Bug 21038 - poppler new security issues CVE-2017-751[15], CVE-2017-940[68], CVE-2017-977[56], CVE-2017-9865
Summary: poppler new security issues CVE-2017-751[15], CVE-2017-940[68], CVE-2017-977[...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK
Keywords: validated_update
Depends on: 21516
Blocks:
Reported: 2017-06-07 12:43 CEST by David Walser
Modified: 2017-08-17 10:02 CEST (History)

See Also:
Source RPM: poppler-0.26.5-2.1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-06-07 12:43:10 CEST
Fedora has issued an advisory on June 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/

Upstream patch that fixed the issue is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1456827

Patch doesn't apply cleanly for Mageia 5; will need to be rediffed.

Freeze push requested for Cauldron.
Comment 1 Marja Van Waes 2017-06-07 21:45:03 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2017-07-07 18:03:51 CEST
Ubuntu has issued an advisory on July 7:
https://www.ubuntu.com/usn/usn-3350-1/

CVE-2017-2820 and CVE-2017-9083 don't affect us since we are building against openjpeg.

CVE-2017-7511 had previously been fixed in Cauldron.

CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775 have now been patched in Cauldron (awaiting freeze push).

Summary: poppler new security issue CVE-2017-7511 => poppler new security issues CVE-2017-7511, CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775

Comment 3 David Walser 2017-07-09 00:48:04 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed
certain malformed PDF documents. If a user or automated system were tricked
into opening a crafted PDF file, an attacker could cause poppler to crash,
resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain
malformed PDF documents. If a user or automated system were tricked into
opening a crafted PDF file, an attacker could cause poppler to hang,
resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing
PDF documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause poppler to consume resources,
resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler
pdftocairo tool incorrectly parsed certain malformed PDF documents. If a
user or automated system were tricked into opening a crafted PDF file, an
attacker could cause poppler to crash, resulting in a denial of service
(CVE-2017-9775).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/
https://www.ubuntu.com/usn/usn-3350-1/
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.2.mga5
libpoppler46-0.26.5-2.2.mga5
libpoppler-devel-0.26.5-2.2.mga5
libpoppler-cpp0-0.26.5-2.2.mga5
libpoppler-qt4-devel-0.26.5-2.2.mga5
libpoppler-qt5-devel-0.26.5-2.2.mga5
libpoppler-qt4_4-0.26.5-2.2.mga5
libpoppler-qt5_1-0.26.5-2.2.mga5
libpoppler-glib8-0.26.5-2.2.mga5
libpoppler-gir0.18-0.26.5-2.2.mga5
libpoppler-glib-devel-0.26.5-2.2.mga5
libpoppler-cpp-devel-0.26.5-2.2.mga5

poppler-0.26.5-2.2.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2017-07-17 12:28:07 CEST
Fedora has issued an advisory for this on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/

It includes two more CVEs: CVE-2017-9776 and CVE-2017-9865.  I may need to add more patches.

Whiteboard: (none) => feedback

Comment 5 PC LX 2017-08-07 02:58:03 CEST
Installed and tested the various pdf* commands without issues.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep poppler | sort
lib64poppler46-0.26.5-2.2.mga5
lib64poppler-glib8-0.26.5-2.2.mga5
lib64poppler-qt4_4-0.26.5-2.2.mga5
poppler-0.26.5-2.2.mga5

Whiteboard: feedback => feedback MGA5-64-OK
CC: (none) => mageia

Comment 6 David Walser 2017-08-13 17:01:02 CEST
Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed
certain malformed PDF documents. If a user or automated system were tricked
into opening a crafted PDF file, an attacker could cause poppler to crash,
resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain
malformed PDF documents. If a user or automated system were tricked into
opening a crafted PDF file, an attacker could cause poppler to hang,
resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing
PDF documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause poppler to consume resources,
resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler
pdftocairo tool incorrectly parsed certain malformed PDF documents. If a
user or automated system were tricked into opening a crafted PDF file, an
attacker could cause poppler to crash, resulting in a denial of service
(CVE-2017-9775).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/
https://www.ubuntu.com/usn/usn-3350-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.3.mga5
libpoppler46-0.26.5-2.3.mga5
libpoppler-devel-0.26.5-2.3.mga5
libpoppler-cpp0-0.26.5-2.3.mga5
libpoppler-qt4-devel-0.26.5-2.3.mga5
libpoppler-qt5-devel-0.26.5-2.3.mga5
libpoppler-qt4_4-0.26.5-2.3.mga5
libpoppler-qt5_1-0.26.5-2.3.mga5
libpoppler-glib8-0.26.5-2.3.mga5
libpoppler-gir0.18-0.26.5-2.3.mga5
libpoppler-glib-devel-0.26.5-2.3.mga5
libpoppler-cpp-devel-0.26.5-2.3.mga5

from poppler-0.26.5-2.3.mga5.src.rpm

Summary: poppler new security issues CVE-2017-7511, CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775 => poppler new security issues CVE-2017-751[15], CVE-2017-940[68], CVE-2017-977[56], CVE-2017-9865
Whiteboard: feedback MGA5-64-OK => (none)

Comment 7 David Walser 2017-08-13 17:02:06 CEST
Patched package uploaded for Mageia 5 to fix the issues from Comment 4.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed
certain malformed PDF documents. If a user or automated system were tricked
into opening a crafted PDF file, an attacker could cause poppler to crash,
resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain
malformed PDF documents. If a user or automated system were tricked into
opening a crafted PDF file, an attacker could cause poppler to hang,
resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing
PDF documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause poppler to consume resources,
resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler
pdftocairo tool incorrectly parsed certain malformed PDF documents. If a
user or automated system were tricked into opening a crafted PDF file, an
attacker could cause poppler to crash, resulting in a denial of service
(CVE-2017-9775).

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in
pdftocairo in Poppler allows attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
PDF document (CVE-2017-9776).

The function GfxImageColorMap::getGray in GfxState.cc in Poppler allows
attackers to cause a denial of service (stack-based buffer over-read and
application crash) via a crafted PDF document, related to missing color-map
validation in ImageOutputDev.cc (CVE-2017-9865).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/
https://www.ubuntu.com/usn/usn-3350-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.3.mga5
libpoppler46-0.26.5-2.3.mga5
libpoppler-devel-0.26.5-2.3.mga5
libpoppler-cpp0-0.26.5-2.3.mga5
libpoppler-qt4-devel-0.26.5-2.3.mga5
libpoppler-qt5-devel-0.26.5-2.3.mga5
libpoppler-qt4_4-0.26.5-2.3.mga5
libpoppler-qt5_1-0.26.5-2.3.mga5
libpoppler-glib8-0.26.5-2.3.mga5
libpoppler-gir0.18-0.26.5-2.3.mga5
libpoppler-glib-devel-0.26.5-2.3.mga5
libpoppler-cpp-devel-0.26.5-2.3.mga5

from poppler-0.26.5-2.3.mga5.src.rpm

David Walser 2017-08-13 17:29:36 CEST

Depends on: (none) => 21516
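The two bug classes named in the advisory text above for CVE-2017-9776 (integer overflow in an allocation size leading to a heap buffer overflow) and CVE-2017-9865 (a document-supplied component count indexing a fixed-size array without validation), shown as an added, self-contained C illustration. This is editorial example code, not poppler's JBIG2Stream.cc or GfxState.cc; the function names, the MAX_COMPS limit and the sample dimensions are assumptions chosen to make the wrap and the rejection visible.

```c
#include <stdint.h>
#include <stdio.h>

/* Editorial illustration of two bug classes from the advisory.
 * Hypothetical code: not poppler's JBIG2Stream.cc or GfxState.cc. */

/* ---- Class 1: integer overflow in an allocation size (cf. CVE-2017-9776) ---- */

/* Vulnerable form: the 32-bit product wraps, so a document declaring a huge
 * image gets a small heap buffer; writing the decoded rows then overflows it. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* silently reduced modulo 2^32 */
}

/* Overflow-aware multiply: returns -1 instead of wrapping. */
static int mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened form: rejects zero dimensions and any product that would wrap,
 * so the caller never allocates a buffer smaller than the data it will write. */
int image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp, uint32_t *out)
{
    uint32_t row;
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (mul_u32(width, bpp, &row) || mul_u32(row, height, out))
        return -1;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
uint32_t demo_checked_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t n = 0;
    return image_bytes_checked(width, height, bpp, &n) == 0 ? n : 0;
}

/* ---- Class 2: untrusted component count indexing a fixed array (cf. CVE-2017-9865) ---- */

#define MAX_COMPS 4   /* assumed fixed limit, like a fixed-size colour component array */

typedef struct {
    int ncomps;                       /* declared by the document */
    uint8_t lookup[MAX_COMPS][256];   /* per-component lookup table */
} colormap_t;

/* Vulnerable form: trusts cm->ncomps. With ncomps > MAX_COMPS the loop reads
 * past lookup[], i.e. a buffer over-read off the end of the struct. */
int gray_unchecked(const colormap_t *cm, const uint8_t *pixel)
{
    int sum = 0;
    for (int i = 0; i < cm->ncomps; i++)
        sum += cm->lookup[i][pixel[i]];
    return sum / cm->ncomps;
}

/* Hardened form: validate the declared count once, where the map is built,
 * so every later lookup stays inside the array. Identity tables here. */
int colormap_init(colormap_t *cm, int ncomps)
{
    if (ncomps < 1 || ncomps > MAX_COMPS)
        return -1;                    /* reject the malformed colour map */
    cm->ncomps = ncomps;
    for (int c = 0; c < ncomps; c++)
        for (int v = 0; v < 256; v++)
            cm->lookup[c][v] = (uint8_t)v;
    return 0;
}

/* Gray value as the mean of the components; re-checks the bound defensively. */
int colormap_gray(const colormap_t *cm, const uint8_t *pixel)
{
    if (cm->ncomps < 1 || cm->ncomps > MAX_COMPS)
        return -1;
    int sum = 0;
    for (int i = 0; i < cm->ncomps; i++)
        sum += cm->lookup[i][pixel[i]];
    return sum / cm->ncomps;
}

/* Convenience wrapper: gray of a 3-component pixel under a map declaring
 * ncomps components, or -1 when the declared count is rejected. */
int demo_gray3(int ncomps, uint8_t a, uint8_t b, uint8_t c)
{
    colormap_t cm;
    uint8_t px[3] = { a, b, c };
    if (colormap_init(&cm, ncomps) != 0)
        return -1;
    return colormap_gray(&cm, px);
}

int main(void)
{
    printf("unchecked 65537x65536x1 -> %u bytes\n", image_bytes_unchecked(65537u, 65536u, 1u));
    printf("checked   65537x65536x1 -> %u bytes (0 = rejected)\n", demo_checked_size(65537u, 65536u, 1u));
    printf("colormap declaring 8 comps -> gray %d (-1 = rejected)\n", demo_gray3(8, 10, 20, 30));
    return 0;
}
```

The unchecked computation hands a 4-gigapixel image a 64 KiB buffer, which is exactly the precondition for the heap overflow the advisory describes; the checked form fails the header before any allocation. For the colour map, the point is to validate the count at parse time rather than at every lookup, but the lookup keeps a cheap bound check as defence in depth.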

Comment 8 PC LX 2017-08-17 01:03:43 CEST
Installed and tested the various pdf* commands without issues.

System: Mageia 5, x86_64, Plasma, Intel CPU, nVidia GPU using proprietary driver nvidia340.

$ uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep poppler
poppler-0.26.5-2.3.mga5
lib64poppler-qt4_4-0.26.5-2.3.mga5
lib64poppler46-0.26.5-2.3.mga5
lib64poppler-glib8-0.26.5-2.3.mga5

Whiteboard: (none) => MGA5-64-OK

Comment 9 Rémi Verschelde 2017-08-17 08:02:35 CEST
Advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2017-08-17 10:02:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0276.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

