Bug 22377 - poppler new security issue CVE-2017-1000456
Summary: poppler new security issue CVE-2017-1000456
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on: 22352
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-12 15:15 CET by David Walser
Modified: 2018-01-14 17:55 CET (History)
2 users (show)

See Also:
Source RPM: poppler-0.26.5-2.7.mga5.src.rpm
CVE: CVE-2017-1000456
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-01-12 15:15:09 CET 
+++ This bug was initially created as a clone of Bug #22352 +++

Ubuntu has issued an advisory today (January 8):
https://usn.ubuntu.com/usn/usn-3517-1/

It fixes one issue that we haven't yet.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

freedesktop.org libpoppler 0.60.1 fails to validate boundaries in
TextPool::addWord, leading to overflow in subsequent calculations
(CVE-2017-1000456).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000456
https://usn.ubuntu.com/usn/usn-3517-1/
========================

Updated packages in core/updates_testing:
========================
poppler-0.26.5-2.8.mga5
libpoppler46-0.26.5-2.8.mga5
libpoppler-devel-0.26.5-2.8.mga5
libpoppler-cpp0-0.26.5-2.8.mga5
libpoppler-qt4-devel-0.26.5-2.8.mga5
libpoppler-qt5-devel-0.26.5-2.8.mga5
libpoppler-qt4_4-0.26.5-2.8.mga5
libpoppler-qt5_1-0.26.5-2.8.mga5
libpoppler-glib8-0.26.5-2.8.mga5
libpoppler-gir0.18-0.26.5-2.8.mga5
libpoppler-glib-devel-0.26.5-2.8.mga5
libpoppler-cpp-devel-0.26.5-2.8.mga5

from poppler-0.26.5-2.8.mga5.src.rpm
Comment 1 David Walser 2018-01-13 20:11:21 CET 
Repeating the same PoC Len did in:
https://bugs.mageia.org/show_bug.cgi?id=22352#c3

Before:
$ pdftotext 0JBYrSy8_CRASHED.pdf 
Syntax Error: Embedded font file may be invalid
Syntax Error (20431): Unknown operator 'TJJJJJJJJJJJJJJ'
Segmentation fault

After:
$ pdftotext 0JBYrSy8_CRASHED.pdf 
Syntax Error: Embedded font file may be invalid
Syntax Error (20431): Unknown operator 'TJJJJJJJJJJJJJJ'
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Error (17678): Bad 'Length' attribute in stream
Syntax Warning: wordBaseIdx out of range

Looks good on Mageia 5 x86_64.

Whiteboard: (none) => MGA5-64-OK

Comment 2 Len Lawrence 2018-01-13 20:21:26 CET 
Testing on Mageia 5 :: x86_64
Tried the POC before updating:
$ pdftotext 0JBYrSy8_CRASHED.pdf
Syntax Error: Embedded font file may be invalid
Syntax Error (20431): Unknown operator 'TJJJJJJJJJJJJJJ'
Segmentation fault

The POC test file can be traced via the CVE-2017-1000456 link.
Clean update for the 12 packages.
$ pdftotext 0JBYrSy8_CRASHED.pdf
Syntax Error: Embedded font file may be invalid
Syntax Error (20431): Unknown operator 'TJJJJJJJJJJJJJJ'
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Warning: wordBaseIdx out of range
Syntax Error (17678): Bad 'Length' attribute in stream
Syntax Warning: wordBaseIdx out of range

No segfault anyway.

Used an ebook to test the functionality:
$ pdfimages -all PythonCookbook_2.pdf cookbook
[lcl@difda books]$ ls cookbook*
cookbook-000.jp2   cookbook-003.jb2e  cookbook-006.jb2e  cookbook-009.jb2e
cookbook-001.jp2   cookbook-004.jp2   cookbook-007.jb2e
cookbook-002.jb2e  cookbook-005.jb2e  cookbook-008.jb2e
$ display cookbook-000.jp2
$ display cookbook-005.jb2e
display: no decode delegate for this image format `JB2E' @ error/constitute.c/ReadImage/504.
jb2e not recognized by ImageMagick so default to PNG.
$ rm -f cookbook*
$ pdfimages -png PythonCookbook_2.pdf cookbook
$ display cookbook-000.png
$ display cookbook-005.png
All the images displayed correctly.
$ pdfinfo PythonCookbook_2.pdf | grep Pages
Pages:          846
$ pdfseparate -f 11 -l 44 PythonCookbook_2.pdf pages%d.pdf
This produced 34 single page PDFs from pages 11 to 44, e.g. pages26.pdf.
A couple taken at random displayed properly in xpdf and okular.
Create a new pdf based on the extracted pages.
$ pdfunite pages*.pdf pages.pdf
That could be read with a pdf reader and contained the original page numbers.

pdfjam or pdfbook can be used to create books or booklets from a series of images and pdf files, if you can understand the help instructions.  Had to give up on that.

$ pdf2ps -dLanguageLevel=3 pages.pdf pages.ps
created a Postscript file which could be viewed page by page in gs by hitting Return repeatedly.  The pages were exact copies.  In this case the 34 pages translated to a 27 MB file.  Used less to examine it:
%!PS-Adobe-3.0
%%BoundingBox: 0 0 612 792
%%HiResBoundingBox: 0 0 612.00 792.00
%%Creator: GPL Ghostscript 922 (ps2write)
%%LanguageLevel: 2
%%CreationDate: D:20180113191008Z00'00'
%%Pages: 34
%%EndComments
%%BeginProlog
/DSC_OPDFREAD true def
/SetPageSize true def
/EPS2Write false def

This is all good enough for an OK.

Just collided with you David.  Thanks.

CC: (none) => tarazed25

Lewis Smith 2018-01-14 16:57:58 CET

Keywords: (none) => advisory

Comment 3 Lewis Smith 2018-01-14 16:59:03 CET 
Sorry; forgot to validate at the same time.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2018-01-14 17:55:07 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0083.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.