Bug 23865 - poppler new security issues CVE-2018-16646, CVE-2018-1905[89], CVE-2018-19060
Summary: poppler new security issues CVE-2018-16646, CVE-2018-1905[89], CVE-2018-19060
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-11-20 23:40 CET by David Walser
Modified: 2018-11-22 23:27 CET (History)
CC List: 7 users

See Also:
Source RPM: poppler-0.52.0-3.8.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-11-20 23:40:27 CET
Fedora has issued an advisory on November 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FZVNJ2GRWGF3I7A4S4RI4WE7GLYADUX3/

Mageia 6 is also affected.
David Walser 2018-11-20 23:40:32 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-11-22 09:20:44 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing three committers.

CC: (none) => geiger.david68210, marja11, nicolas.salguero, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2018-11-22 10:49:55 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. (CVE-2018-16646)

An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, which will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file. (CVE-2018-19058)

An issue was discovered in Poppler 0.71.0. There is an out-of-bounds read in EmbFile::save2 in FileSpec.cc, which will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts. (CVE-2018-19059)

An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, which will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating a filename of an embedded file before constructing a save path. (CVE-2018-19060)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16646
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19059
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19060
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.9.mga6
lib(64)poppler66-0.52.0-3.9.mga6
lib(64)poppler-devel-0.52.0-3.9.mga6
lib(64)poppler-cpp0-0.52.0-3.9.mga6
lib(64)poppler-qt4-devel-0.52.0-3.9.mga6
lib(64)poppler-qt5-devel-0.52.0-3.9.mga6
lib(64)poppler-qt4_4-0.52.0-3.9.mga6
lib(64)poppler-qt5_1-0.52.0-3.9.mga6
lib(64)poppler-glib8-0.52.0-3.9.mga6
lib(64)poppler-gir0.18-0.52.0-3.9.mga6
lib(64)poppler-glib-devel-0.52.0-3.9.mga6
lib(64)poppler-cpp-devel-0.52.0-3.9.mga6

from SRPMS:
poppler-0.52.0-3.9.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
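
An added example, not part of this bug report or of Mageia's tooling: a small Python script that reads the package list from the suggested advisory above, expands Mageia's `lib(64)` shorthand into the `lib` and `lib64` package names, and compares installed name-version-release strings against the fixed 0.52.0-3.9.mga6 builds using a reimplementation of rpm's `rpmvercmp` ordering. The `INSTALLED_SAMPLE` list is constructed for the example (it stands in for `rpm -qa` output; the 3.8.mga6 entry matches this bug's Source RPM field), the `rpmvercmp` function here is my own reimplementation rather than librpm (epochs and the `^` marker are not handled), and the function names are the example's own.

```python
"""Audit installed poppler packages against the advisory's fixed versions.

Added example (not Mageia's or poppler's code). Assumes the advisory lists
packages as name-version-release with the Mageia "lib(64)" shorthand, and
uses a constructed list in place of real `rpm -qa` output.
"""
import re
from itertools import zip_longest

# Package list copied from the suggested advisory in comment 2.
ADVISORY_PACKAGES = """
poppler-0.52.0-3.9.mga6
lib(64)poppler66-0.52.0-3.9.mga6
lib(64)poppler-devel-0.52.0-3.9.mga6
lib(64)poppler-cpp0-0.52.0-3.9.mga6
lib(64)poppler-qt4-devel-0.52.0-3.9.mga6
lib(64)poppler-qt5-devel-0.52.0-3.9.mga6
lib(64)poppler-qt4_4-0.52.0-3.9.mga6
lib(64)poppler-qt5_1-0.52.0-3.9.mga6
lib(64)poppler-glib8-0.52.0-3.9.mga6
lib(64)poppler-gir0.18-0.52.0-3.9.mga6
lib(64)poppler-glib-devel-0.52.0-3.9.mga6
lib(64)poppler-cpp-devel-0.52.0-3.9.mga6
"""

# Constructed sample standing in for:
#   rpm -qa 'poppler*' 'lib*poppler*' --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
INSTALLED_SAMPLE = [
    "poppler-0.52.0-3.8.mga6",             # the vulnerable build named in this bug's Source RPM
    "lib64poppler66-0.52.0-3.9.mga6",      # already at the fixed release
    "lib64poppler-glib8-0.52.0-3.10.mga6",  # newer than the advisory (constructed)
]

_SEG = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpmvercmp(a, b):
    """Reimplementation of rpm's version ordering: returns -1, 0 or 1.

    Strings are split into numeric, alphabetic and '~' segments; separators
    are ignored; numeric segments compare as integers and beat alphabetic
    ones; '~' (pre-release) sorts before anything, including end of string;
    otherwise the string with more segments is the greater one.
    """
    if a == b:
        return 0
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x is None:
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            c = 1 if xd else -1          # numeric segment beats alphabetic
        else:
            c = (x > y) - (x < y)        # plain byte-wise string order
        if c:
            return c
    return 0


def parse_nvr(nvr):
    """Split 'name-version-release'; name may itself contain hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def expand_lib64(name):
    """Expand Mageia's 'lib(64)' shorthand into the two real package names."""
    if "lib(64)" not in name:
        return [name]
    return [name.replace("lib(64)", prefix) for prefix in ("lib", "lib64")]


def fixed_versions(advisory_text):
    """Map every package name in the advisory to its fixed (version, release)."""
    fixed = {}
    for line in advisory_text.split():
        name, version, release = parse_nvr(line)
        for real_name in expand_lib64(name):
            fixed[real_name] = (version, release)
    return fixed


def evr_cmp(a, b):
    """Compare (version, release) tuples the way rpm does (epoch ignored here)."""
    c = rpmvercmp(a[0], b[0])
    return c if c else rpmvercmp(a[1], b[1])


def audit(installed, fixed):
    """Return {name: 'fixed' | 'vulnerable'} for installed packages the advisory covers."""
    result = {}
    for nvr in installed:
        name, version, release = parse_nvr(nvr)
        if name in fixed:
            at_or_above = evr_cmp((version, release), fixed[name]) >= 0
            result[name] = "fixed" if at_or_above else "vulnerable"
    return result


if __name__ == "__main__":
    for name, state in sorted(audit(INSTALLED_SAMPLE, fixed_versions(ADVISORY_PACKAGES)).items()):
        print(f"{name:32} {state}")
```

Installed packages not named in the advisory are ignored, so a package that is simply absent (a `-devel` package on a desktop, for instance) does not show up as vulnerable. On a real system, replace `INSTALLED_SAMPLE` with the output of the `rpm -qa` query in the comment; where exact parity with librpm matters (epochs, `^` markers), compare with `rpmdev-vercmp` instead of this reimplementation.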

Comment 3 Nicolas Salguero 2018-11-22 10:52:08 CET
For Cauldron, the build fails because gcc is hit by a segmentation fault. See bug 23881.
Comment 4 Herman Viaene 2018-11-22 15:27:51 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 23383 Comment 3 for tests
$ pdffonts fpdf
fpdfoutput.pdf  fpdf.php        
[tester6@mach6 Documenten]$ pdffonts fpdfoutput.pdf 
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
Helvetica-Bold                       Type 1            WinAnsi          no  no  yes      6  0
$ pdffonts parkoersen.pdf 
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
BAAAAA+LiberationSans-Bold           TrueType          WinAnsi          yes yes yes     66  0
CAAAAA+LiberationSans                TrueType          WinAnsi          yes yes yes     71  0
$ pdfimages -png sample-link_1.pdf testpoppler
$ ls testp*
testpoppler-000.png  testpoppler-001.png  testpoppler-002.png  testpoppler-003.png
$ eom test*.png
images show OK
$ pdfseparate -f 8 -l 15 verslag2006.pdf stats_%d
[tester6@mach6 Documenten]$ ll stats*
-rw-r--r-- 1 tester6 tester6 1223168 nov 22 15:13 stats_10
-rw-r--r-- 1 tester6 tester6 1224153 nov 22 15:13 stats_11
-rw-r--r-- 1 tester6 tester6 1222967 nov 22 15:13 stats_12
-rw-r--r-- 1 tester6 tester6 1222800 nov 22 15:13 stats_13
-rw-r--r-- 1 tester6 tester6 1222745 nov 22 15:13 stats_14
-rw-r--r-- 1 tester6 tester6 1224702 nov 22 15:13 stats_15
-rw-r--r-- 1 tester6 tester6 1222832 nov 22 15:13 stats_8
-rw-r--r-- 1 tester6 tester6 1223570 nov 22 15:13 stats_9
separate pages show OK
$ pdftops stats_11 stats11.ps
$ gs stats11.ps
GPL Ghostscript 9.25 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved. etc.....
displays the proper page of the original document
$ pdftoppm stats_11 abc
$ ls abc*
abc-1.ppm
$ display abc-1.ppm
Display is OK
$ pdftocairo -jpeg stats_14 stats14
Display is OK

Good enough

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 Lewis Smith 2018-11-22 22:12:20 CET
Quick work, Herman!
Advisory done from comment 2; validating.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2018-11-22 23:27:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0465.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
