Bug 29161

Summary: htmldoc new security issue CVE-2021-20308
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM: htmldoc-1.9.8-2.mga9.src.rpm CVE: CVE-2021-20308
Status comment:
Bug Depends on:    
Bug Blocks: 29101    

Description David Walser 2021-06-21 19:26:55 CEST 
openSUSE has issued an advisory on June 17:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RXMQHLXPNKTCGM4HNTMLHF7NWL3ZXKIO/

The issue is fixed upstream in 1.9.12.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-21 19:27:34 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 1.9.12
Blocks: (none) => 29101
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-06-22 09:10:01 CEST 
Changing NicolasS from CC to assignee; you very recently did loads of CVE updates to htmldoc - but not this one!

Assignee: bugsquad => nicolas.salguero
CC: nicolas.salguero => (none)

Comment 2 Nicolas Salguero 2021-06-22 14:09:06 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Integer overflow in the htmldoc 1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service that is similar to CVE-2017-9181. (CVE-2021-20308)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20308
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RXMQHLXPNKTCGM4HNTMLHF7NWL3ZXKIO/
========================

Updated packages in 7/core/updates_testing:
========================
htmldoc-1.9.3-2.3.mga7
htmldoc-nogui-1.9.3-2.3.mga7

from SRPM:
htmldoc-1.9.3-2.3.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
htmldoc-1.9.8-1.2.mga8
htmldoc-nogui-1.9.8-1.2.mga8

from SRPM:
htmldoc-1.9.8-1.2.mga8.src.rpm

Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.9.12 => (none)
Version: Cauldron => 8
CVE: (none) => CVE-2021-20308

Comment 3 David Walser 2021-06-22 14:34:56 CEST 
Advisory from Bug 29101 needs to be combined into this one.
Comment 4 Herman Viaene 2021-06-25 15:01:10 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
tried htmldoc from menu with gui, converted html file to pdf OK.
At CLI:
$ htmldoc-nogui -f donderdag2.pdf --webpage donderdag.html 
PAGES: 18
BYTES: 320364
fpdf file OK.
Good enoughfor me.

CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 5 David Walser 2021-07-01 00:32:12 CEST 
PoC is here:
https://github.com/michaelrsweet/htmldoc/issues/423
Comment 6 David Walser 2021-07-01 14:36:16 CEST 
Debian-LTS has issued an advisory for this today (July 1):
https://www.debian.org/lts/security/2021/dla-2700

It has all of the CVEs.
Comment 7 David Walser 2021-07-09 00:06:12 CEST 
Tested PoC from Comment 5.

Before:
$ htmldoc --webpage -f out.pdf htmldoc-poc.html
PAGES: 2
Segmentation fault (core dumped)

After:
$ htmldoc --webpage -f out.pdf htmldoc-poc.html
ERR011: Unable to load image file "htmldoc-poc.gif"!
PAGES: 1
BYTES: 38849

Looks good on Mageia 8 x86_64.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 8 Thomas Andrews 2021-07-09 01:38:39 CEST 
Validating. Advisory in Comment 2, with an important note in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 David Walser 2021-07-09 19:00:19 CEST 
Good PoC tests for the other CVEs in:
https://bugs.mageia.org/show_bug.cgi?id=29101#c6

Advisory should combine:
https://bugs.mageia.org/show_bug.cgi?id=29101#c2
https://bugs.mageia.org/show_bug.cgi?id=29161#c2
Thomas Backlund 2021-07-10 12:47:27 CEST

Keywords: (none) => advisory

Comment 10 Mageia Robot 2021-07-10 14:58:44 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0332.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED