Bug 25233 - poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-1001[89], CVE-2019-1002[13], CVE-2019-1087[23], CVE-2019-12293, CVE-2019-14494
Summary: poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-1001[89], ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-06 17:47 CEST by David Walser
Modified: 2019-09-06 23:11 CEST

See Also:
Source RPM: poppler-0.74.0-3.mga7.src.rpm
CVE:
Status comment:


Attachments
Before and after reports for POC listed against CVEs (4.68 KB, text/plain)
2019-08-27 23:15 CEST, Len Lawrence

Description David Walser 2019-08-06 17:47:56 CEST
RedHat has issued an advisory today (August 6):
https://access.redhat.com/errata/RHSA-2019:2022

The issue appears to have been fixed upstream in 0.76.0, in this commit:
https://gitlab.freedesktop.org/poppler/poppler/commit/8122f6d6d409b53151a20c5578fc525ee97315e8

The other CVEs in RedHat's advisory we have fixed in the last few updates.

Mageia 6 is also affected.
David Walser 2019-08-06 17:48:05 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-08-06 19:02:35 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing ns80

CC: (none) => marja11, nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-08-11 23:20:14 CEST
Ubuntu has issued an advisory for this on June 27:
https://usn.ubuntu.com/4042-1/

CVE-2019-9903 also appears to have been fixed in 0.76.0:
https://gitlab.freedesktop.org/poppler/poppler/commit/fada09a2ccc11a3a1d308e810f1336d8df6011fd

Other possibly new CVEs (which we haven't previously mentioned) that I haven't triaged yet:
CVE-2019-1001[89], CVE-2019-1002[13], CVE-2019-1087[23], CVE-2019-12293

Summary: poppler new security issue CVE-2019-9631 => poppler new security issues CVE-2019-9631 and CVE-2019-9903

Comment 3 David Walser 2019-08-16 20:26:26 CEST
Ubuntu has issued an advisory on August 12:
https://usn.ubuntu.com/4091-1/

CVE-2019-14494 fixed upstream in 0.79.0:
https://gitlab.freedesktop.org/poppler/poppler/commit/b224e2f5739fe61de9fa69955d016725b2a4b78d

Summary: poppler new security issues CVE-2019-9631 and CVE-2019-9903 => poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-14494

Comment 4 David Walser 2019-08-16 20:36:05 CEST
Here are the other CVEs from Comment 2, with the commit and version they're fixed in:
CVE-2019-10018
https://cgit.freedesktop.org/poppler/poppler/commit/?id=e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6
0.56

CVE-2019-10019
https://cgit.freedesktop.org/poppler/poppler/commit/?id=4552af28684e18c6153ce5598b121a73477af4d6
0.60

CVE-2019-10021
https://cgit.freedesktop.org/poppler/poppler/commit/?id=5266fa426d73c5dbdb3dd903d50885097833acc6
0.56

CVE-2019-10023
https://cgit.freedesktop.org/poppler/poppler/commit/?id=e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6
0.56

CVE-2019-10872
https://gitlab.freedesktop.org/poppler/poppler/commit/6a1580e84f492b5671d23be98192267bb73de250
0.77

CVE-2019-10873
https://gitlab.freedesktop.org/poppler/poppler/commit/8dbe2e6c480405dab9347075cf4be626f90f1d05
0.76

CVE-2019-12293
https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c
0.77

So the first four of those are already fixed in Mageia 7, the last three aren't.

Summary: poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-14494 => poppler new security issues CVE-2019-9631, CVE-2019-9903, CVE-2019-1001[89], CVE-2019-1002[13], CVE-2019-1087[23], CVE-2019-12293, CVE-2019-14494

Comment 5 Nicolas Salguero 2019-08-27 13:34:15 CEST
Hi,

To sum up:
  - CVE-2019-10019: it is the reintroduction of code that was present in version 0.52 and removed afterwards, so Mageia 6 is not affected.
  - CVE-2019-10023: it is the same issue as CVE-2019-10018 but for xpdf (3.04 and 4.01.01), so Mageia 6, 7 and Cauldron are affected; I will create a separate bug report for that.
  - CVE-2019-10873: after checking, and according to https://bugzilla.suse.com/show_bug.cgi?id=1131726, the issue was introduced in version 0.70.

Best regards,

Nico.
Comment 6 Nicolas Salguero 2019-08-27 16:40:15 CEST
For Mageia 6:

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case. (CVE-2019-10018)

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function ImageStream::ImageStream at Stream.cc for nComps. (CVE-2019-10021)

An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function Splash::blitTransparent at splash/Splash.cc. (CVE-2019-10872)

In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths. (CVE-2019-12293)

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc. (CVE-2019-14494)

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function. (CVE-2019-9631)

PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary. (CVE-2019-9903)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12293
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9903
https://access.redhat.com/errata/RHSA-2019:2022
https://usn.ubuntu.com/4042-1/
https://usn.ubuntu.com/4091-1/
========================

Updated packages in 6/core/updates_testing:
========================
poppler-0.52.0-3.13.mga6
lib(64)poppler66-0.52.0-3.13.mga6
lib(64)poppler-devel-0.52.0-3.13.mga6
lib(64)poppler-cpp0-0.52.0-3.13.mga6
lib(64)poppler-qt4-devel-0.52.0-3.13.mga6
lib(64)poppler-qt5-devel-0.52.0-3.13.mga6
lib(64)poppler-qt4_4-0.52.0-3.13.mga6
lib(64)poppler-qt5_1-0.52.0-3.13.mga6
lib(64)poppler-glib8-0.52.0-3.13.mga6
lib(64)poppler-gir0.18-0.52.0-3.13.mga6
lib(64)poppler-glib-devel-0.52.0-3.13.mga6
lib(64)poppler-cpp-devel-0.52.0-3.13.mga6

from SRPMS:
poppler-0.52.0-3.13.mga6.src.rpm
Comment 7 Nicolas Salguero 2019-08-27 16:44:45 CEST
For Mageia 7:

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function Splash::blitTransparent at splash/Splash.cc. (CVE-2019-10872)

An issue was discovered in Poppler 0.74.0. There is a NULL pointer dereference in the function SplashClip::clipAALine at splash/SplashClip.cc. (CVE-2019-10873)

In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths. (CVE-2019-12293)

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc. (CVE-2019-14494)

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function. (CVE-2019-9631)

PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary. (CVE-2019-9903)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12293
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9903
https://access.redhat.com/errata/RHSA-2019:2022
https://usn.ubuntu.com/4042-1/
https://usn.ubuntu.com/4091-1/
========================

Updated packages in 7/core/updates_testing:
========================
poppler-0.74.0-3.1.mga7
lib(64)poppler85-0.74.0-3.1.mga7
lib(64)poppler-devel-0.74.0-3.1.mga7
lib(64)poppler-cpp0-0.74.0-3.1.mga7
lib(64)poppler-qt5-devel-0.74.0-3.1.mga7
lib(64)poppler-qt5_1-0.74.0-3.1.mga7
lib(64)poppler-glib8-0.74.0-3.1.mga7
lib(64)poppler-gir0.18-0.74.0-3.1.mga7
lib(64)poppler-glib-devel-0.74.0-3.1.mga7
lib(64)poppler-cpp-devel-0.74.0-3.1.mga7

from SRPMS:
poppler-0.74.0-3.1.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

Comment 8 Nicolas Salguero 2019-08-27 16:58:16 CEST
I made a mistake because https://cgit.freedesktop.org/poppler/poppler/commit/?id=e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6 solves CVE-2019-10018 and CVE-2019-10023 at the same time but those CVEs are different.  So, for Mageia 6:

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case. (CVE-2019-10018)

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function ImageStream::ImageStream at Stream.cc for nComps. (CVE-2019-10021)

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpMod case. (CVE-2019-10023)

An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function Splash::blitTransparent at splash/Splash.cc. (CVE-2019-10872)

In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths. (CVE-2019-12293)

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc. (CVE-2019-14494)

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function. (CVE-2019-9631)

PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary. (CVE-2019-9903)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10872
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12293
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9903
https://access.redhat.com/errata/RHSA-2019:2022
https://usn.ubuntu.com/4042-1/
https://usn.ubuntu.com/4091-1/
========================

Updated packages in 6/core/updates_testing:
========================
poppler-0.52.0-3.13.mga6
lib(64)poppler66-0.52.0-3.13.mga6
lib(64)poppler-devel-0.52.0-3.13.mga6
lib(64)poppler-cpp0-0.52.0-3.13.mga6
lib(64)poppler-qt4-devel-0.52.0-3.13.mga6
lib(64)poppler-qt5-devel-0.52.0-3.13.mga6
lib(64)poppler-qt4_4-0.52.0-3.13.mga6
lib(64)poppler-qt5_1-0.52.0-3.13.mga6
lib(64)poppler-glib8-0.52.0-3.13.mga6
lib(64)poppler-gir0.18-0.52.0-3.13.mga6
lib(64)poppler-glib-devel-0.52.0-3.13.mga6
lib(64)poppler-cpp-devel-0.52.0-3.13.mga6

from SRPMS:
poppler-0.52.0-3.13.mga6.src.rpm
Comment 9 Len Lawrence 2019-08-27 23:15:48 CEST
Created attachment 11264
Before and after reports for POC listed against CVEs

CC: (none) => tarazed25

Comment 10 Len Lawrence 2019-08-27 23:21:57 CEST
mga7, x86_64

The attached POC report covers some redundant tests.
Those up to CVE-2019-10023 only confirm the remarks in comment 4.
Comment 11 Len Lawrence 2019-08-28 11:14:59 CEST
mga7, x86_64
A few utility tests:

$ pdffonts UserManual.pdf
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
AHKLDF+HelveticaNeue-Bold            Type 1C           WinAnsi          yes yes no     339  0
[...]
AHLFGB+SimSun                        CID TrueType      Identity-H       yes yes yes    145  0

$ pdfimages RustProgrammingLanguage.pdf rust
$ ls rust*
rust-000.ppm  rust-003.ppm  rust-006.ppm  rust-009.ppm
rust-001.ppm  rust-004.ppm  rust-007.ppm  rust-010.ppm
rust-002.ppm  rust-005.ppm  rust-008.ppm  rust-011.ppm
These appear as a series of slides using the display -> Next function.

$ pdftohtml RustProgrammingLanguage.pdf rust.html
Processed 554 pages.
$ ll rust*html
-rw-r--r-- 1 lcl lcl     361 Aug 28 09:44 rust.html
-rw-r--r-- 1 lcl lcl   34328 Aug 28 09:44 rust_ind.html
-rw-r--r-- 1 lcl lcl 1686937 Aug 28 09:44 rusts.html
Viewed the manual using:
$ firefox file:///home/lcl/docs/books/rust.html
Page index in the left hand column.  Clicking on 'Outline' brings up the TOC.  The links all work.

$ pdfseparate -f 5 -l 14 StatisticsDoneWrong.pdf stats_%d
Produced ten stats_* files.
$ file stats_5
stats_5: PDF document, version 1.6
All pages displayed fine in a pdf reader.

$ pdftops stats_11 stats11.ps
The postscript file could be viewed in ghostscript.
$ gs stats11.ps

$ pdftoppm stats_14 stats
$ ls stats*ppm
stats-1.ppm
$ eom stats-1.ppm
Displayed page 14 (xii in Contents).

$ pdftocairo -jpeg stats_14 stats14
$ ls stats*jpg
stats14-1.jpg
That displayed fine as well.

This all looks good.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK

Comment 12 Len Lawrence 2019-09-03 12:53:37 CEST
mga6, x86_64

Checked some of the POC before updating and saw a few results which differed from those outlined in the mga7 attachment, comment 9.
These differ:
CVE-2019-10018
$ pdftotext fpe_1
Syntax Warning: No valid XRef size in trailer
Syntax Error: Type mismatch in PostScript function
Syntax Error: Type mismatch in PostScript function
Floating point exception (core dumped)
CVE-2019-10021
$ pdftoppm fpe_4 out.ppm
Bogus memory allocation size
$ pdftoppm -cropbox -jpeg -freetype yes outofboundsread > out.ppm
The error stack looked the same but there was no segfault and some image data was generated.
CVE-2019-9631
$ pdftocairo -ps radamsa_716NiagaraWineTrail_opt.pdf winetrail.ps
Syntax errors, as before but no hangup.
The following test did hang though, whereas it did not for mga7.
$ pdftocairo -scale-to 200 -png radamsa_716NiagaraWineTrail_opt.pdf winetrail.png

Updated all twelve packages and checked the POC again.

CVE-2019-12293
No segfault but it aborts.  Maybe not fixed.
CVE-2019-14494
Endless loop, as in mga7 - maybe not properly fixed.
CVE-2019-9631
Hangup - not seen in mga7

So POC tests give broadly similar results with indications that some of the fixes may need to be looked at again.
Not a reason to hold this up though.

Some utility tests:

$ pdffonts PythonUnlocked.pdf
[...]
VVCFAS+Arial-BoldItalicMT            TrueType          WinAnsi          yes yes yes   1104  0

$ pdfimages PythonUnlocked.pdf unlocked
$ ls unlocked*.ppm | wc -l
27

All images displayed properly.

$ pdftohtml RustProgrammingLanguage.pdf rust.html
Page-1
Page-2
[...]
Syntax Warning: Invalid Font Weight
Page-554
$ ls rust*.html
rust.html  rust_ind.html  rusts.html
$ firefox file:///home/lcl/docs/books/rust.html
Brings up a two-frame page in browser with page index and text.  Page index works.

$ pdfseparate -f 19 -l 28 metaprogramming-ruby-2_p3_0.pdf mpr_%d
[...]
Syntax Warning: PDFDoc::markDictionnary: Found recursive dicts
$ ls mpr*
mpr_19  mpr_20  mpr_21  mpr_22  mpr_23  mpr_24  mpr_25  mpr_26  mpr_27  mpr_28

These are PDF files, one per page and can be viewed in a PDF reader.

$ pdftops mpr_22 mpr22.ps
$ gs mpr22.ps
The postscript file displays correctly.

$ pdftoppm mpr_23 mpr
Generates mpr-1.ppm which displays fine.

$ pdftocairo -jpeg mpr_24 mpr24
creates mpr24-1.jpg which looks fine in an image viewer.  Similarly :-
$ pdftocairo -png mpr_24 mpr24
$ display mpr24-1.png
The command works for TIFF format also.

This update can be sent on.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
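
The before-and-after POC run described in comments 9 and 12 (old packages, update, same files again, compare) can be scripted. The following is an added example, not code from this bug report or from the poppler project; it assumes poppler-utils and GNU coreutils `timeout` are installed and that the directory of sample PDFs is supplied by the caller:

```shell
#!/bin/sh
# Added example (not from the bug report or from poppler): scripts the
# before/after POC check of comments 9 and 12 by running each poppler tool on
# every file in a directory under a time limit and labelling the outcome as
# ok, error, crash by signal, or hang. Assumes poppler-utils and GNU `timeout`.

# Map an exit status to a label. GNU timeout exits 124 when the limit expires
# and re-raises a fatal signal, so a tool killed by signal N shows up as
# 128+N: 134 = SIGABRT (abort), 136 = SIGFPE (divide by zero), 139 = SIGSEGV.
classify_status() {
    case "$1" in
        0)   echo ok ;;
        124) echo hang ;;
        134) echo crash:SIGABRT ;;
        136) echo crash:SIGFPE ;;
        139) echo crash:SIGSEGV ;;
        12[89]|1[3-9][0-9]|2[0-5][0-9]) echo "crash:signal$(( $1 - 128 ))" ;;
        *)   echo "error:$1" ;;   # ordinary failure; 125-127 come from timeout itself
    esac
}

# Run one command under a time limit (seconds) and print its label.
# The `||` keeps a non-zero status from tripping `set -e`.
run_case() {
    limit=$1; shift
    status=0
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Exercise the tools from the test log on every PDF in $1 (time limit $2,
# default 20 s), printing one tab-separated "file tool label" line per run so
# a report taken before the update can be diffed against one taken after.
poc_report() {
    dir=$1; limit=${2:-20}
    scratch=$(mktemp -d)
    for pdf in "$dir"/*; do
        [ -f "$pdf" ] || continue
        name=$(basename "$pdf"); out="$scratch/$name"
        for tool in pdffonts pdfimages pdftohtml pdfseparate pdftops pdftoppm pdftocairo; do
            case $tool in
                pdffonts)    label=$(run_case "$limit" pdffonts "$pdf") ;;
                pdfimages)   label=$(run_case "$limit" pdfimages "$pdf" "$out-img") ;;
                pdftohtml)   label=$(run_case "$limit" pdftohtml "$pdf" "$out.html") ;;
                pdfseparate) label=$(run_case "$limit" pdfseparate "$pdf" "$out-%d.pdf") ;;
                pdftops)     label=$(run_case "$limit" pdftops "$pdf" "$out.ps") ;;
                pdftoppm)    label=$(run_case "$limit" pdftoppm "$pdf" "$out-ppm") ;;
                pdftocairo)  label=$(run_case "$limit" pdftocairo -png "$pdf" "$out-png") ;;
            esac
            printf '%s\t%s\t%s\n' "$name" "$tool" "$label"
        done
    done
    rm -rf "$scratch"
}
if [ "$#" -gt 0 ]; then poc_report "$@"; fi   # sh poc_report.sh DIR [secs] > before.txt
```

Run it once against the old packages and once after updating, then diff the two reports; `crash:SIGFPE`, `crash:SIGABRT` and `hang` are the "Floating point exception", "aborts" and "Endless loop" outcomes noted above, while `error:N` is an ordinary non-zero exit such as a syntax error.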

Comment 13 Thomas Andrews 2019-09-05 03:53:48 CEST
Validating. Suggested advisories in Comment 7 and Comment 8.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-06 18:31:37 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 14 Mageia Robot 2019-09-06 23:11:11 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0244.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 15 Mageia Robot 2019-09-06 23:11:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0245.html
