Bug 11560 - poppler new security issues CVE-2013-4473 and CVE-2013-4474
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/573532/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update

Reported: 2013-10-29 19:03 CET by David Walser
Modified: 2013-11-20 21:59 CET

Source RPM: poppler-0.24.2-2.mga4.src.rpm

Description David Walser 2013-10-29 19:03:49 CET
CVEs have been allocated for a few security issues in poppler:
http://openwall.com/lists/oss-security/2013/10/29/1

There is also CVE-2013-4472 which also affects xpdf, but we'll have to handle that later as there is not a fix available for it yet.

CVE-2013-4473 was fixed in 0.24.2 (already in Cauldron) here:
http://cgit.freedesktop.org/poppler/poppler/diff/utils/pdfseparate.cc?id=b8682d868ddf7f741e93b

CVE-2013-4474 was fixed in 0.24.3 here:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75

Comment 1 Oden Eriksson 2013-10-30 14:05:19 CET
Fixed with poppler-0.22.1-1.1.mga3 but the patch needs to be ported to poppler-0.18.4 in mga2

http://svnweb.mageia.org/packages?view=revision&revision=547921
Comment 2 Oden Eriksson 2013-10-30 14:06:35 CET
And for cauldron, either submit the latest version or patch it to fix CVE-2013-4474.

cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75
Comment 3 David Walser 2013-10-30 15:03:06 CET
Thanks Oden!

Hopefully we'll get a backported patch for 0.18.x from another distro.

Oden has also requested a freeze push for 0.24.3 for Cauldron.

Uploaded for Mageia 3:
poppler-0.22.1-1.1.mga3
libpoppler34-0.22.1-1.1.mga3
libpoppler-devel-0.22.1-1.1.mga3
libpoppler-cpp0-0.22.1-1.1.mga3
libpoppler-qt4-devel-0.22.1-1.1.mga3
libpoppler-qt4_4-0.22.1-1.1.mga3
libpoppler-glib8-0.22.1-1.1.mga3
libpoppler-gir0.18-0.22.1-1.1.mga3
libpoppler-glib-devel-0.22.1-1.1.mga3
libpoppler-cpp-devel-0.22.1-1.1.mga3

from poppler-0.22.1-1.1.mga3.src.rpm
Comment 4 David Walser 2013-10-31 17:37:36 CET
poppler-0.24.3-1.mga4 has been uploaded for Cauldron.
Comment 5 David Walser 2013-11-11 20:14:54 CET
Fedora has issued an advisory for this on November 1:
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121297.html
Comment 6 David Walser 2013-11-19 00:07:49 CET
Fedora issued an update for Fedora 18 with poppler 0.20.2, so backporting the patches from there to 0.18.4 was easy.  The CVE-2013-4473 patch applied cleanly, and the CVE-2013-4474 patch only needed a minor change.

Assigning to QA now.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Poppler is found to be affected by a stack-based buffer overflow vulnerability
in the pdfseparate utility. Successfully exploiting this issue could allow
remote attackers to execute arbitrary code in the context of the affected
application. Failed exploits may result in denial-of-service conditions
(CVE-2013-4473).

Poppler was found to have a user-controlled format string vulnerability because
it fails to sanitize user-supplied input. An attacker may exploit this issue to
execute arbitrary code in the context of the vulnerable application. Failed
exploit attempts will likely result in a denial-of-service condition
(CVE-2013-4474).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4474
https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121297.html
========================

Updated packages in core/updates_testing:
========================
poppler-0.18.4-2.3.mga2
libpoppler19-0.18.4-2.3.mga2
libpoppler-devel-0.18.4-2.3.mga2
libpoppler-cpp0-0.18.4-2.3.mga2
libpoppler-qt4-devel-0.18.4-2.3.mga2
libpoppler-qt4-3-0.18.4-2.3.mga2
libpoppler-glib8-0.18.4-2.3.mga2
libpoppler-gir0.18-0.18.4-2.3.mga2
libpoppler-glib-devel-0.18.4-2.3.mga2
libpoppler-cpp-devel-0.18.4-2.3.mga2
poppler-0.22.1-1.1.mga3
libpoppler34-0.22.1-1.1.mga3
libpoppler-devel-0.22.1-1.1.mga3
libpoppler-cpp0-0.22.1-1.1.mga3
libpoppler-qt4-devel-0.22.1-1.1.mga3
libpoppler-qt4_4-0.22.1-1.1.mga3
libpoppler-glib8-0.22.1-1.1.mga3
libpoppler-gir0.18-0.22.1-1.1.mga3
libpoppler-glib-devel-0.22.1-1.1.mga3
libpoppler-cpp-devel-0.22.1-1.1.mga3

from SRPMS:
poppler-0.18.4-2.3.mga2.src.rpm
poppler-0.22.1-1.1.mga3.src.rpm
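
The two bug classes named in the advisory above (an unbounded write into a stack buffer, and a format string taken from user input) typically meet in code that builds an output file name from a user-supplied `%d` pattern, which is how pdfseparate names its per-page files. The C code below is an added example, not poppler's code or the upstream patch: it accepts a pattern only if it holds exactly one plain `%d`, then formats with a bounded write. `pattern_is_safe` and `build_page_path` are hypothetical names, and the sample patterns are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 only if the pattern holds exactly one conversion and it is a
 * plain "%d". "%%" is accepted as a literal percent sign. Anything else
 * (%s, %n, %5d, a second %d, a trailing '%') is rejected. */
static int pattern_is_safe(const char *pattern)
{
    int conversions = 0;
    for (const char *p = pattern; *p; p++) {
        if (*p != '%')
            continue;
        p++;                 /* character that follows the '%' */
        if (*p == '%')
            continue;        /* "%%" is a literal percent */
        if (*p != 'd')
            return 0;        /* also catches '\0' after a trailing '%' */
        conversions++;
    }
    return conversions == 1;
}

/* Builds the output path for one page. Returns 0 on success, -1 if the
 * pattern is rejected or the result does not fit in out[out_size]. */
int build_page_path(char *out, size_t out_size, const char *pattern, int page_no)
{
    if (out == NULL || out_size == 0 || pattern == NULL)
        return -1;
    if (!pattern_is_safe(pattern))
        return -1;
    /* Unsafe form, for contrast: sprintf(out, pattern, page_no);
     * the write is unbounded and the caller's string is the format. */
    int n = snprintf(out, out_size, pattern, page_no);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';       /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[32];
    /* Constructed sample patterns. */
    const char *samples[] = { "page-%d.pdf", "page-%s.pdf", "page-%d-%d.pdf", "100%%-%d.pdf" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_page_path(path, sizeof path, samples[i], 7);
        printf("%-16s -> %s\n", samples[i], rc == 0 ? path : "(rejected)");
    }
    return 0;
}
```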
Comment 7 claire robinson 2013-11-19 10:44:31 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=9390#c3
Comment 8 claire robinson 2013-11-19 11:12:41 CET
Advisory uploaded. Please remove 'advisory' tag from whiteboard if anything changes.
Comment 9 claire robinson 2013-11-19 13:56:40 CET
Testing complete mga2 32
Comment 10 claire robinson 2013-11-19 14:08:02 CET
Testing complete mga2 64
Comment 11 claire robinson 2013-11-19 14:33:15 CET
Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 12 Thomas Backlund 2013-11-20 21:59:32 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0332.html
