Bug 26304

Summary:	pdfresurrect new security issue CVE-2020-9549
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, geiger.david68210, nicolas.salguero, sysadmin-bugs, tarazed25, tmb
Version:	7	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA7-64-OK
Source RPM:	pdfresurrect-0.18-1.mga7.src.rpm	CVE:	CVE-2020-9549
Status comment:

Description David Walser 2020-03-05 22:59:18 CET

Debian-LTS has issued an advisory today (February 5):
https://www.debian.org/lts/security/2020/dla-2134

Mageia 7 is also affected.

David Walser 2020-03-05 22:59:34 CET

Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-03-06 07:37:44 CET

Fixed both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 Nicolas Salguero 2020-03-06 13:36:53 CET

Suggested advisory:
========================

The updated package fixes a security vulnerability:

In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-of-bounds write via a crafted PDF document. (CVE-2020-9549)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9549
https://www.debian.org/lts/security/2020/dla-2134
========================

Updated package in core/updates_testing:
========================
pdfresurrect-0.18-1.1.mga7

from SRPM:
pdfresurrect-0.18-1.1.mga7.src.rpm

Source RPM: pdfresurrect-0.19-2.mga8.src.rpm => pdfresurrect-0.18-1.mga7.src.rpm
Status: NEW => ASSIGNED
Status comment: Patches available from upstream => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 7
CVE: (none) => CVE-2020-9549
Whiteboard: MGA7TOO => (none)
Assignee: bugsquad => qa-bugs

Thomas Backlund 2020-03-06 22:45:04 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 3 Len Lawrence 2020-03-08 18:41:15 CET

mga7, x86_64

CVE-2020-9549
https://github.com/enferex/pdfresurrect/issues/8
Downloaded Remoteattacksurfaces.pdf

$ pdfresurrect Remoteattacksurfaces.pdf -q
Remoteattacksurfaces.pdf: 2
$ pdfresurrect Remoteattacksurfaces.pdf -w
Segmentation fault (core dumped)
$ pdfresurrect Remoteattacksurfaces.pdf -i
....
Remoteattacksurfaces.pdf: --A-- Version 1 -- Object 2039 (FontDescriptor)
Segmentation fault (core dumped)

Updated the package and ran the suspect file past it.
$ pdfresurrect Remoteattacksurfaces.pdf -i
....
Remoteattacksurfaces.pdf: --A-- Version 1 -- Object 5831 (Stream)
---------- Remoteattacksurfaces.pdf ----------
Versions: 2
Version 1 -- 5832 objects
PDF Version: 1.5
Title: 
Author: (chris)
Subject: 
Keywords: 
Creator: (��
Producer: 
CreationDate: 
ModDate: 
Trapped: 

$ pdfresurrect Remoteattacksurfaces.pdf -q
Remoteattacksurfaces.pdf: 2
$ pdfresurrect Remoteattacksurfaces.pdf -w
[pdfresurrect] -- Error -- This directory already exists, PDF version extraction will not occur.
<Not sure what this means but it looks relatively harmless>
New directory appeared:
$ ls Remoteattacksurfaces-versions/
Remoteattacksurfaces-version-1.pdf  Remoteattacksurfaces-versions.summary
Remoteattacksurfaces-version-2.pdf

No crashes anyway.
Trying it on another document.
$ pdfresurrect RustProgrammingLanguage.pdf -i -q
RustProgrammingLanguage.pdf: 2
PDF Version: 1.6
$ pdfresurrect RustProgrammingLanguage.pdf -w
$ ls RustProgrammingLanguage-versions
RustProgrammingLanguage-version-1.pdf  RustProgrammingLanguage-version-3.pdf
RustProgrammingLanguage-version-2.pdf  RustProgrammingLanguage-versions.summary
$ cd RustProgrammingLanguage-versions
$ cat RustProgrammingLanguage-versions.summary
RustProgrammingLanguage.pdf: This PDF contains potential cross reference streams.
RustProgrammingLanguage.pdf: An object summary is not available.
---------- RustProgrammingLanguage.pdf ----------
Versions: 2

We can probably go with this.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2020-03-08 21:50:35 CET

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2020-03-08 23:39:04 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0133.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED