Fedora has issued an advisory on July 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated poppler packages fix security vulnerabilities:

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in pdftocairo in Poppler allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document (CVE-2017-9776).

The function GfxImageColorMap::getGray in GfxState.cc in Poppler allows attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in ImageOutputDev.cc (CVE-2017-9865).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.1.mga6
libpoppler66-0.52.0-3.1.mga6
libpoppler-devel-0.52.0-3.1.mga6
libpoppler-cpp0-0.52.0-3.1.mga6
libpoppler-qt4-devel-0.52.0-3.1.mga6
libpoppler-qt5-devel-0.52.0-3.1.mga6
libpoppler-qt4_4-0.52.0-3.1.mga6
libpoppler-qt5_1-0.52.0-3.1.mga6
libpoppler-glib8-0.52.0-3.1.mga6
libpoppler-gir0.18-0.52.0-3.1.mga6
libpoppler-glib-devel-0.52.0-3.1.mga6
libpoppler-cpp-devel-0.52.0-3.1.mga6

from poppler-0.52.0-3.1.mga6.src.rpm
Blocks: (none) => 21038
Before trying M6/64

Looking at what requires poppler (PDF routines), the handiest candidates for testing it seem to me 'epdfview':
"ePDFView is a free lightweight PDF document viewer using Poppler and GTK+ libraries. The aim of ePDFView is to make a simple PDF document viewer, in the lines of Evince but without using the Gnome libraries."
and 'cups-pdf', always handy to have for a pseudo-printer. So installed them both, which pulled in poppler. I was surprised that with a 6-desktop M6 Classic installation, poppler was *not* already installed! It offers the following binaries to play with:
/usr/bin/pdfdetach
/usr/bin/pdffonts
/usr/bin/pdfimages
/usr/bin/pdfinfo
/usr/bin/pdfseparate
/usr/bin/pdfsig
/usr/bin/pdftocairo
/usr/bin/pdftohtml
/usr/bin/pdftoppm
/usr/bin/pdftops
/usr/bin/pdftotext
/usr/bin/pdfunite

There is a test case for CVE-2017-9865 which I attach.
CC: (none) => lewyssmith
Created attachment 9652
Test case for CVE-2017-9865

Found at https://bugs.freedesktop.org/show_bug.cgi?id=100774
-> https://bugs.freedesktop.org/attachment.cgi?id=131001
MGA6-32 on Asus A6000VM MATE
No installation issues.
While installing epdf, found that poppler was already installed.
So before updating poppler using above attachment:

$ pdfinfo attachment.cgi
Title:          file_layout.graffle
Author:         Guillaume Lazzara
Creator:        OmniGraffle Professional 5.1.1
Producer:       Mac OS X 10.5.8 Quartz PDFContext
CreationDate:   Thu Oct 1 14:16:00 2009 CEST
ModDate:        Thu Oct 1 15:21:00 2009 CEST
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          1
Encrypted:      no
Page size:      384 x 764 pts
Page rot:       0
File size:      26680 bytes
Optimized:      no
PDF version:    1.3

seems OK

$ epdfview
Gtk-Message: Failed to load module "canberra-gtk-module"
** (epdfview:5873): WARNING **: Couldn't load config file '/home/tester6/.config/epdfview/main.conf': Bestand of map bestaat niet

Seems OK for first run of epdf, document opened and seems normal.

After update did same runs with same results, plus (after renaming attachment.cgi to attachment.pdf just for convenience)

$ pdftotext attachment.pdf attachment.txt

Resulting txt file has all text info from PDF, so OK for me.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Whiteboard: MGA6-32-OK => MGA6-32-OK advisory
I propose to test this for M6/64-bit.
Testing Mageia 6 x64 using epdfview

BEFORE UPDATE
poppler-0.52.0-3.mga6
lib64poppler66-0.52.0-3.mga6
lib64poppler-glib8-0.52.0-3.mga6
lib64poppler-qt5_1-0.52.0-3.mga6

Same result as Comment 3 [test file cited]:

$ epdfview stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf
...
** (epdfview:5001): WARNING **: Couldn't load config file '/home/lewis/.config/epdfview/main.conf': No such file or directory

This error only showed if the filename is given on the command line. Just launching epdfview and opening a file from its GUI does not throw the error. But the test case did (alas) display correctly. Also genuine PDF documents.

$ strace epdfview 2>&1 | grep poppler
open("/lib64/libpoppler-glib.so.8", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpoppler.so.66", O_RDONLY|O_CLOEXEC) = 3

shows these 2 libraries at least are invoked.

AFTER UPDATE
poppler-0.52.0-3.1.mga6
lib64poppler-qt5_1-0.52.0-3.1.mga6
lib64poppler66-0.52.0-3.1.mga6
lib64poppler-glib8-0.52.0-3.1.mga6

$ epdfview tmp/stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf

did not show the previous WARNING. Again this test file, and other genuine PDFs, displayed correctly. Same library accesses:
open("/lib64/libpoppler-glib.so.8", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpoppler.so.66", O_RDONLY|O_CLOEXEC) = 3

OKing & validating.
Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK advisory => MGA6-32-OK advisory MGA6-64-OK
CC: (none) => sysadmin-bugs
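A crash-regression check in the spirit of the before/after runs in the comments above, as an added example that is not part of the original thread: it runs poppler utilities from the list in this report against one test PDF and classifies each exit status, so a process killed by a signal (for example SIGSEGV) is told apart from a clean refusal. The function names and output file names are assumptions.

```sh
#!/bin/sh
# Added example, not from the bug thread. Function names and output file
# names are assumptions; the utilities are those listed in the report.

# Turn an exit status into a verdict. A status above 128 means the process
# was killed by signal (status - 128): 139 = SIGSEGV, 134 = SIGABRT.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        echo "crash:SIG$(kill -l $(($1 - 128)))"
    else
        echo "error:$1"   # clean refusal, e.g. unreadable or malformed file
    fi
}

# Run one command with its output discarded and print the verdict.
run_tool() {
    rt_status=0
    "$@" >/dev/null 2>&1 || rt_status=$?
    classify_status "$rt_status"
}

# Print one result line and remember whether anything crashed.
report() {
    verdict=$(run_tool "$@")
    printf '%-10s %s\n' "$1" "$verdict"
    case $verdict in crash:*) cp_crashed=1 ;; esac
}

# Run the utilities on one PDF; return 1 if any of them crashed.
check_pdf() {
    cp_out=$(mktemp -d) || return 2
    cp_crashed=0
    report pdfinfo "$1"
    report pdffonts "$1"
    report pdftotext "$1" "$cp_out/text.txt"
    report pdfimages "$1" "$cp_out/img"
    report pdftoppm "$1" "$cp_out/page"
    report pdftocairo -png "$1" "$cp_out/cairo"
    report pdftops "$1" "$cp_out/out.ps"
    rm -rf "$cp_out"
    return "$cp_crashed"
}

# Usage: sh check-poppler.sh test-case.pdf
if [ "$#" -gt 0 ]; then
    check_pdf "$1"
fi
```

Running it once before and once after the update gives a per-tool comparison; a viewer opening the file without error does not by itself show that the code named in the advisory (pdftocairo, ImageOutputDev.cc) was exercised.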
Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs… (5/core/poppler-0.52.0-3.1.mga6)

'validated_update' keyword reset.
Keywords: validated_update => (none)
Fixed.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0329.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED