Bug 21516 - poppler new security issues CVE-2017-9776 and CVE-2017-9865
Summary: poppler new security issues CVE-2017-9776 and CVE-2017-9865
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All, OS: Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK advisory MGA6-64-OK
Keywords: validated_update
Depends on:
Blocks: 21038
Reported: 2017-08-13 17:29 CEST by David Walser
Modified: 2017-09-03 17:11 CEST

See Also:
Source RPM: poppler-0.52.0-3.mga6.src.rpm
CVE:
Status comment:


Attachments
Test case for CVE-2017-9865 (26.05 KB, application/pdf)
2017-08-31 20:59 CEST, Lewis Smith

Description David Walser 2017-08-13 17:29:20 CEST
Fedora has issued an advisory on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in
pdftocairo in Poppler allows attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
PDF document (CVE-2017-9776).

The function GfxImageColorMap::getGray in GfxState.cc in Poppler allows
attackers to cause a denial of service (stack-based buffer over-read and
application crash) via a crafted PDF document, related to missing color-map
validation in ImageOutputDev.cc (CVE-2017-9865).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.1.mga6
libpoppler66-0.52.0-3.1.mga6
libpoppler-devel-0.52.0-3.1.mga6
libpoppler-cpp0-0.52.0-3.1.mga6
libpoppler-qt4-devel-0.52.0-3.1.mga6
libpoppler-qt5-devel-0.52.0-3.1.mga6
libpoppler-qt4_4-0.52.0-3.1.mga6
libpoppler-qt5_1-0.52.0-3.1.mga6
libpoppler-glib8-0.52.0-3.1.mga6
libpoppler-gir0.18-0.52.0-3.1.mga6
libpoppler-glib-devel-0.52.0-3.1.mga6
libpoppler-cpp-devel-0.52.0-3.1.mga6

from poppler-0.52.0-3.1.mga6.src.rpm
David Walser 2017-08-13 17:29:36 CEST

Blocks: (none) => 21038
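
The first advisory item above describes an integer overflow that turns into a heap buffer overflow. The C program below is an added illustration of that bug class and its standard mitigation; it is not poppler's code and does not reproduce the JBIG2Stream.cc defect. It models a hypothetical 1-bit-per-pixel bitmap whose byte count is first computed naively in 32-bit arithmetic (wrapping to a tiny value for crafted dimensions) and then with a checked routine that rejects dimensions whose size would wrap or exceed a caller-supplied cap. The names bitmap_t, naive_bitmap_size, checked_bitmap_size, bitmap_create and bitmap_free, and the 256 MiB cap, are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

/* Hypothetical 1-bit-per-pixel bitmap; illustrative only, not a poppler type. */
typedef struct {
    uint32_t width;
    uint32_t height;
    size_t line_bytes;  /* bytes per row, width rounded up to a whole byte */
    size_t size;        /* total bytes in data */
    uint8_t *data;
} bitmap_t;

/* Naive size computation in 32-bit arithmetic.  Both the "+ 7" and the
 * multiply can wrap, so a crafted width/height pair yields a tiny result;
 * allocating that and then writing width*height pixels into it is the
 * "integer overflow leading to heap buffer overflow" pattern. */
uint32_t naive_bitmap_size(uint32_t width, uint32_t height)
{
    uint32_t line_bytes = (width + 7) / 8;
    return line_bytes * height;  /* silently wraps modulo 2^32 */
}

/* Checked size computation.  Returns the byte count, or 0 if the dimensions
 * are degenerate, would overflow, or exceed max_bytes (a hard cap chosen by
 * the caller; a decoder must not trust file-supplied dimensions). */
size_t checked_bitmap_size(uint32_t width, uint32_t height, size_t max_bytes)
{
    if (width == 0 || height == 0)
        return 0;
    if (width > UINT32_MAX - 7)   /* (width + 7) would wrap in 32 bits */
        return 0;
    size_t line_bytes = ((size_t)width + 7) / 8;
    /* Enforce line_bytes * height <= max_bytes without forming the product. */
    if (line_bytes > max_bytes / height)
        return 0;
    return line_bytes * height;
}

/* Allocate a bitmap only when the checked size is acceptable. */
bitmap_t *bitmap_create(uint32_t width, uint32_t height, size_t max_bytes)
{
    size_t size = checked_bitmap_size(width, height, max_bytes);
    if (size == 0)
        return NULL;
    bitmap_t *bm = calloc(1, sizeof *bm);
    if (bm == NULL)
        return NULL;
    bm->data = calloc(size, 1);
    if (bm->data == NULL) {
        free(bm);
        return NULL;
    }
    bm->width = width;
    bm->height = height;
    bm->line_bytes = size / height;  /* exact: size is line_bytes * height */
    bm->size = size;
    return bm;
}

void bitmap_free(bitmap_t *bm)
{
    if (bm != NULL) {
        free(bm->data);
        free(bm);
    }
}

int main(void)
{
    /* Constructed dimensions: 65536 bytes per row * 65536 rows = 2^32 bytes,
     * which wraps to 0 in 32-bit arithmetic. */
    uint32_t w = 524288u, h = 65536u;
    size_t cap = (size_t)256 * 1024 * 1024;  /* assumed 256 MiB cap */
    printf("naive size:   %u\n", naive_bitmap_size(w, h));
    printf("checked size: %zu (0 = rejected)\n", checked_bitmap_size(w, h, cap));
    bitmap_t *bm = bitmap_create(1024u, 768u, cap);
    printf("1024x768 bitmap: %zu bytes\n", bm ? bm->size : 0);
    bitmap_free(bm);
    return 0;
}
```

The checked routine does the overflow test by division (`line_bytes > max_bytes / height`) rather than by multiplying and comparing, because the product itself is what may wrap; the explicit cap also turns an absurd but non-wrapping dimension into a clean parse error instead of a multi-gigabyte allocation.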

Comment 1 Lewis Smith 2017-08-31 20:55:46 CEST
Before trying M6/64

Looking at what requires poppler (PDF routines), the handiest candidates for testing it seem to me to be 'epdfview':
"ePDFView is a free lightweight PDF document viewer using
Poppler and GTK+ libraries. The aim of ePDFView is to make
a simple PDF document viewer, in the lines of Evince but
without using the Gnome libraries."
and 'cups-pdf', always handy to have for a pseudo-printer. So installed them both, which pulled in poppler. I was surprised that with a 6-desktop M6 Classic installation, poppler was *not* already installed! It offers the following binaries to play with:
 /usr/bin/pdfdetach
 /usr/bin/pdffonts
 /usr/bin/pdfimages
 /usr/bin/pdfinfo
 /usr/bin/pdfseparate
 /usr/bin/pdfsig
 /usr/bin/pdftocairo
 /usr/bin/pdftohtml
 /usr/bin/pdftoppm
 /usr/bin/pdftops
 /usr/bin/pdftotext
 /usr/bin/pdfunite

There is a test case for CVE-2017-9865 which I attach.

CC: (none) => lewyssmith

Comment 3 Herman Viaene 2017-09-01 09:58:53 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
While installing epdfview, found that poppler was already installed. So before updating poppler using above attachment:
$ pdfinfo attachment.cgi 
Title:          file_layout.graffle
Author:         Guillaume Lazzara
Creator:        OmniGraffle Professional 5.1.1
Producer:       Mac OS X 10.5.8 Quartz PDFContext
CreationDate:   Thu Oct  1 14:16:00 2009 CEST
ModDate:        Thu Oct  1 15:21:00 2009 CEST
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      384 x 764 pts
Page rot:       0
File size:      26680 bytes
Optimized:      no
PDF version:    1.3
seems OK
$ epdfview
Gtk-Message: Failed to load module "canberra-gtk-module"

** (epdfview:5873): WARNING **: Couldn't load config file '/home/tester6/.config/epdfview/main.conf': Bestand of map bestaat niet
Seems OK for first run of epdf, document opened and seems normal.
After update did same runs with same results, plus (after renaming attachment.cgi to attachment.pdf just for convenience)
$ pdftotext attachment.pdf attachment.txt
Resulting txt file has all text info from PDF, so OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-09-02 11:12:27 CEST

Whiteboard: MGA6-32-OK => MGA6-32-OK advisory

Comment 4 Lewis Smith 2017-09-02 11:19:31 CEST
I propose to test this for M6/64-bit.

Comment 5 Lewis Smith 2017-09-03 11:00:03 CEST
Testing Mageia 6 x64 using epdfview

BEFORE UPDATE
 poppler-0.52.0-3.mga6
 lib64poppler66-0.52.0-3.mga6
 lib64poppler-glib8-0.52.0-3.mga6
 lib64poppler-qt5_1-0.52.0-3.mga6
Same result as Comment 3 [test file cited]:
 $ epdfview stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf 
...
** (epdfview:5001): WARNING **: Couldn't load config file '/home/lewis/.config/epdfview/main.conf': No such file or directory

This error only showed if the filename is given on the command line. Just launching epdfview and opening a file from its GUI does not throw the error.
But the test case did (alas) display correctly. Also genuine PDF documents.

 $ strace epdfview 2>&1 | grep poppler
 open("/lib64/libpoppler-glib.so.8", O_RDONLY|O_CLOEXEC) = 3
 open("/lib64/libpoppler.so.66", O_RDONLY|O_CLOEXEC) = 3
shows these 2 libraries at least are invoked.

AFTER UPDATE
 poppler-0.52.0-3.1.mga6
 lib64poppler-qt5_1-0.52.0-3.1.mga6
 lib64poppler66-0.52.0-3.1.mga6
 lib64poppler-glib8-0.52.0-3.1.mga6

 $ epdfview tmp/stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf
did not show the previous WARNING. Again this test file, and other genuine PDFs, displayed correctly. Same library accesses:
 open("/lib64/libpoppler-glib.so.8", O_RDONLY|O_CLOEXEC) = 3
 open("/lib64/libpoppler.so.66", O_RDONLY|O_CLOEXEC) = 3

OKing & validating.

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK advisory => MGA6-32-OK advisory MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Nicolas Lécureuil 2017-09-03 16:12:44 CEST
Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs…              (None found)
Checking SRPMs…                       (5/core/poppler-0.52.0-3.1.mga6)


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 7 David Walser 2017-09-03 16:23:01 CEST
Fixed.

Keywords: (none) => validated_update

Comment 8 Mageia Robot 2017-09-03 17:11:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0329.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

