Bug 26048

Summary: Patch libpoppler to prevent crashes when opening signed PDFs
Product: Mageia Reporter: Yuri Chornoivan <yurchor>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: jani.valimaa, sysadmin-bugs, tarazed25, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: poppler-0.74.0-3.2.mga7.src.rpm CVE:
Status comment:
Attachments: Example double signed PDF file to crash Okular

Description Yuri Chornoivan 2020-01-10 17:48:37 CET 
Description of problem: There is a bug in the libpoppler code which can be patched like this

https://gitlab.freedesktop.org/poppler/poppler/commit/eaeac5c7dba6f53acef3f0be6b226facecfc5f28.diff

it was reported as Okular bug

https://bugs.kde.org/show_bug.cgi?id=407338

then moved to libpoppler

https://gitlab.freedesktop.org/poppler/poppler/issues/766

then fixed

https://gitlab.freedesktop.org/poppler/poppler/merge_requests/271

but people still reporting it

https://bugs.kde.org/show_bug.cgi?id=416055

It is worth to consider patching our libpoppler to prevent bad feelings by our users. Thanks.

Version-Release number of selected component (if applicable): 0.74


How reproducible: always


Steps to Reproduce:
1. Try to open files from this bug report and all of its duplicates in Okular

https://bugs.kde.org/show_bug.cgi?id=407338
2. Okular crashes.
Comment 1 Lewis Smith 2020-01-11 21:27:33 CET 
Created attachment 11451 [details]
Example double signed PDF file to crash Okular

Thank you Yuri for all the information and pointers.
Attaching the test PDF which does indeed crash Okular. But NOT:
 Atril
 Evince
 Xreader
$ urpmq --requires atril | grep poppler
libpoppler-glib.so.8()(64bit)
$ urpmq --requires evince | grep poppler
libpoppler-glib.so.8()(64bit)
$ urpmq --requires xreader | grep poppler
-
$ urpmq --requires okular | grep poppler
libpoppler-qt5.so.1()(64bit)
 and the relevant packages on my system are:
lib64poppler85-0.74.0-3.2.mga7
lib64poppler-glib8-0.74.0-3.2.mga7
lib64poppler-qt5_1-0.74.0-3.2.mga7
poppler-0.74.0-3.2.mga7
poppler-data-0.4.9-2.mga7
 but all the libraries are from the same SRPM as in the bug header.
Comment 2 Lewis Smith 2020-01-11 21:31:47 CET 
Poppler has no registered maintainer, so assigning globally; but wally has done all recent commits, so CC'ing him (I apologise if this is wrong).

Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa
Source RPM: lib64poppler85-0.74.0-3.2.mga7.src.rpm => poppler-0.74.0-3.2.mga7.src.rpm

Comment 3 Jani Välimaa 2020-01-12 11:57:41 CET 
Pushed poppler with a patch [1] from upstream to mga7 core/udpates_testing. Please test.

[1] https://gitlab.freedesktop.org/poppler/poppler/commit/eaeac5c7dba6f53acef3f0be6b226facecfc5f28

SPRMS:
poppler-0.74.0-3.3.mga7

RPMS:
poppler-0.74.0-3.3.mga7
lib(64)poppler85-0.74.0-3.3.mga7
lib(64)poppler-devel-0.74.0-3.3.mga7
lib(64)poppler-cpp0-0.74.0-3.3.mga7
lib(64)poppler-qt5-devel-0.74.0-3.3.mga7
lib(64)poppler-qt5_1-0.74.0-3.3.mga7
lib(64)poppler-glib8-0.74.0-3.3.mga7
lib(64)poppler-gir0.18-0.74.0-3.3.mga7
lib(64)poppler-glib-devel-0.74.0-3.3.mga7
lib(64)poppler-cpp-devel-0.74.0-3.3.mga7

Assignee: pkg-bugs => qa-bugs

Comment 4 Len Lawrence 2020-01-12 18:49:18 CET 
Mageia7, x86_64
*Before updates*
Installed whatever was missing.
$ okular sample_sig_victor.pdf 
Segmentation fault (core dumped)

Updated the ten packages via MageiaUpdate.

*After updates*
$ okular sample_sig_victor.pdf
okular opened the document.
Enabled the signatures panel and checked the two pages.
Read the rest of the document.

All fixed.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2020-01-13 17:15:07 CET

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 5 Mageia Robot 2020-01-13 17:52:26 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2020-0021.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED