Bug 32242

Summary: poppler new security issues CVE-2020-3602[34]
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, mageia, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: poppler-20.12.1-1.3.mga8.src.rpm CVE:
Status comment:

Description Nicolas Salguero 2023-09-05 08:58:06 CEST 
Ubuntu has issued an advisory on August 17:
https://ubuntu.com/security/notices/USN-6299-1

The issues are fixed upstream in 21.01.0 so only Mageia 8 is affected.
Nicolas Salguero 2023-09-05 08:58:51 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 21.01.0
Source RPM: (none) => poppler-20.12.1-1.3.mga8.src.rpm

Comment 1 Nicolas Salguero 2023-09-05 13:49:29 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function. (CVE-2020-36023)

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::convertToType1 function. (CVE-2020-36024)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36024
https://ubuntu.com/security/notices/USN-6299-1
========================

Updated packages in core/updates_testing:
========================
lib(64)poppler105-20.12.1-1.4.mga8
lib(64)poppler-cpp0-20.12.1-1.4.mga8
lib(64)poppler-cpp-devel-20.12.1-1.4.mga8
lib(64)poppler-devel-20.12.1-1.4.mga8
lib(64)poppler-gir0.18-20.12.1-1.4.mga8
lib(64)poppler-glib8-20.12.1-1.4.mga8
lib(64)poppler-glib-devel-20.12.1-1.4.mga8
lib(64)poppler-qt5_1-20.12.1-1.4.mga8
lib(64)poppler-qt5-devel-20.12.1-1.4.mga8
poppler-20.12.1-1.4.mga8

from SRPM:
poppler-20.12.1-1.4.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2023-09-05 15:22:53 CEST

Status comment: Fixed upstream in 21.01.0 => (none)
Assignee: nicolas.salguero => qa-bugs

PC LX 2023-09-06 11:16:36 CEST

CC: (none) => mageia

Comment 2 Herman Viaene 2023-09-07 11:15:32 CEST 
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 30805 for testing

$ pdftohtml handleidingVM.pdf testpoppler.html
Page-1
Page-2
Page-3
Page-4
Page-5
Page-6
Page-7
Page-8
Page-9
 link to page 6 Page-10
Page-11
Page-12
Opened correctly in Firefox with a page index as a lefthand column of links and the text and graphics to the right.
[tester8@mach7 Documents]$ pdftotext handleidingVM.pdf VM.txt
Opened with mousepad and text is complete with indicators where graphical items occured in the original document.
Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2023-09-08 22:21:26 CEST 
Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-09-11 03:00:42 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2023-09-11 15:10:02 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0262.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED