RedHat has issued an advisory today (August 6): https://access.redhat.com/errata/RHSA-2019:2022 The issue appears to have been fixed upstream in 0.76.0, in this commit: https://gitlab.freedesktop.org/poppler/poppler/commit/8122f6d6d409b53151a20c5578fc525ee97315e8 The other CVEs in RedHat's advisory we have fixed in the last few updates. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing ns80
CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs
Ubuntu has issued an advisory for this on June 27:
https://usn.ubuntu.com/4042-1/

CVE-2019-9903 also appears to have been fixed in 0.76.0:
https://gitlab.freedesktop.org/poppler/poppler/commit/fada09a2ccc11a3a1d308e810f1336d8df6011fd

Other possibly new CVEs (we haven't previously mentioned) I haven't triaged yet:
CVE-2019-1001[89], CVE-2019-1002[13], CVE-2019-1087[23], CVE-2019-12293
Summary: poppler new security issue CVE-2019-9631 => poppler new security issues CVE-2019-9631 and CVE-2019-9903
Ubuntu has issued an advisory on August 12:
https://usn.ubuntu.com/4091-1/

CVE-2019-14494 fixed upstream in 0.79.0:
https://gitlab.freedesktop.org/poppler/poppler/commit/b224e2f5739fe61de9fa69955d016725b2a4b78d
Summary: poppler new security issues CVE-2019-9631 and CVE-2019-9903 => poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-14494
Here are the other CVEs from Comment 2, with the commit and version they're fixed in:

CVE-2019-10018 https://cgit.freedesktop.org/poppler/poppler/commit/?id=e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6 0.56
CVE-2019-10019 https://cgit.freedesktop.org/poppler/poppler/commit/?id=4552af28684e18c6153ce5598b121a73477af4d6 0.60
CVE-2019-10021 https://cgit.freedesktop.org/poppler/poppler/commit/?id=5266fa426d73c5dbdb3dd903d50885097833acc6 0.56
CVE-2019-10023 https://cgit.freedesktop.org/poppler/poppler/commit/?id=e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6 0.56
CVE-2019-10872 https://gitlab.freedesktop.org/poppler/poppler/commit/6a1580e84f492b5671d23be98192267bb73de250 0.77
CVE-2019-10873 https://gitlab.freedesktop.org/poppler/poppler/commit/8dbe2e6c480405dab9347075cf4be626f90f1d05 0.76
CVE-2019-12293 https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c 0.77

So the first four of those are already fixed in Mageia 7, the last three aren't.
Summary: poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-14494 => poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-1001[89], CVE-2019-1002[13], CVE-2019-1087[23], CVE-2019-12293, CVE-2019-14494
Hi,

To sum up:
- CVE-2019-10019: it is the reintroduction of code that was present in version 0.52 and removed afterwards, so Mageia 6 is not affected.
- CVE-2019-10023: it is the same issue as CVE-2019-10018 but for xpdf (3.04 and 4.01.01), so Mageia 6, 7 and Cauldron are affected; I will create a separate bug report for that.
- CVE-2019-10873: after checking, and according to https://bugzilla.suse.com/show_bug.cgi?id=1131726, the issue was introduced in version 0.70.

Best regards,

Nico.
For Mageia 6:

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case. (CVE-2019-10018)

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function ImageStream::ImageStream at Stream.cc for nComps. (CVE-2019-10021)

An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function Splash::blitTransparent at splash/Splash.cc. (CVE-2019-10872)

In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths. (CVE-2019-12293)

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc. (CVE-2019-14494)

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function. (CVE-2019-9631)

PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary. (CVE-2019-9903)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12293
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9903
https://access.redhat.com/errata/RHSA-2019:2022
https://usn.ubuntu.com/4042-1/
https://usn.ubuntu.com/4091-1/
========================

Updated packages in 6/core/updates_testing:
========================
poppler-0.52.0-3.13.mga6
lib(64)poppler66-0.52.0-3.13.mga6
lib(64)poppler-devel-0.52.0-3.13.mga6
lib(64)poppler-cpp0-0.52.0-3.13.mga6
lib(64)poppler-qt4-devel-0.52.0-3.13.mga6
lib(64)poppler-qt5-devel-0.52.0-3.13.mga6
lib(64)poppler-qt4_4-0.52.0-3.13.mga6
lib(64)poppler-qt5_1-0.52.0-3.13.mga6
lib(64)poppler-glib8-0.52.0-3.13.mga6
lib(64)poppler-gir0.18-0.52.0-3.13.mga6
lib(64)poppler-glib-devel-0.52.0-3.13.mga6
lib(64)poppler-cpp-devel-0.52.0-3.13.mga6

from SRPMS:
poppler-0.52.0-3.13.mga6.src.rpm
For Mageia 7:

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function Splash::blitTransparent at splash/Splash.cc. (CVE-2019-10872)

An issue was discovered in Poppler 0.74.0. There is a NULL pointer dereference in the function SplashClip::clipAALine at splash/SplashClip.cc. (CVE-2019-10873)

In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths. (CVE-2019-12293)

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc. (CVE-2019-14494)

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function. (CVE-2019-9631)

PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary. (CVE-2019-9903)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12293
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9903
https://access.redhat.com/errata/RHSA-2019:2022
https://usn.ubuntu.com/4042-1/
https://usn.ubuntu.com/4091-1/
========================

Updated packages in 7/core/updates_testing:
========================
poppler-0.74.0-3.1.mga7
lib(64)poppler85-0.74.0-3.1.mga7
lib(64)poppler-devel-0.74.0-3.1.mga7
lib(64)poppler-cpp0-0.74.0-3.1.mga7
lib(64)poppler-qt5-devel-0.74.0-3.1.mga7
lib(64)poppler-qt5_1-0.74.0-3.1.mga7
lib(64)poppler-glib8-0.74.0-3.1.mga7
lib(64)poppler-gir0.18-0.74.0-3.1.mga7
lib(64)poppler-glib-devel-0.74.0-3.1.mga7
lib(64)poppler-cpp-devel-0.74.0-3.1.mga7

from SRPMS:
poppler-0.74.0-3.1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
I made a mistake because https://cgit.freedesktop.org/poppler/poppler/commit/?id=e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6 solves CVE-2019-10018 and CVE-2019-10023 at the same time but those CVEs are different.

So, for Mageia 6:

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case. (CVE-2019-10018)

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function ImageStream::ImageStream at Stream.cc for nComps. (CVE-2019-10021)

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpMod case. (CVE-2019-10023)

An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function Splash::blitTransparent at splash/Splash.cc. (CVE-2019-10872)

In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths. (CVE-2019-12293)

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc. (CVE-2019-14494)

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function. (CVE-2019-9631)

PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary. (CVE-2019-9903)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12293
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9903
https://access.redhat.com/errata/RHSA-2019:2022
https://usn.ubuntu.com/4042-1/
https://usn.ubuntu.com/4091-1/
========================

Updated packages in 6/core/updates_testing:
========================
poppler-0.52.0-3.13.mga6
lib(64)poppler66-0.52.0-3.13.mga6
lib(64)poppler-devel-0.52.0-3.13.mga6
lib(64)poppler-cpp0-0.52.0-3.13.mga6
lib(64)poppler-qt4-devel-0.52.0-3.13.mga6
lib(64)poppler-qt5-devel-0.52.0-3.13.mga6
lib(64)poppler-qt4_4-0.52.0-3.13.mga6
lib(64)poppler-qt5_1-0.52.0-3.13.mga6
lib(64)poppler-glib8-0.52.0-3.13.mga6
lib(64)poppler-gir0.18-0.52.0-3.13.mga6
lib(64)poppler-glib-devel-0.52.0-3.13.mga6
lib(64)poppler-cpp-devel-0.52.0-3.13.mga6

from SRPMS:
poppler-0.52.0-3.13.mga6.src.rpm
Created attachment 11264: Before and after reports for POC listed against CVEs
CC: (none) => tarazed25
mga7, x86_64

The attached POC report covers some redundant tests. Those up to CVE-2019-10023 only confirm the remarks in comment 4.
mga7, x86_64

A few utility tests:

$ pdffonts UserManual.pdf
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
AHKLDF+HelveticaNeue-Bold            Type 1C           WinAnsi          yes yes no     339  0
[...]
AHLFGB+SimSun                        CID TrueType      Identity-H       yes yes yes    145  0

$ pdfimages RustProgrammingLanguage.pdf rust
$ ls rust*
rust-000.ppm rust-003.ppm rust-006.ppm rust-009.ppm
rust-001.ppm rust-004.ppm rust-007.ppm rust-010.ppm
rust-002.ppm rust-005.ppm rust-008.ppm rust-011.ppm
These appear as a series of slides using the display -> Next function.

$ pdftohtml RustProgrammingLanguage.pdf rust.html
Processed 554 pages.
$ ll rust*html
-rw-r--r-- 1 lcl lcl     361 Aug 28 09:44 rust.html
-rw-r--r-- 1 lcl lcl   34328 Aug 28 09:44 rust_ind.html
-rw-r--r-- 1 lcl lcl 1686937 Aug 28 09:44 rusts.html
Viewed the manual using:
$ firefox file:///home/lcl/docs/books/rust.html
Page index in the left hand column. Clicking on 'Outline' brings up the TOC. The links all work.

$ pdfseparate -f 5 -l 14 StatisticsDoneWrong.pdf stats_%d
Produced ten stats_* files.
$ file stats_5
stats_5: PDF document, version 1.6
All pages displayed fine in a pdf reader.

$ pdftops stats_11 stats11.ps
The postscript file could be viewed in ghostscript.
$ gs stats11.ps

$ pdftoppm stats_14 stats
$ ls stats*ppm
stats-1.ppm
$ eom stats-1.ppm
Displayed page 14 (xii in Contents).

$ pdftocairo -jpeg stats_14 stats14
$ ls stats*jpg
stats14-1.jpg
That displayed fine as well.

This all looks good.
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
mga6, x86_64

Checked some of the POC before updating and saw a few results which differed from those outlined in the mga7 attachment, comment 9. These differ:

CVE-2019-10018
$ pdftotext fpe_1
Syntax Warning: No valid XRef size in trailer
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Floating point exception (core dumped)

CVE-2019-10021
$ pdftoppm fpe_4 out.ppm
Bogus memory allocation size

$ pdftoppm -cropbox -jpeg -freetype yes outofboundsread > out.ppm
The error stack looked the same but there was no segfault and some image data was generated.

CVE-2019-9631
$ pdftocairo -ps radamsa_716NiagaraWineTrail_opt.pdf winetrail.ps
Syntax errors, as before but no hangup. The following test did hang though, whereas it did not for mga7.
$ pdftocairo -scale-to 200 -png radamsa_716NiagaraWineTrail_opt.pdf winetrail.png

Updated all twelve packages and checked the POC again.

CVE-2019-12293
No segfault but it aborts. Maybe not fixed.

CVE-2019-14494
Endless loop, as in mga7 - maybe not properly fixed.

CVE-2019-9631
Hangup - not seen in mga7

So POC tests give broadly similar results with indications that some of the fixes may need to be looked at again. Not a reason to hold this up though.

Some utility tests:

$ pdffonts PythonUnlocked.pdf
[...]
VVCFAS+Arial-BoldItalicMT TrueType WinAnsi yes yes yes 1104 0

$ pdfimages PythonUnlocked.pdf unlocked
$ ls unlocked*.ppm | wc -l
27
All images displayed properly.

$ pdftohtml RustProgrammingLanguage.pdf rust.html
Page-1
Page-2
[...]
Syntax Warning: Invalid Font Weight
Page-554
$ ls rust*.html
rust.html rust_ind.html rusts.html
$ firefox file:///home/lcl/docs/books/rust.html
Brings up a two-frame page in browser with page index and text. Page index works.

$ pdfseparate -f 19 -l 28 metaprogramming-ruby-2_p3_0.pdf mpr_%d
[...]
Syntax Warning: PDFDoc::markDictionnary: Found recursive dicts
$ ls mpr*
mpr_19 mpr_20 mpr_21 mpr_22 mpr_23 mpr_24 mpr_25 mpr_26 mpr_27 mpr_28
These are PDF files, one per page, and can be viewed in a PDF reader.

$ pdftops mpr_22 mpr22.ps
$ gs mpr22.ps
The postscript file displays correctly.

$ pdftoppm mpr_23 mpr
Generates mpr-1.ppm which displays fine.

$ pdftocairo -jpeg mpr_24 mpr24
creates mpr24-1.jpg which looks fine in an image viewer.
Similarly:
$ pdftocairo -png mpr_24 mpr24
$ display mpr24-1.png
The command works for TIFF format also.

This update can be sent on.
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
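The QA comments above classify each POC run by hand (FPE, abort, segfault, endless loop). The script below is an added example, not part of this bug report or of poppler, that does the same under a time limit so before/after runs can be diffed; it assumes coreutils `timeout` and the pdftotext/pdftoppm/pdftocairo binaries, and `check_pocs` takes a hypothetical directory of POC files.

```shell
#!/bin/sh
# Added example (not from the bug report or from poppler): run POC files
# through the poppler utilities under a wall-clock limit and classify each
# outcome, so FPEs, aborts, segfaults and endless loops are recorded rather
# than read off the terminal by eye.
# Assumes coreutils `timeout` and the pdftotext/pdftoppm/pdftocairo binaries.

# Map an exit status to a label. A shell reports death by signal as 128+signo;
# coreutils timeout reports 124 when the limit is reached.
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;     # endless loop, as reported for CVE-2019-14494
        134) echo "abort" ;;       # SIGABRT, e.g. "Bogus memory allocation size"
        136) echo "fpe" ;;         # SIGFPE, e.g. the psOpIdiv divide-by-zero
        139) echo "segv" ;;        # SIGSEGV, out-of-bounds access
        *)   echo "error($1)" ;;   # ordinary failure (syntax errors etc.), not a crash
    esac
}

# run_poc SECONDS CMD [ARGS...]: run CMD with a time limit and print its label.
# Always returns 0 so it is safe to call under `set -e`.
run_poc() {
    secs=$1; shift
    status=0
    timeout "$secs" "$@" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# check_pocs SECONDS DIR: exercise every file in DIR (a hypothetical directory
# of POC PDFs) with the three renderers used in the QA comments and print one
# tab-separated line per tool and file. Rendered output goes to a scratch dir.
check_pocs() {
    secs=$1; dir=$2
    out=$(mktemp -d) || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        printf 'pdftotext\t%s\t%s\n'  "$name" "$(run_poc "$secs" pdftotext "$f" "$out/$name.txt")"
        printf 'pdftoppm\t%s\t%s\n'   "$name" "$(run_poc "$secs" pdftoppm "$f" "$out/$name")"
        printf 'pdftocairo\t%s\t%s\n' "$name" "$(run_poc "$secs" pdftocairo -png "$f" "$out/$name")"
    done
    rm -rf "$out"
}

# Usage: check_pocs 20 ./poc-files > after-update.tsv, then diff against the
# run taken before the update; any label other than ok/error(N) is a crash or hang.
```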
Validating. Suggested advisories in Comment 7 and Comment 8.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0244.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0245.html