Bug 23138 - poppler new security issues CVE-2017-18267 and CVE-2018-10768
Summary: poppler new security issues CVE-2017-18267 and CVE-2018-10768
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-07 22:31 CEST by David Walser
Modified: 2018-06-20 01:43 CEST (History)
6 users

See Also:
Source RPM: poppler-0.63.0-2.mga7.src.rpm
CVE: CVE-2017-18267, CVE-2018-10768
Status comment: Patches available from upstream and Fedora



David Walser 2018-06-07 22:31:28 CEST

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patches available from upstream and Fedora

Comment 1 Marja Van Waes 2018-06-08 21:24:22 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, nicolas.salguero, smelror

Comment 2 David Walser 2018-06-08 22:23:47 CEST
Ubuntu has issued an advisory on May 15:
https://usn.ubuntu.com/3647-1/

It also fixes one additional issue.

Summary: poppler new security issue CVE-2017-18267 => poppler new security issue CVE-2017-18267 and CVE-2018-10768

David Walser 2018-06-08 22:24:21 CEST

Summary: poppler new security issue CVE-2017-18267 and CVE-2018-10768 => poppler new security issues CVE-2017-18267 and CVE-2018-10768
Severity: normal => major

Comment 3 Nicolas Salguero 2018-06-19 13:28:14 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops. (CVE-2017-18267)

There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h in an Ubuntu package for Poppler 0.24.5. A crafted input will lead to a remote denial of service attack. Later Ubuntu packages such as for Poppler 0.41.0 are not affected. (CVE-2018-10768)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10768
https://bugzilla.redhat.com/show_bug.cgi?id=1578777
https://usn.ubuntu.com/3647-1/
========================

Updated package in 5/core/updates_testing:
========================
poppler-0.26.5-2.9.mga5
lib(64)poppler46-0.26.5-2.9.mga5
lib(64)poppler-devel-0.26.5-2.9.mga5
lib(64)poppler-cpp0-0.26.5-2.9.mga5
lib(64)poppler-qt4-devel-0.26.5-2.9.mga5
lib(64)poppler-qt5-devel-0.26.5-2.9.mga5
lib(64)poppler-qt4_4-0.26.5-2.9.mga5
lib(64)poppler-qt5_1-0.26.5-2.9.mga5
lib(64)poppler-glib8-0.26.5-2.9.mga5
lib(64)poppler-gir0.18-0.26.5-2.9.mga5
lib(64)poppler-glib-devel-0.26.5-2.9.mga5
lib(64)poppler-cpp-devel-0.26.5-2.9.mga5

from SRPMS:
poppler-0.26.5-2.9.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
poppler-0.52.0-3.7.mga6
lib(64)poppler66-0.52.0-3.7.mga6
lib(64)poppler-devel-0.52.0-3.7.mga6
lib(64)poppler-cpp0-0.52.0-3.7.mga6
lib(64)poppler-qt4-devel-0.52.0-3.7.mga6
lib(64)poppler-qt5-devel-0.52.0-3.7.mga6
lib(64)poppler-qt4_4-0.52.0-3.7.mga6
lib(64)poppler-qt5_1-0.52.0-3.7.mga6
lib(64)poppler-glib8-0.52.0-3.7.mga6
lib(64)poppler-gir0.18-0.52.0-3.7.mga6
lib(64)poppler-glib-devel-0.52.0-3.7.mga6
lib(64)poppler-cpp-devel-0.52.0-3.7.mga6

from SRPMS:
poppler-0.52.0-3.7.mga6.src.rpm

Whiteboard: MGA6TOO => MGA5TOO
Status: NEW => ASSIGNED
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-18267, CVE-2018-10768

Comment 4 Len Lawrence 2018-06-19 19:53:34 CEST
Mageia 5, x86_64

Before updating:

CVE-2017-18267
https://bugzilla.freedesktop.org/show_bug.cgi?id=103238
$ pdftops crash_heap.pdf out
Segmentation fault

CVE-2018-10768
https://bugs.freedesktop.org/show_bug.cgi?id=106408
$ pdftohtml POC_poppler.pdf out
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: Bad Annot Path
Syntax Error: Bad Annot Path
Segmentation fault

12 packages updated.

After update:

$ pdftops crash_heap.pdf out
$ file out
out: PostScript document text conforming DSC level 3.0, Level 2

The PostScript file is empty - to be expected.

$ pdftohtml POC_poppler.pdf out
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: Bad Annot Path
Syntax Error: Bad Annot Path
Page-1

This looks like a good result as well.  No output file in this case.

Referring to a previous report (cannot locate bug number) the utilities 
pdfdetach, pdffonts, pdfimages, pdfinfo, pdfseparate, pdfsig, pdftocairo, pdftohtml, pdftoppm, pdftops, pdftotext, pdfunite should be available.  All but pdfsig turn up in the output from 'ls /bin/pdf*'.

Could not find any PDF documents with attachments here.  This was typical:
$ pdfdetach -list utility_qflash_uefi.pdf
0 embedded files

$ pdffonts ThinkPython_2ndEdition.pdf
Syntax Warning: Invalid Font Weight
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
VIXFZF+GuardianSans-Regular          Type 1C           WinAnsi          yes yes yes   7703  0
VIXFZF+URWTypewriterTOTThinNar       Type 1C           WinAnsi          yes yes yes   7704  0
VIXFZF+GuardianSansNarrow-Regular    Type 1C           WinAnsi          yes yes yes   7705  0
[...]

$ pdfimages -f 2 -l 8 -png pragpub-2013-02.pdf test
This extracted 9 images test-000.png to test-008.png which all corresponded with images displayed on pages 2 to 8.  The first 6 were on the contents page.

$ pdfseparate -f 8 -l 15 StatisticsDoneWrong.pdf stats_%d
[lcl@difda books]$ ll stats*
-rw-r--r-- 1 lcl lcl   11971 Jun 19 18:30 stats_10
-rw-r--r-- 1 lcl lcl 3568245 Jun 19 18:30 stats_11
-rw-r--r-- 1 lcl lcl   11971 Jun 19 18:30 stats_12
-rw-r--r-- 1 lcl lcl 3568363 Jun 19 18:30 stats_13
-rw-r--r-- 1 lcl lcl 3568392 Jun 19 18:30 stats_14
-rw-r--r-- 1 lcl lcl 3568352 Jun 19 18:30 stats_15
-rw-r--r-- 1 lcl lcl   11971 Jun 19 18:30 stats_8
-rw-r--r-- 1 lcl lcl   24817 Jun 19 18:30 stats_9
These were all single page PDF documents corresponding to pages 8 to 15.

$ pdftocairo -jpeg stats_14 stats14
$ display stats14-1.jpg
One of the contents pages from StatisticsDoneWrong displayed as a JPEG image.

$ pdftoppm stats_11 abc
$ display abc-1.ppm
This showed Brief Contents image from the same book.

Leaving it there.  The utilities work as far as they have been tested and the PoC tests are good.

CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
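The before/after PoC checks in comment 4 can be scripted so that a hang (the infinite recursion of CVE-2017-18267) and a crash (the NULL dereference of CVE-2018-10768) are reported distinctly from a plain "Syntax Error" rejection. This is an added example, not part of the bug report; it assumes coreutils timeout(1) is available, and the PoC file names in the usage comment are placeholders for local copies.

```shell
#!/bin/sh
# Added example, not from the bug report: script the before/after PoC checks
# from comment 4. Assumes coreutils timeout(1); PoC file names are placeholders.

# run_poc <seconds> <command...>
# Prints: ok | timeout | crash:<signal> | error:<exit code>
#   timeout  -> the hang expected from the CVE-2017-18267 infinite recursion
#   crash:11 -> SIGSEGV, as seen for the CVE-2018-10768 NULL dereference
#   error:N  -> poppler rejected the file but did not crash (a good result)
run_poc() {
    secs=$1; shift
    if timeout "$secs" "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ]; then
        echo timeout                  # timeout(1) killed the child
    elif [ "$rc" -gt 128 ]; then
        echo "crash:$((rc - 128))"    # child terminated by a signal
    else
        echo "error:$rc"
    fi
}

# check_tools: print the utilities from comment 4's list that are missing from PATH
check_tools() {
    missing=""
    for t in pdfdetach pdffonts pdfimages pdfinfo pdfseparate pdfsig \
             pdftocairo pdftohtml pdftoppm pdftops pdftotext pdfunite; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    echo "${missing# }"
}

# Usage, mirroring comment 4 (placeholder file names):
#   run_poc 20 pdftops   crash_heap.pdf  out
#   run_poc 20 pdftohtml POC_poppler.pdf out
#   check_tools
```

Before the update both PoCs should classify as crash:11, and after it as ok or error:N; a timeout after the update would mean the recursion fix did not take.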

Comment 5 Len Lawrence 2018-06-19 20:46:39 CEST
Mageia 6, x86_64

Installed some missing development packages and then carried out similar tests to those in comment 4.

Before updating, the first PoC test segfaulted in the same way but the second echoed the after update result from comment 4.  That indicates that the DoS vulnerability covered by CVE-2018-10768 had already been fixed in Mageia 6.

Clean update.

CVE-2017-18267
$ pdftops crash_heap.pdf out
$
Good result.  'gs out' showed a blank page.

$ pdfdetach -list Table_Layout_in_CSS.pdf 
0 embedded files

Followed the same pattern as comment 4 for testing the same utilities in the same directory but not all on the same PDFs.
e.g.
$ pdfimages -f 2 -l 8 PythonProjectsForKids.pdf kids
$ ll kids*
-rw-r--r-- 1 lcl lcl 60854 Jun 19 19:25 kids-000.ppm
-rw-r--r-- 1 lcl lcl 60854 Jun 19 19:25 kids-001.ppm

$ pdftocairo -ps sdw_14 sdw14
$ file sdw14
sdw14: PostScript document text conforming DSC level 3.0, Level 2
$ pdftocairo -eps sdw_13 sdw13
$ file sdw13
sdw13: PostScript document text conforming DSC level 3.0, type EPS, Level 2

$ pdfinfo metaprogramming-ruby-2_p3_0.pdf
Title:          Metaprogramming Ruby 2
Author:         Paolo Perrotta
Creator:        The Pragmatic Bookshelf
Producer:       Gerbil #474326
CreationDate:   Sat Aug  6 16:17:08 2016 BST
ModDate:        Sat Aug  6 16:17:08 2016 BST
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          264
Encrypted:      no
Page size:      540 x 648 pts
Page rot:       0
File size:      7051466 bytes
Optimized:      no
PDF version:    1.5

Looks like the reported issues have been dealt with and the utilities work.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 6 claire robinson 2018-06-19 21:30:39 CEST
Advisoried. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-06-20 01:43:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0290.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
