Ubuntu has issued an advisory on January 22:
https://usn.ubuntu.com/3865-1/

The upstream fixes (included in 0.73, already in Cauldron) are linked from:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20481.html
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20650.html
Fedora has issued an advisory for this on January 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH33MK2BAV326CV7IKYGMFO4IYX552Z2/

It also fixes two additional CVEs (probably also fixed in 0.73).
Summary: poppler new security issues CVE-2018-20481 and CVE-2018-20650 => poppler new security issues CVE-2018-18897, CVE-2018-20481, CVE-2018-20551, CVE-2018-20650
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing two committers.
CC: (none) => geiger.david68210, marja11, nicolas.salguero
(In reply to Marja Van Waes from comment #2)
> Assigning to all packagers collectively, since there is no registered
> maintainer for this package.

Really assigning now :-(
Assignee: bugsquad => pkg-bugs
Ubuntu has issued an advisory today (February 11):
https://usn.ubuntu.com/3886-1/

It fixes one new issue (fixed upstream in git after 0.73).
Whiteboard: (none) => MGA6TOO
Summary: poppler new security issues CVE-2018-18897, CVE-2018-20481, CVE-2018-20551, CVE-2018-20650 => poppler new security issues CVE-2018-18897, CVE-2018-20481, CVE-2018-20551, CVE-2018-20650, CVE-2019-7310
Version: 6 => Cauldron
CVE-2019-7310 fixed in Cauldron in poppler-0.73.0-2.mga7.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo. (CVE-2018-18897)

XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc. (CVE-2018-20481)

A reachable Object::getString assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c. (CVE-2018-20551)

A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach. (CVE-2018-20650)

In Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo. (CVE-2019-7310)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20650
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7310
https://usn.ubuntu.com/3865-1/
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20481.html
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20650.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH33MK2BAV326CV7IKYGMFO4IYX552Z2/
https://usn.ubuntu.com/3886-1/
========================

Updated packages in core/updates_testing:
========================

poppler-0.52.0-3.11.mga6
lib(64)poppler66-0.52.0-3.11.mga6
lib(64)poppler-devel-0.52.0-3.11.mga6
lib(64)poppler-cpp0-0.52.0-3.11.mga6
lib(64)poppler-qt4-devel-0.52.0-3.11.mga6
lib(64)poppler-qt5-devel-0.52.0-3.11.mga6
lib(64)poppler-qt4_4-0.52.0-3.11.mga6
lib(64)poppler-qt5_1-0.52.0-3.11.mga6
lib(64)poppler-glib8-0.52.0-3.11.mga6
lib(64)poppler-gir0.18-0.52.0-3.11.mga6
lib(64)poppler-glib-devel-0.52.0-3.11.mga6
lib(64)poppler-cpp-devel-0.52.0-3.11.mga6

from SRPMS:
poppler-0.52.0-3.11.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2018-18897, CVE-2018-20481, CVE-2018-20551, CVE-2018-20650, CVE-2019-7310
Status: NEW => ASSIGNED
mga6, x86_64

*Before updates*

CVE-2018-18897
https://gitlab.freedesktop.org/poppler/poppler/issues/654

$ pdftocairo 'memoryleak@wildmidi_lib.c:2066' -ps
Syntax Warning: May not be a PDF file (continuing anyway)
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Couldn't read xref table
Error opening PDF file.

That looks like clean handling of the faulty file.
---------------------------------------------------------
CVE-2018-20481
https://gitlab.freedesktop.org/poppler/poppler/issues/692

$ pdfdetach -save 1 nullpointerdereference.pdf
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
Syntax Error (22829): Dictionary key must be a name object
Syntax Error (22831): Dictionary key must be a name object
Syntax Error (22835): Dictionary key must be a name object
Syntax Error (22837): Dictionary key must be a name object
Syntax Error (22844): Dictionary key must be a name object
Syntax Error (22938): Dictionary key must be a name object
Syntax Error (22940): Dictionary key must be a name object
Syntax Error (22951): Dictionary key must be a name object
Syntax Error: Page count in top-level pages object is wrong type (null)
Command Line Error: Invalid file number

No segfault - probably fixed already.
---------------------------------------------------------
CVE-2018-20551
https://gitlab.freedesktop.org/poppler/poppler/issues/703

$ pdfdetach -save 1 reachabort.pdf
Syntax Error: End of file inside dictionary
Syntax Warning: No valid XRef size in trailer
[...]
Internal Error (0): Call to Object where the object was type 1, not the expected type 3
Aborted (core dumped)
---------------------------------------------------------
CVE-2018-20650
https://gitlab.freedesktop.org/poppler/poppler/issues/704

$ pdfdetach -save 1 reachabort2.pdf
Syntax Error: Unterminated hex string
Syntax Error (8586): Illegal character <2f> in hex string
[...]
Syntax Error: Unterminated string
Syntax Error: End of file inside dictionary
Syntax Error: Invalid FileSpec
Internal Error (0): Call to Object where the object was type 3, not the expected type 7
Aborted (core dumped)
---------------------------------------------------------
CVE-2019-7310
https://gitlab.freedesktop.org/poppler/poppler/issues/717

$ pdftocairo -png issue7769.pdf_mutated

This generates a PNG file which displays the message: "Scan here to make a donation!"

Running the test under valgrind produces a lot of details about various errors, such as:
==3813== Invalid read of size 4
and reports memory leaks which may be relevant to the heap overflow with which this CVE is concerned.
---------------------------------------------------------
Updated the packages.
- lib64poppler-cpp0-0.52.0-3.11.mga6.x86_64
- lib64poppler-devel-0.52.0-3.11.mga6.x86_64
- lib64poppler-glib8-0.52.0-3.11.mga6.x86_64
- lib64poppler-qt5_1-0.52.0-3.11.mga6.x86_64
- lib64poppler66-0.52.0-3.11.mga6.x86_64
- lib64qxp0.0_0-0.0.2-1.mga6.x86_64
- poppler-0.52.0-3.11.mga6.x86_64

Added these manually:
lib64poppler-cpp-devel
lib64poppler-gir0.18
lib64poppler-qt4-devel
lib64poppler-glib-devel

Ran the POC tests again.

*After updating*
---------------------------------------------------------
CVE-2018-18897

$ pdftocairo 'memoryleak@wildmidi_lib.c:2066' -ps

Same result, which confirms that the issue had been fixed.
---------------------------------------------------------
CVE-2018-20481
https://gitlab.freedesktop.org/poppler/poppler/issues/692

$ pdfdetach -save 1 nullpointerdereference.pdf

Same result, so probably fixed already.
---------------------------------------------------------
CVE-2018-20551
https://gitlab.freedesktop.org/poppler/poppler/issues/703

$ pdfdetach -save 1 reachabort.pdf
Syntax Error: End of file inside dictionary
Syntax Warning: No valid XRef size in trailer
[...]
Syntax Error: Invalid XRef entry
Command Line Error: Invalid file number

Good result - it has cured the abort problem.
---------------------------------------------------------
CVE-2018-20650
https://gitlab.freedesktop.org/poppler/poppler/issues/704

$ pdfdetach -save 1 reachabort2.pdf
Syntax Error: Unterminated hex string
[...]
Syntax Error: End of file inside dictionary
Syntax Error: Invalid FileSpec

No abort - good result.
---------------------------------------------------------
CVE-2019-7310
https://gitlab.freedesktop.org/poppler/poppler/issues/717

$ pdftocairo -png issue7769.pdf_mutated
Internal Error: Request for invalid XRef entry [-3]

This generates the PNG image as before but is a better result.
---------------------------------------------------------
All the POC tests look good.

Utility tests:

$ pdfseparate -f 8 -l 15 UsingDocker.pdf stats_%d

generated a number of separate pages from the original PDF.

$ ll stats*
-rw-r--r-- 1 lcl lcl 8295187 Feb 18 10:51 stats_10
-rw-r--r-- 1 lcl lcl 8295187 Feb 18 10:51 stats_11
[...]
-rw-r--r-- 1 lcl lcl 8295189 Feb 18 10:51 stats_9

$ pdftops stats_13 stats13.ps
$ gs stats13.ps

This showed the Preface page from the docker manual.

$ pdfimages -png pragpub-2013-04.pdf test

This extracted 31 images from the source material and stored them as PNGs which could be checked with any image viewer.

$ pdffonts programming-ruby-1-9_p4_.pdf
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
Helvetica                            Type 1            WinAnsi          no  no  no       1  0
OGCZJU+NimbusRomNo9L-Regu            Type 1C           Custom           yes yes no    3129  0
[...]

$ pdftoppm stats_13 > docker
$ ll docker
-rw-r--r-- 1 lcl lcl 4343867 Feb 18 11:09 docker
$ display docker

<This showed the docker manual preface page again. Note that the .ppm extension is no longer supplied.>

$ file docker
docker: Netpbm image data, size = 1050 x 1379, rawbits, pixmap

$ pdfinfo pragpub-2010-03.pdf
Title:          Untitled
Author:         Pragmatic Bookshelf
[...]
File size:      7420926 bytes
Optimized:      no
PDF version:    1.6

$ pdftohtml pragpub-2010-03.pdf

This produced a stack of PNG images named after the source document and three HTML files:
pragpub-2010-03.html
pragpub-2010-03_ind.html
pragpub-2010-03s.html

$ firefox file:pragpub-2010-03.html

indexes the pages in a browser along with some images.

$ pdftotext pragpub-2010-03.pdf dump.txt

Extracts all text from the PDF file and writes it to the specified file.

$ ll dump.txt
-rw-r--r-- 1 lcl lcl 116175 Feb 18 11:33 dump.txt

$ pdfunite pragpub-2010-07.pdf pragpub-2010-08.pdf pragpub-2010-09.pdf test.pdf
$ ll test.pdf
-rw-r--r-- 1 lcl lcl 27365389 Feb 18 11:38 test.pdf

In okular you can page down to see the included documents in sequence.

This is good for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
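The advisory's description of CVE-2019-7310 (a signed index reaching XRef::getEntry) and the post-update output "Request for invalid XRef entry [-3]" in the QA comment both come down to one bounds check. The following is an added illustration written for this thread, not poppler's source: a simplified table lookup with the weak upper-bound-only check beside a checked form that rejects negative indices and unallocated entries. All names, the status codes and the four-entry sample table are constructed.

```c
/* Simplified model of a cross-reference table lookup, written as an
 * illustration for this thread. It is NOT poppler's source; the names echo
 * the advisory's XRef::getEntry only to make the comparison readable. */
#include <stdio.h>

enum { XREF_FREE = 0, XREF_IN_USE = 1 };
enum { LOOKUP_INVALID_INDEX = -1, LOOKUP_UNALLOCATED = 0, LOOKUP_OK = 1 };
typedef struct { long offset; int type; } XRefEntry;              /* type: XREF_FREE or XREF_IN_USE */
typedef struct { const XRefEntry *entries; int size; } XRefTable;  /* size is signed, like the index */

/* Pre-fix pattern: only the upper bound is tested. A negative index such as
 * the -3 in the QA log is admitted and would read before the buffer, the
 * heap over-read the CVE-2019-7310 text describes. Returns 1 if admitted. */
int weak_index_admitted(int size, int i) {
    return i < size;
}

/* Hardened lookup: reject negative and too-large indices before touching
 * memory, and refuse to hand back an unallocated slot (the CVE-2018-20481
 * case) instead of leaving the caller to dereference it. */
int get_entry_checked(const XRefTable *x, int i, XRefEntry *out) {
    if (i < 0 || i >= x->size) {
        fprintf(stderr, "Internal Error: Request for invalid XRef entry [%d]\n", i);
        return LOOKUP_INVALID_INDEX;
    }
    if (x->entries[i].type != XREF_IN_USE)
        return LOOKUP_UNALLOCATED;
    *out = x->entries[i];
    return LOOKUP_OK;
}

/* Constructed four-entry table: slot 0 is the free-list head, 1..3 in use. */
static const XRefEntry SAMPLE_ENTRIES[4] = {
    {0, XREF_FREE}, {15, XREF_IN_USE}, {120, XREF_IN_USE}, {340, XREF_IN_USE}
};
static const XRefTable SAMPLE_TABLE = { SAMPLE_ENTRIES, 4 };

/* Look up one index in the constructed table and return the status code. */
int sample_lookup(int i) {
    XRefEntry e;
    return get_entry_checked(&SAMPLE_TABLE, i, &e);
}

int main(void) {
    const int probes[] = { -3, 0, 2, 4 };   /* negative, free, in use, past the end */
    for (int k = 0; k < 4; k++)
        printf("index %2d: weak check admits=%d, checked lookup=%d\n",
               probes[k], weak_index_admitted(SAMPLE_TABLE.size, probes[k]), sample_lookup(probes[k]));
    return 0;
}
```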
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0092.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED