Bug 24495 - poppler new security issues CVE-2018-20662 and CVE-2019-9200
Summary: poppler new security issues CVE-2018-20662 and CVE-2019-9200
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-03-12 15:27 CET by David Walser
Modified: 2019-03-29 16:52 CET (History)

See Also:
Source RPM: poppler-0.52.0-3.11.mga6.src.rpm
CVE: CVE-2018-20662, CVE-2019-9200
Status comment:

Description David Walser 2019-03-12 15:27:42 CET
Fedora has issued an advisory on February 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XZJRQDZQWGGWTYPBZW75BHT5JBZQZNRP/

The other CVE was fixed in Bug 24250.

As for this one, the RedHat bug says the upstream fix was reverted:
https://bugzilla.redhat.com/show_bug.cgi?id=1665273

but that was a month before they pushed this update, so hopefully they have a good fix.

Mageia 6 is probably also affected.
Comment 1 David Walser 2019-03-13 20:00:20 CET
Ubuntu has issued an advisory on March 11:
https://usn.ubuntu.com/3905-1/

It fixes one new issue.

Mageia 6 is also affected.

Whiteboard: (none) => MGA6TOO
Summary: poppler new security issue CVE-2018-20662 => poppler new security issues CVE-2018-20662 and CVE-2019-9200
Severity: normal => major

Comment 2 Marja Van Waes 2019-03-14 15:54:24 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => geiger.david68210, marja11, nicolas.salguero, smelror
Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2019-03-20 17:10:13 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing. (CVE-2018-20662)

A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. (CVE-2019-9200)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9200
https://usn.ubuntu.com/3905-1/
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.12.mga6
lib(64)poppler66-0.52.0-3.12.mga6
lib(64)poppler-devel-0.52.0-3.12.mga6
lib(64)poppler-cpp0-0.52.0-3.12.mga6
lib(64)poppler-qt4-devel-0.52.0-3.12.mga6
lib(64)poppler-qt5-devel-0.52.0-3.12.mga6
lib(64)poppler-qt4_4-0.52.0-3.12.mga6
lib(64)poppler-qt5_1-0.52.0-3.12.mga6
lib(64)poppler-glib8-0.52.0-3.12.mga6
lib(64)poppler-gir0.18-0.52.0-3.12.mga6
lib(64)poppler-glib-devel-0.52.0-3.12.mga6
lib(64)poppler-cpp-devel-0.52.0-3.12.mga6

from SRPMS:
poppler-0.52.0-3.12.mga6.src.rpm

Source RPM: poppler-0.74.0-1.mga7.src.rpm => poppler-0.52.0-3.11.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 6

Nicolas Salguero 2019-03-20 17:10:24 CET

CVE: (none) => CVE-2018-20662, CVE-2019-9200

Comment 4 Len Lawrence 2019-03-21 18:41:26 CET
mga6, x86_64

The POCs for the CVEs are not very well defined for our purposes, so we have to ignore them.  One of them involves a damaged PDF file which displays OK but aborts within the ASAN framework for pdfimages.  The other cannot be downloaded.

Going for a clean update.
- lib64poppler-cpp-devel-0.52.0-3.12.mga6.x86_64
- lib64poppler-cpp0-0.52.0-3.12.mga6.x86_64
- lib64poppler-devel-0.52.0-3.12.mga6.x86_64
- lib64poppler-gir0.18-0.52.0-3.12.mga6.x86_64
- lib64poppler-glib-devel-0.52.0-3.12.mga6.x86_64
- lib64poppler-glib8-0.52.0-3.12.mga6.x86_64
- lib64poppler-qt4-devel-0.52.0-3.12.mga6.x86_64
- lib64poppler-qt4_4-0.52.0-3.12.mga6.x86_64
- lib64poppler-qt5_1-0.52.0-3.12.mga6.x86_64
- lib64poppler66-0.52.0-3.12.mga6.x86_64
- poppler-0.52.0-3.12.mga6.x86_64

Added lib64poppler-qt5-devel-0.52.0-3.12.mga6

Processed some local PDFs.

$ pdffonts text-processing-with-ruby_p1_0.pdf
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
Helvetica                            Type 1            WinAnsi          no  no  no       1  0
GFEDCB+MyriadPro-Semibold            Type 1C           Custom           yes yes
[...]

$ pdfimages -png pragpub-2009-10.pdf pp
$ ls pp*
pp-000.png  pp-008.png  pp-016.png  pp-024.png  pp-032.png  pp-040.png
pp-001.png  pp-009.png  pp-017.png  pp-025.png  pp-033.png  pp-041.png
pp-002.png  pp-010.png  pp-018.png  pp-026.png  pp-034.png  pp-042.png
pp-003.png  pp-011.png  pp-019.png  pp-027.png  pp-035.png  pp-043.png
pp-004.png  pp-012.png  pp-020.png  pp-028.png  pp-036.png  pp-044.png
pp-005.png  pp-013.png  pp-021.png  pp-029.png  pp-037.png
pp-006.png  pp-014.png  pp-022.png  pp-030.png  pp-038.png
pp-007.png  pp-015.png  pp-023.png  pp-031.png  pp-039.png

Viewed some of these with eom.  All looked OK.

$ pdftohtml LJ_TBF4.pdf LJ.html
$ ls *.html
LJ.html  LJ_ind.html  LJs.html
$ firefox LJ.html
This showed a Linux Journal cover page in the browser with all the pages in an index on the left to enable the journal to be scanned.

$ pdfseparate -f 2 -l 6 LJ_TBF4.pdf lj_%d
Syntax Warning: PDFDoc::markDictionnary: Found recursive dicts
Syntax Warning: PDFDoc::markDictionnary: Found recursive dicts
$ ls lj*
lj_2  lj_3  lj_4  lj_5  lj_6
$ file lj_2
lj_2: PDF document, version 1.6
$ xpdf lj_2
displayed page 2 of the Linux Journal.
$ pdftocairo -png lj_5 page5
$ ls page5*
page5-1.png
$ eom page5-1.png
displayed page 5 as an image.
$ pdftoppm lj_4 xyz
$ ls xyz*
xyz-1.ppm
This is an image of the Contents page.

$ pdfinfo metaprogramming-ruby_p3_0.pdf
Title:          Metaprogramming Ruby
Subject:        
Keywords:       
Author:         Paolo Perrotta
Creator:        The Pragmatic Bookshelf
[...]

$ pdfdetach -list metaprogramming-ruby_p3_0.pdf
0 embedded files

$ pdfunite lj_4 lj_5 lj_6 lj4-6.pdf
$ okular lj4-6.pdf
This showed the three consecutive pages from the journal.

$ pdftops lj4-6.pdf
$ gs lj4-6.ps
This showed the Contents page in postscript format and the two succeeding pages when Return was pressed.

This all looks good for 64 bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 5 Thomas Andrews 2019-03-22 15:17:02 CET
Following Len's lead, going for a clean install in 32-bit Plasma.

The following 4 packages are going to be installed:

- libpoppler-glib8-0.52.0-3.12.mga6.i586
- libpoppler-qt5_1-0.52.0-3.12.mga6.i586
- libpoppler66-0.52.0-3.12.mga6.i586
- poppler-0.52.0-3.12.mga6.i586

Packages installed cleanly. Viewed several PDFs with ePDFviewer, which urpmq lists as being dependent on poppler. All files displayed properly.

OK for 32-bit. Validating. Suggested advisory in Comment 3.

Keywords: (none) => validated_update
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-03-29 16:03:52 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-03-29 16:52:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0117.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
