Bug 21038 - poppler new security issues CVE-2017-7511, CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: feedback
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-07 12:43 CEST by David Walser
Modified: 2017-07-17 12:28 CEST

See Also:
Source RPM: poppler-0.26.5-2.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-06-07 12:43:10 CEST
Fedora has issued an advisory on June 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/

The upstream patch that fixed the issue is linked from the Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1456827

Patch doesn't apply cleanly for Mageia 5; will need to be rediffed.

Freeze push requested for Cauldron.

Comment 1 Marja van Waes 2017-06-07 21:45:03 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Comment 2 David Walser 2017-07-07 18:03:51 CEST
Ubuntu has issued an advisory on July 7:
https://www.ubuntu.com/usn/usn-3350-1/

CVE-2017-2820 and CVE-2017-9083 don't affect us since we're building against openjpeg.

CVE-2017-7511 had previously been fixed in Cauldron.

CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775 have now been patched in Cauldron (awaiting freeze push).

Comment 3 David Walser 2017-07-09 00:48:04 CEST
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed
certain malformed PDF documents. If a user or automated system were tricked
into opening a crafted PDF file, an attacker could cause poppler to crash,
resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain
malformed PDF documents. If a user or automated system were tricked into
opening a crafted PDF file, an attacker could cause poppler to hang,
resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing
PDF documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause poppler to consume resources,
resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler
pdftocairo tool incorrectly parsed certain malformed PDF documents. If a
user or automated system were tricked into opening a crafted PDF file, an
attacker could cause poppler to crash, resulting in a denial of service
(CVE-2017-9775).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/
https://www.ubuntu.com/usn/usn-3350-1/
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.2.mga5
libpoppler46-0.26.5-2.2.mga5
libpoppler-devel-0.26.5-2.2.mga5
libpoppler-cpp0-0.26.5-2.2.mga5
libpoppler-qt4-devel-0.26.5-2.2.mga5
libpoppler-qt5-devel-0.26.5-2.2.mga5
libpoppler-qt4_4-0.26.5-2.2.mga5
libpoppler-qt5_1-0.26.5-2.2.mga5
libpoppler-glib8-0.26.5-2.2.mga5
libpoppler-gir0.18-0.26.5-2.2.mga5
libpoppler-glib-devel-0.26.5-2.2.mga5
libpoppler-cpp-devel-0.26.5-2.2.mga5

poppler-0.26.5-2.2.mga5.src.rpm

Comment 4 David Walser 2017-07-17 12:28:07 CEST
Fedora has issued an advisory for this on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/

It includes two more CVEs: CVE-2017-9776 and CVE-2017-9865. I may need to add more patches.
