Bug 27687

Summary: poppler new security issue CVE-2020-27778
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jani.valimaa, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: poppler-0.74.0-3.3.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-11-29 17:11:06 CET 
Ubuntu has issued an advisory on November 25:
https://ubuntu.com/security/notices/USN-4646-1

The issue is fixed upstream in 0.76.
Comment 1 David Walser 2020-11-29 19:28:04 CET 
Update incoming by Jani.

Advisory:
========================

Updated poppler packages fix security vulnerability:

buffer overflow in pdftohtml could result in a DoS (CVE-2020-27778).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27778
https://ubuntu.com/security/notices/USN-4646-1

CC: (none) => jani.valimaa

Comment 2 Jani Välimaa 2020-11-29 19:29:25 CET 
Added an upstream patch to poppler-0.74.0-3.4.mga7 to fix the issue, please test.

SRPMS:
poppler-0.74.0-3.4.mga7

RPMS:
poppler-0.74.0-3.4.mga7
lib(64)poppler85-0.74.0-3.4.mga7
lib(64)poppler-devel-0.74.0-3.4.mga7
lib(64)poppler-cpp0-0.74.0-3.4.mga7
lib(64)poppler-qt5-devel-0.74.0-3.4.mga7
lib(64)poppler-qt5_1-0.74.0-3.4.mga7
lib(64)poppler-glib8-0.74.0-3.4.mga7
lib(64)poppler-gir0.18-0.74.0-3.4.mga7
lib(64)poppler-glib-devel-0.74.0-3.4.mga7
lib(64)poppler-cpp-devel-0.74.0-3.4.mga7

Assignee: bugsquad => qa-bugs

Comment 3 Len Lawrence 2020-11-29 22:42:27 CET 
$ rpm -qa | grep poppler
lib64poppler-devel-0.74.0-3.3.mga7
lib64poppler-cpp0-0.74.0-3.3.mga7
lib64poppler-glib8-0.74.0-3.3.mga7
lib64poppler85-0.74.0-3.3.mga7
poppler-data-0.4.9-2.mga7
lib64poppler-qt5_1-0.74.0-3.3.mga7
lib64poppler-gir0.18-0.74.0-3.3.mga7
lib64poppler-cpp-devel-0.74.0-3.3.mga7
poppler-0.74.0-3.3.mga7
lib64poppler-glib-devel-0.74.0-3.3.mga7

Updated the packages:
Some dependencies gave trouble:
The following packages can't be installed because they depend on packages
that are older than the installed ones:
lib64input-devel-1.13.2-1.mga7
lib64qt5eglfsdeviceintegration-devel-5.12.6-4.mga7
lib64qt5gui-devel-5.12.6-4.mga7
lib64poppler-qt5-devel-0.74.0-3.4.mga7
Continue installation anyway? (Y/n) 

$ rpm -qa | grep poppler
lib64poppler-glib8-0.74.0-3.4.mga7
lib64poppler85-0.74.0-3.4.mga7
poppler-data-0.4.9-2.mga7
lib64poppler-cpp0-0.74.0-3.4.mga7
lib64poppler-cpp-devel-0.74.0-3.4.mga7
poppler-0.74.0-3.4.mga7
lib64poppler-devel-0.74.0-3.4.mga7
lib64poppler-qt5_1-0.74.0-3.4.mga7
lib64poppler-glib-devel-0.74.0-3.4.mga7
lib64poppler-gir0.18-0.74.0-3.4.mga7

That is all OK.
Moved to a folder containing some PDF files.
$ pdffonts AN202003March2020.pdf
[....]
CBJSPS+Helvetica-Condensed-Oblique   Type 1C           Custom           yes yes yes   9024  0
CBJSPS+HelveticaNeue-Bold            TrueType          WinAnsi          yes yes yes   9018  0
CBJSPS+HelveticaNeue-CondensedBlack-SC700 TrueType          WinAnsi          yes yes yes   9021  0
CBJSPS+Helvetica                     TrueType          WinAnsi          yes yes no    9020  0
$ pdftohtml AN202003March2020.pdf
[...]
Page-115
Page-116

Generated HTML pages and extracted embedded images from Astronomy Now.
AN202003March2020.html
 AN202003March2020-70_629.jpg              AN202003March2020_ind.html
 AN202003March2020-70_62.png               AN202003March2020.pdf
 AN202003March2020-70_630.jpg              AN202003March2020s.html

$ firefox AN202003March2020.html
Displayed the whole magazine via a page index.
Exercized a few more of the utilities, which all did what they were supposed to.

This is OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25

Comment 4 Aurelien Oudelet 2020-12-01 10:07:53 CET 
Validating update.
Advisory pushed to SVN.

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 5 Mageia Robot 2020-12-03 10:56:04 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0445.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED