Bug 30805

Summary:	poppler new security issue CVE-2022-38784
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	poppler-20.12.1-1.1.mga8.src.rpm	CVE:	CVE-2022-38784
Status comment:

Description David Walser 2022-09-02 18:27:09 CEST

Poppler 22.09.0 has been released on September 1, fixing a security issue:
https://poppler.freedesktop.org/releases.html

The issue is similar to CVE-2022-38171 for xpdf (Bug 30804).  I don't know if there are/were issues in poppler similar to the other CVEs in Bug 30804 or if we've addressed them yet.

Mageia 8 is also affected.

David Walser 2022-09-02 18:27:20 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 22.09.0

Comment 1 David Walser 2022-09-04 02:36:39 CEST

poppler-22.09.0-1.mga9 uploaded for Cauldron by Jani.

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 2 David Walser 2022-09-06 14:30:23 CEST

Some more background on this:
https://www.openwall.com/lists/oss-security/2022/09/02/11

Comment 3 David Walser 2022-09-07 19:02:06 CEST

Debian has issued an advisory for this on September 6:
https://www.debian.org/security/2022/dsa-5224

Comment 4 David Walser 2022-09-13 14:13:55 CEST

Ubuntu has issued an advisory for this on September 12:
https://ubuntu.com/security/notices/USN-5606-1

Comment 5 David Walser 2022-09-15 14:05:52 CEST

(In reply to David Walser from comment #4)
> Ubuntu has issued an advisory for this on September 12:
> https://ubuntu.com/security/notices/USN-5606-1

A further update was needed to complete the fix:
https://ubuntu.com/security/notices/USN-5606-2

Comment 6 David Walser 2022-09-22 14:08:25 CEST

Fedora has issued an advisory for this today (September 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQAO6O2XHPQHNW2MWOCJJ4C3YWS2VV4K/

Comment 7 David Walser 2022-09-26 23:58:39 CEST

Debian-LTS has issued an advisory for this today (September 26):
https://www.debian.org/lts/security/2022/dla-3120

Comment 8 Nicolas Salguero 2022-10-19 10:49:29 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf. (CVE-2022-38784)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38784
https://www.openwall.com/lists/oss-security/2022/09/02/11
https://www.debian.org/security/2022/dsa-5224
https://ubuntu.com/security/notices/USN-5606-1
https://ubuntu.com/security/notices/USN-5606-2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQAO6O2XHPQHNW2MWOCJJ4C3YWS2VV4K/
https://www.debian.org/lts/security/2022/dla-3120
========================

Updated packages in core/updates_testing:
========================
lib(64)poppler105-20.12.1-1.2.mga8
lib(64)poppler-cpp0-20.12.1-1.2.mga8
lib(64)poppler-cpp-devel-20.12.1-1.2.mga8
lib(64)poppler-devel-20.12.1-1.2.mga8
lib(64)poppler-gir0.18-20.12.1-1.2.mga8
lib(64)poppler-glib8-20.12.1-1.2.mga8
lib(64)poppler-glib-devel-20.12.1-1.2
lib(64)poppler-qt5_1-20.12.1-1.2.mga8
lib(64)poppler-qt5-devel-20.12.1-1.2.mga8
poppler-20.12.1-1.2.mga8

from SRPM:
poppler-20.12.1-1.2.mga8.src.rpm

CVE: (none) => CVE-2022-38784
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 22.09.0 => (none)
Source RPM: poppler-22.07.0-1.mga9.src.rpm => poppler-20.12.1-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: jani.valimaa => qa-bugs

Comment 9 Len Lawrence 2022-10-20 00:50:50 CEST

MGA8, x64
Started with
lib64poppler-cpp-devel-20.12.1-1.1.mga8
lib64poppler-gir0.18-20.12.1-1.1.mga8
lib64poppler-qt5-devel-20.12.1-1.1.mga8
lib64poppler-glib8-20.12.1-1.1.mga8
lib64poppler-devel-20.12.1-1.1.mga8
lib64poppler-cpp0-20.12.1-1.1.mga8
lib64poppler-glib-devel-20.12.1-1.1.mga8
lib64poppler105-20.12.1-1.1.mga8
lib64poppler-qt5_1-20.12.1-1.1.mga8

$ urpmq --whatrequires lib64poppler105-20.12.1| uniq | grep -v lib64poppler
calligra-stage
calligra-words
gambas3-gb-pdf
gambas3-gb-poppler
inkscape
lib64gdal27
lib64kpimitinerary5
libreoffice-pdfimport
openboard
pdf2djvu
poppler
scribus
texlive

Updated the whole list from testing: qarepo(* fuzzy) -> MageiaUpdate.
Referred to bug 30690 for testing.
$ pdftohtml UsingDocker.pdf docker.html
355 pages converted.  Viewed docker.html with firefox which displayed a page index as a lefthand column of links and the text and graphics to the right.
Tried the other pdf utilities and noted no regressions.

Installed pdf2djvu.
$ strace -o djvu.trace pdf2djvu -o test.djv module_cheat_sheet.pdf
module_cheat_sheet.pdf:
- page #1 -> #1
0.021 bits/pixel; 6.079:1, 83.55% saved, 136259 bytes in, 22416 bytes out
$ ll *.djv
-rw-r--r-- 1 lcl lcl 22416 Oct 19 23:45 test.djv
$ grep poppler djvu.trace
openat(AT_FDCWD, "/lib64/libpoppler.so.105", O_RDONLY|O_CLOEXEC) = 3

Looks like this can go out.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 10 Thomas Andrews 2022-10-20 01:17:08 CEST

Validating. Advisory in Comment 8.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-23 23:43:28 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 11 Mageia Robot 2022-10-24 00:49:55 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0386.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED