hbo test.ps
gs showed that test.ps looked the same as the source image, indicating that something had been fixed.

Ran similar tests to those in comment 4 to show that the utilities work OK. No problems.

So this update is OK.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK

Validating. Suggested advisory in Comment 3.

Keywords: (none) => validated_update
Thomas Backlund
2019-09-15 11:57:14 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0276.html

Status: ASSIGNED => RESOLVED
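The suggested advisory in Comment 3 describes CVE-2019-9959 as a stream length that is never checked for negative values and then used as a heap allocation size. The C program below is an added example and is not poppler's JPXStream code nor anything attached to this bug: it models that bug class on a constructed header whose `/Length` entry is read into a signed int, shows the unchecked conversion to `size_t` that turns a negative length into an attacker-chosen allocation size, and places a bounded reader beside it. The `/Length <n>` header format, the function names `parse_declared_length`, `unchecked_alloc_size` and `checked_read_stream`, and the `STREAM_ERR_*` codes are assumptions made for the demonstration.

```c
/*
 * Added example (not poppler code): a stream length read as a signed int
 * and used unchecked as an allocation size, beside a bounded reader.
 * The "/Length <n>" header, the function names and the error codes are
 * assumptions made for this demonstration.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    STREAM_OK = 0,
    STREAM_ERR_SYNTAX = 1,    /* no parsable /Length entry */
    STREAM_ERR_NEGATIVE = 2,  /* declared length is negative */
    STREAM_ERR_TRUNCATED = 3, /* declared length exceeds the bytes present */
    STREAM_ERR_OOM = 4        /* malloc failed */
};

/* Read "/Length <n>" into a plain int, the way an unchecked reader would.
 * Returns 0 on success, -1 if the entry is missing or is not an int. */
static int parse_declared_length(const char *hdr, int *len_out)
{
    const char *p = strstr(hdr, "/Length");
    if (p == NULL)
        return -1;
    p += strlen("/Length");
    errno = 0;
    char *end;
    long v = strtol(p, &end, 10);
    if (end == p || errno == ERANGE || v > INT_MAX || v < INT_MIN)
        return -1;
    *len_out = (int)v;
    return 0;
}

/* Vulnerable pattern: the signed length goes straight into a size_t.
 * -1 becomes SIZE_MAX and every negative value becomes a huge request,
 * so the allocation size is whatever the file says it is. The size is
 * returned instead of being passed to malloc so the demo runs safely;
 * a missing or unparsable entry yields 0. */
size_t unchecked_alloc_size(const char *hdr)
{
    int len;
    if (parse_declared_length(hdr, &len) != 0)
        return 0;
    return (size_t)len; /* the sign-extension and wrap happen here */
}

/* Hardened reader: reject negative lengths, refuse lengths larger than the
 * data actually present, and only then allocate and copy the payload.
 * On success *out is a malloc'd buffer the caller frees. */
int checked_read_stream(const char *hdr,
                        const unsigned char *data, size_t data_len,
                        unsigned char **out, size_t *out_len)
{
    int len;
    *out = NULL;
    *out_len = 0;
    if (parse_declared_length(hdr, &len) != 0)
        return STREAM_ERR_SYNTAX;
    if (len < 0)
        return STREAM_ERR_NEGATIVE;
    if ((size_t)len > data_len)
        return STREAM_ERR_TRUNCATED;
    unsigned char *buf = malloc(len > 0 ? (size_t)len : 1);
    if (buf == NULL)
        return STREAM_ERR_OOM;
    memcpy(buf, data, (size_t)len);
    *out = buf;
    *out_len = (size_t)len;
    return STREAM_OK;
}

int main(void)
{
    /* Constructed sample: an 8-byte payload behind headers that declare
     * a valid, an oversized and a negative length. */
    const unsigned char *payload = (const unsigned char *)"ABCDEFGH";
    const size_t payload_len = 8;
    const char *headers[] = {
        "<< /Length 4 >>", "<< /Length 64 >>", "<< /Length -1 >>"
    };

    for (size_t i = 0; i < 3; i++) {
        unsigned char *out;
        size_t n;
        int rc = checked_read_stream(headers[i], payload, payload_len, &out, &n);
        printf("%-18s unchecked would request %zu bytes, checked -> %d\n",
               headers[i], unchecked_alloc_size(headers[i]), rc);
        free(out);
    }
    return 0;
}
```

The unchecked variant reports the size it would request rather than calling malloc with it, so the program always runs to completion; in a tool that aborts when an allocation fails, the "Out of memory" followed by "Aborted (core dumped)" seen in the mga7 QA run above is what that wrap looks like from the outside, and a negative value that wraps to something the allocator can still satisfy hands the attacker a heap chunk of their chosen size instead. The bounded reader's second check (length against the bytes actually present) is what stops the same field from being used for an over-read once the sign check passes.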