Fedora has issued advisories on June 1 and 2:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L55T5FH6FBU2WLBJQ7KYCCCBDZWXYYPV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5PEMORW4R6NMXQZD2RYTNE5SIDRRQPZH/

The RedHat bug has links to the upstream bug and commit to fix the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1578777

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patches available from upstream and Fedora
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, nicolas.salguero, smelror
Ubuntu has issued an advisory on May 15: https://usn.ubuntu.com/3647-1/ It also fixes one additional issue.
Summary: poppler new security issue CVE-2017-18267 => poppler new security issue CVE-2017-18267 and CVE-2018-10768
Summary: poppler new security issue CVE-2017-18267 and CVE-2018-10768 => poppler new security issues CVE-2017-18267 and CVE-2018-10768
Severity: normal => major
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops. (CVE-2017-18267)

There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h in an Ubuntu package for Poppler 0.24.5. A crafted input will lead to a remote denial of service attack. Later Ubuntu packages such as for Poppler 0.41.0 are not affected. (CVE-2018-10768)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10768
https://bugzilla.redhat.com/show_bug.cgi?id=1578777
https://usn.ubuntu.com/3647-1/
========================

Updated package in 5/core/updates_testing:
========================
poppler-0.26.5-2.9.mga5
lib(64)poppler46-0.26.5-2.9.mga5
lib(64)poppler-devel-0.26.5-2.9.mga5
lib(64)poppler-cpp0-0.26.5-2.9.mga5
lib(64)poppler-qt4-devel-0.26.5-2.9.mga5
lib(64)poppler-qt5-devel-0.26.5-2.9.mga5
lib(64)poppler-qt4_4-0.26.5-2.9.mga5
lib(64)poppler-qt5_1-0.26.5-2.9.mga5
lib(64)poppler-glib8-0.26.5-2.9.mga5
lib(64)poppler-gir0.18-0.26.5-2.9.mga5
lib(64)poppler-glib-devel-0.26.5-2.9.mga5
lib(64)poppler-cpp-devel-0.26.5-2.9.mga5

from SRPMS:
poppler-0.26.5-2.9.mga5.src.rpm

Updated package in 6/core/updates_testing:
========================
poppler-0.52.0-3.7.mga6
lib(64)poppler66-0.52.0-3.7.mga6
lib(64)poppler-devel-0.52.0-3.7.mga6
lib(64)poppler-cpp0-0.52.0-3.7.mga6
lib(64)poppler-qt4-devel-0.52.0-3.7.mga6
lib(64)poppler-qt5-devel-0.52.0-3.7.mga6
lib(64)poppler-qt4_4-0.52.0-3.7.mga6
lib(64)poppler-qt5_1-0.52.0-3.7.mga6
lib(64)poppler-glib8-0.52.0-3.7.mga6
lib(64)poppler-gir0.18-0.52.0-3.7.mga6
lib(64)poppler-glib-devel-0.52.0-3.7.mga6
lib(64)poppler-cpp-devel-0.52.0-3.7.mga6

from SRPMS:
poppler-0.52.0-3.7.mga6.src.rpm
Whiteboard: MGA6TOO => MGA5TOO
Status: NEW => ASSIGNED
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-18267, CVE-2018-10768
Mageia 5, x86_64

Before updating:

CVE-2017-18267
https://bugzilla.freedesktop.org/show_bug.cgi?id=103238
$ pdftops crash_heap.pdf out
Segmentation fault

CVE-2018-10768
https://bugs.freedesktop.org/show_bug.cgi?id=106408
$ pdftohtml POC_poppler.pdf out
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: Bad Annot Path
Syntax Error: Bad Annot Path
Segmentation fault

12 packages updated.

After update:

$ pdftops crash_heap.pdf out
$ file out
out: PostScript document text conforming DSC level 3.0, Level 2
The PostScript file is empty - to be expected.

$ pdftohtml POC_poppler.pdf out
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: Bad Annot Path
Syntax Error: Bad Annot Path
Page-1
This looks like a good result as well. No output file in this case.

Referring to a previous report (cannot locate bug number) the utilities pdfdetach, pdffonts, pdfimages, pdfinfo, pdfseparate, pdfsig, pdftocairo, pdftohtml, pdftoppm, pdftops, pdftotext, pdfunite should be available. All but pdfsig turn up in the output from 'ls /bin/pdf*'.

Could not find any PDF documents with attachments here. This was typical:
$ pdfdetach -list utility_qflash_uefi.pdf
0 embedded files

$ pdffonts ThinkPython_2ndEdition.pdf
Syntax Warning: Invalid Font Weight
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
VIXFZF+GuardianSans-Regular          Type 1C           WinAnsi          yes yes yes   7703  0
VIXFZF+URWTypewriterTOTThinNar       Type 1C           WinAnsi          yes yes yes   7704  0
VIXFZF+GuardianSansNarrow-Regular    Type 1C           WinAnsi          yes yes yes   7705  0
[...]

$ pdfimages -f 2 -l 8 -png pragpub-2013-02.pdf test
This extracted 9 images test-000.png to test-008.png which all corresponded with images displayed on pages 2 to 8. The first 6 were on the contents page.

$ pdfseparate -f 8 -l 15 StatisticsDoneWrong.pdf stats_%d
[lcl@difda books]$ ll stats*
-rw-r--r-- 1 lcl lcl   11971 Jun 19 18:30 stats_10
-rw-r--r-- 1 lcl lcl 3568245 Jun 19 18:30 stats_11
-rw-r--r-- 1 lcl lcl   11971 Jun 19 18:30 stats_12
-rw-r--r-- 1 lcl lcl 3568363 Jun 19 18:30 stats_13
-rw-r--r-- 1 lcl lcl 3568392 Jun 19 18:30 stats_14
-rw-r--r-- 1 lcl lcl 3568352 Jun 19 18:30 stats_15
-rw-r--r-- 1 lcl lcl   11971 Jun 19 18:30 stats_8
-rw-r--r-- 1 lcl lcl   24817 Jun 19 18:30 stats_9
These were all single page PDF documents corresponding to pages 8 to 15.

$ pdftocairo -jpeg stats_14 stats14
$ display stats14-1.jpg
One of the contents pages from StatisticsDoneWrong displayed as a JPEG image.

$ pdftoppm stats_11 abc
$ display abc-1.ppm
This showed Brief Contents image from the same book.

Leaving it there. The utilities work as far as they have been tested and the PoC tests are good.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
Mageia 6, x86_64

Installed some missing development packages and then carried out similar tests to those in comment 4.

Before updating, the first PoC test segfaulted in the same way but the second echoed the after update result from comment 4. That indicates that the DoS vulnerability covered by CVE-2018-10768 had already been fixed in Mageia 6.

Clean update.

CVE-2017-18267
$ pdftops crash_heap.pdf out
$
Good result. 'gs out' showed a blank page.

$ pdfdetach -list Table_Layout_in_CSS.pdf
0 embedded files

Followed the same pattern as comment 4 for testing the same utilities in the same directory but not all on the same PDFs, e.g.

$ pdfimages -f 2 -l 8 PythonProjectsForKids.pdf kids
$ ll kids*
-rw-r--r-- 1 lcl lcl 60854 Jun 19 19:25 kids-000.ppm
-rw-r--r-- 1 lcl lcl 60854 Jun 19 19:25 kids-001.ppm

$ pdftocairo -ps sdw_14 sdw14
$ file sdw14
sdw14: PostScript document text conforming DSC level 3.0, Level 2

$ pdftocairo -eps sdw_13 sdw13
file sdw13
sdw13: PostScript document text conforming DSC level 3.0, type EPS, Level 2

$ pdfinfo metaprogramming-ruby-2_p3_0.pdf
Title:          Metaprogramming Ruby 2
Author:         Paolo Perrotta
Creator:        The Pragmatic Bookshelf
Producer:       Gerbil #474326
CreationDate:   Sat Aug 6 16:17:08 2016 BST
ModDate:        Sat Aug 6 16:17:08 2016 BST
Tagged:         no
UserProperties: no
Suspects:       no
Form:           none
JavaScript:     no
Pages:          264
Encrypted:      no
Page size:      540 x 648 pts
Page rot:       0
File size:      7051466 bytes
Optimized:      no
PDF version:    1.5

Looks like the reported issues have been dealt with and the utilities work.
Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK
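One way to script the before/after PoC check carried out by hand in the two QA comments above, as an added example that is not part of the original thread. The function names classify_run and verdict are hypothetical, and the script assumes timeout(1) from GNU coreutils; the PoC file names in the usage comment are the ones quoted in the comments and are not included here.

```shell
#!/bin/sh
# Added example: record how a PoC run ended so the result before and after
# an update can be compared mechanically instead of by reading the terminal.

# classify_run LIMIT_SECONDS CMD [ARGS...]
# Prints one of: ok | error:<exit code> | timeout | signal:<number>
classify_run() {
    local limit=$1; shift
    local rc=0
    # timeout(1) exits 124 when the limit is reached; a child killed by a
    # signal is reported to the shell as 128 + signal number (139 = SIGSEGV).
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "ok"
    elif [ "$rc" -eq 124 ]; then
        echo "timeout"
    elif [ "$rc" -gt 128 ]; then
        echo "signal:$((rc - 128))"
    else
        echo "error:$rc"
    fi
}

# verdict BEFORE AFTER
# Compares two classify_run results for the same PoC file.
verdict() {
    local before=$1 after=$2
    case "$after" in
        signal:*|timeout) echo "still-crashing"; return ;;
    esac
    case "$before" in
        # Crash or hang before the update, clean handling after it.
        signal:*|timeout) echo "fixed" ;;
        # No crash before the update either, as with the second PoC on
        # Mageia 6: the update cannot be credited with the fix.
        *) echo "not-reproduced" ;;
    esac
}

# Usage with the PoC names from the comments above:
#   before=$(classify_run 30 pdftops crash_heap.pdf out)
#   ... install the packages from updates_testing ...
#   after=$(classify_run 30 pdftops crash_heap.pdf out)
#   verdict "$before" "$after"
```

A non-zero exit after the update is reported as error:<code> rather than a failure, since rejecting a malformed file with syntax errors is acceptable handling; only a signal or a hang counts as still crashing.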
Advisoried. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0290.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED