Ubuntu has issued an advisory on October 6:
https://usn.ubuntu.com/usn/usn-3440-1/

Mageia 5 and Mageia 6 are also affected (a couple issues may not affect Mageia 5).

New CVEs we haven't seen before are:
CVE-2017-14518
CVE-2017-14617
CVE-2017-1492[689]
CVE-2017-1497[57]
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since it has no registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => pkg-bugs
Assignee: pkg-bugs => nicolas.salguero
CC: (none) => nicolas.salguero
Mga5 is not affected by CVE-2017-14926 and CVE-2017-14928.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Poppler 0.59.0, a floating point exception exists in the isImageInterpolationRequired() function in Splash.cc via a crafted PDF document. (CVE-2017-14518)

In Poppler 0.59.0, a floating point exception occurs in the ImageStream class in Stream.cc, which may lead to a potential attack when handling malicious PDF files. (CVE-2017-14617)

In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Content::Content in Annot.cc via a crafted PDF document. (CVE-2017-14926)

In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Configuration::Configuration in Annot.cc via a crafted PDF document. (CVE-2017-14928)

In Poppler 0.59.0, memory corruption occurs in a call to Object::dictLookup() in Object.h after a repeating series of Gfx::display, Gfx::go, Gfx::execOp, Gfx::opFill, Gfx::doPatternFill, Gfx::doTilingPatternFill and Gfx::drawForm calls (aka a Gfx.cc infinite loop), a different vulnerability than CVE-2017-14519. (CVE-2017-14929)

The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a NULL pointer dereference vulnerability because a data structure is not initialized, which allows an attacker to launch a denial of service attack. (CVE-2017-14975)

The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler 0.59.0 has a NULL pointer dereference vulnerability due to lack of validation of a table pointer, which allows an attacker to launch a denial of service attack. (CVE-2017-14977)

References:
========================
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14926
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14977
https://usn.ubuntu.com/usn/usn-3440-1/

Updated packages in 5/core/updates_testing:
========================
poppler-0.26.5-2.5.mga5
lib(64)poppler46-0.26.5-2.5.mga5
lib(64)poppler-devel-0.26.5-2.5.mga5
lib(64)poppler-cpp0-0.26.5-2.5.mga5
lib(64)poppler-qt4-devel-0.26.5-2.5.mga5
lib(64)poppler-qt5-devel-0.26.5-2.5.mga5
lib(64)poppler-qt4_4-0.26.5-2.5.mga5
lib(64)poppler-qt5_1-0.26.5-2.5.mga5
lib(64)poppler-glib8-0.26.5-2.5.mga5
lib(64)poppler-gir0.18-0.26.5-2.5.mga5
lib(64)poppler-glib-devel-0.26.5-2.5.mga5
lib(64)poppler-cpp-devel-0.26.5-2.5.mga5

from SRPMS:
poppler-0.26.5-2.5.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
poppler-0.52.0-3.3.mga6
lib(64)poppler66-0.52.0-3.3.mga6
lib(64)poppler-devel-0.52.0-3.3.mga6
lib(64)poppler-cpp0-0.52.0-3.3.mga6
lib(64)poppler-qt4-devel-0.52.0-3.3.mga6
lib(64)poppler-qt5-devel-0.52.0-3.3.mga6
lib(64)poppler-qt4_4-0.52.0-3.3.mga6
lib(64)poppler-qt5_1-0.52.0-3.3.mga6
lib(64)poppler-glib8-0.52.0-3.3.mga6
lib(64)poppler-gir0.18-0.52.0-3.3.mga6
lib(64)poppler-glib-devel-0.52.0-3.3.mga6
lib(64)poppler-cpp-devel-0.52.0-3.3.mga6

from SRPMS:
poppler-0.52.0-3.3.mga6.src.rpm
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
MGA6 x86_64

rpm -qa | grep poppler
lib64poppler-devel-0.52.0-3.3.mga6
poppler-0.52.0-3.3.mga6
lib64poppler-glib8-0.52.0-3.3.mga6
lib64poppler-cpp0-0.52.0-3.3.mga6
poppler-data-0.4.7-4.mga6
lib64poppler66-0.52.0-3.3.mga6
lib64poppler-cpp-devel-0.52.0-3.3.mga6
lib64poppler-qt5_1-0.52.0-3.3.mga6

Tested different commands on a single-page PDF file and saw no errors.
CC: (none) => smelror
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Testing this on mga5::x86_64
CC: (none) => tarazed25
Created attachment 9730: POC tests before updating

Most of the tests produce a result but unfortunately the tests after the updates produced the same output apart from the last two so there is little point in posting them. My conclusion is that they are not very useful and other testers should not follow the same path.
Installed these via MageiaUpdate
- lib64poppler-glib8-0.26.5-2.5.mga5.x86_64
- lib64poppler46-0.26.5-2.5.mga5.x86_64
- poppler-0.26.5-2.5.mga5.x86_64
Installed the rest individually (it is possible that the behaviour of the PoCs was influenced by the absence of these packages, I suppose).

Ran the PoC tests again and observed the same output as before for all but the last two where the crashes were avoided.

CVE-2017-14975
$ pdftops crash.pdf crash.ps
Syntax Error: FoFiType1C::convertToType0 without privateDicts

CVE-2017-14977
$ pdftops -level3 -origpagesizes -form -opi -binary -expand -duplex null3.pdf 1.ps
..............................
Syntax Error (220556): Dictionary key must be a name object
Syntax Error (220563): Dictionary key must be a name object

Attaching the test results for the before updates scenario.

Used the tools to check for regressions.

$ pdfdetach -list StatisticsDoneWrong.pdf
0 embedded files

$ pdffonts UsingDocker.pdf
Syntax Warning: Invalid Font Weight
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
DYEOYP+GuardianSans-Regular          Type 1C           WinAnsi          yes yes yes   6058  0
DYEOYP+URWTypewriterTOT-LigNar       Type 1C           Custom           yes yes
....... and more of the same.

$ pdfimages -png pragpub-2013-06.pdf test
$ ls test*
test-000.png test-006.png test-012.png test-018.png test-024.png
test-001.png test-007.png test-013.png test-019.png test-025.png
test-002.png test-008.png test-014.png test-020.png test-026.png
test-003.png test-009.png test-015.png test-021.png test-027.png
test-004.png test-010.png test-016.png test-022.png test-028.png
test-005.png test-011.png test-017.png test-023.png
All valid images.

$ pdfinfo working-with-ruby-threads_p1_0.pdf
Title:          Working With Ruby Threads
Subject:        [Your book description]
Keywords:       [Your book keywords (comma-separated)]
Author:         Jesse Storimer
Creator:        The Pragmatic Bookshelf
Producer:       Gerbil #592983
...............
PDF version:    1.4

$ pdfseparate -f 7 -l 12 ModernTkinter.pdf Tk_%d
$ ls Tk_*
Tk_10 Tk_11 Tk_12 Tk_7 Tk_8 Tk_9
$ file Tk_10
Tk_10: PDF document, version 1.5
All extracted pages could be viewed in a PDF viewer.

$ pdftocairo -eps Tk_7 page7.ps # rendered OK by gs
$ pdftocairo -jpeg Tk_8 page8
$ eom page8-1.jpg # Clear image
$ pdftoppm Tk_9 page9
$ eom page9-1.ppm # Looked fine
$ pdftohtml UsingDocker.pdf abc.html
That produced a complete log of operations over several terminal pages and three HTML files, header, contents and index, viewable in a browser. The conversion looked complete - page index at the side, fulltext with URL links and text hyperlinks.

Everything is still working - OK for 64 bits.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
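A scripted version of the regression checks above, added here as an example (it is not from the bug report, the tester, or Mageia QA). It assumes the poppler tools are on PATH, skips any that are not, and tells a clean "Syntax Error" rejection (the post-fix behaviour seen with pdftops) apart from a signal-killed crash (the pre-fix behaviour of the NULL dereference and floating point exception bugs):

```shell
#!/bin/sh
# Added example, not part of the bug report: runs the installed poppler command-line tools
# over the PDFs given on the command line and classifies each run as OK, SYNTAX (poppler
# rejected the input cleanly, like the "Syntax Error" pdftops prints after the fix), ERROR
# (some other nonzero exit) or CRASH (killed by a signal, e.g. SIGSEGV from a NULL
# dereference or SIGFPE from a floating point exception, the failure modes of these CVEs).

# classify_run CMD [ARG...]: run CMD with stdout discarded, print a verdict line and
# return 0 for OK, 1 for SYNTAX, 2 for CRASH, 3 for ERROR.
classify_run() {
    status=0
    err=$("$@" 2>&1 >/dev/null) || status=$?
    if [ "$status" -gt 128 ]; then            # 128+N means killed by signal N
        echo "CRASH (signal $((status - 128)))"
        return 2
    fi
    case "$err" in
        *"Syntax Error"*)
            echo "SYNTAX: $(printf '%s\n' "$err" | grep 'Syntax Error' | head -n 1)"
            return 1 ;;
    esac
    if [ "$status" -ne 0 ]; then
        echo "ERROR (exit $status)"
        return 3
    fi
    echo "OK"
    return 0
}

# run_regression PDF...: exercise every read-only tool that is installed on every PDF.
# Prints one line per (tool, file) pair; the return value is the number of crashes seen.
run_regression() {
    crashes=0
    for pdf in "$@"; do
        for tool in pdfinfo pdffonts pdfdetach pdfimages pdftotext pdftops; do
            command -v "$tool" >/dev/null 2>&1 || continue   # not installed: skip
            rc=0
            case "$tool" in
                pdfdetach|pdfimages) verdict=$(classify_run "$tool" -list "$pdf") || rc=$? ;;
                pdftotext|pdftops)   verdict=$(classify_run "$tool" "$pdf" /dev/null) || rc=$? ;;
                *)                   verdict=$(classify_run "$tool" "$pdf") || rc=$? ;;
            esac
            printf '%-10s %-40s %s\n' "$tool" "$pdf" "$verdict"
            [ "$rc" -eq 2 ] && crashes=$((crashes + 1))
        done
    done
    return "$crashes"
}

if [ $# -gt 0 ]; then run_regression "$@"; fi
```

Run it once before and once after installing the updated packages on the same set of PDFs; any row whose verdict changes from CRASH to SYNTAX or OK confirms the fix, and any new CRASH or ERROR row is a regression worth reporting.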
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0378.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED