RedHat has issued an advisory on September 10:
https://access.redhat.com/errata/RHSA-2019:2713

CVE-2019-9959 is fixed in 0.79 (so Cauldron is fine), but I don't have information on a fix for CVE-2019-10871.

Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Poppler has no registered maintainer, so assigning globally.
Assignee: bugsquad => pkg-bugs
Hi,

Version 0.79 is affected by CVE-2019-10871. poppler-0.79.0-2.mga8 solves the problem for Cauldron.

Best regards,

Nico.
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo. (CVE-2019-9959)

An issue was discovered in Poppler 0.74.0. There is a heap-based buffer over-read in the function PSOutputDev::checkPageSlice at PSOutputDev.cc. (CVE-2019-10871)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10871
https://access.redhat.com/errata/RHSA-2019:2713
========================

Updated packages in 6/core/updates_testing:
========================
poppler-0.52.0-3.14.mga6
lib(64)poppler66-0.52.0-3.14.mga6
lib(64)poppler-devel-0.52.0-3.14.mga6
lib(64)poppler-cpp0-0.52.0-3.14.mga6
lib(64)poppler-qt4-devel-0.52.0-3.14.mga6
lib(64)poppler-qt5-devel-0.52.0-3.14.mga6
lib(64)poppler-qt4_4-0.52.0-3.14.mga6
lib(64)poppler-qt5_1-0.52.0-3.14.mga6
lib(64)poppler-glib8-0.52.0-3.14.mga6
lib(64)poppler-gir0.18-0.52.0-3.14.mga6
lib(64)poppler-glib-devel-0.52.0-3.14.mga6
lib(64)poppler-cpp-devel-0.52.0-3.14.mga6

from SRPMS:
poppler-0.52.0-3.14.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
poppler-0.74.0-3.2.mga7
lib(64)poppler85-0.74.0-3.2.mga7
lib(64)poppler-devel-0.74.0-3.2.mga7
lib(64)poppler-cpp0-0.74.0-3.2.mga7
lib(64)poppler-qt5-devel-0.74.0-3.2.mga7
lib(64)poppler-qt5_1-0.74.0-3.2.mga7
lib(64)poppler-glib8-0.74.0-3.2.mga7
lib(64)poppler-gir0.18-0.74.0-3.2.mga7
lib(64)poppler-glib-devel-0.74.0-3.2.mga7
lib(64)poppler-cpp-devel-0.74.0-3.2.mga7

from SRPMS:
poppler-0.74.0-3.2.mga7.src.rpm
QA Contact: (none) => security
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2019-9959, CVE-2019-10871
Version: Cauldron => 7
Component: RPM Packages => Security
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
mga7, x86_64

Upgraded poppler packages to the release version (3.1) and checked for reproducers.

CVE-2019-9959
https://bugzilla.redhat.com/show_bug.cgi?id=1732340
The PoC file is a PDF but there are no instructions on how to run it to trigger the integer overflow. It displays what looks like an image with tiles containing random data.
$ pdftops raiter_issue5465.pdf /dev/null
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Internal Error: xref num 5 not found but needed, try to reconstruct<0a>
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Out of memory
Aborted (core dumped)

CVE-2019-10871
https://gitlab.freedesktop.org/poppler/poppler/issues/751
Heap buffer overflow. Extracted poc file from the archive file.
$ pdftops -level1sep 'PSOutputDev::checkPageSlice@PSOutputDev.cc:3468-23___heap-buffer-overflow' /dev/null
$
This may have been fixed in the last update. It seems to be an old issue.

All packages updated cleanly.

CVE-2019-9959
$ pdftops raiter_issue5465.pdf /dev/null
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Internal Error: xref num 5 not found but needed, try to reconstruct<0a>
Syntax Error (339): Dictionary key must be a name object
No abort - good result.

The poc for the other CVE produced no errors, as before. poc file renamed.
$ pdftops -level1sep poc_hbo test.ps
$ gs test.ps
The test.ps output displayed as an image like a large uppercase L, matching the content of the poc file.

Ran tests of pdffonts, pdfimages, pdfto{html,ppm,ps,cairo}, pdfseparate against local files with no problems. All output as expected.

Good for 64 bits.
CC: (none) => tarazed25
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
mga6, x86_64

All packages already installed as a result of an earlier QA test. Tried the POC as reported in comment 4.

CVE-2019-9959
$ pdftops raiter_issue5465.pdf /dev/null
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Internal Error: xref num 5 not found but needed, try to reconstruct<0a>
Syntax Error (339): Dictionary key must be a name object
Syntax Error (342): Dictionary key must be a name object
Out of memory
Note, no core dump.

CVE-2019-10871
$ pdftops -level1sep poc_hbo test.ps
$ gs test.ps
This showed an image of two L's in white on a black background; i.e. the image was not rendered correctly.

12 packages updated.

CVE-2019-9959
$ pdftops raiter_issue5465.pdf /dev/null
Same result as before the update. Tidy exit, so this had probably been fixed already.

CVE-2019-10871
$ pdftops -level1sep poc_hbo test.ps
gs showed that test.ps looked the same as the source image, indicating that something had been fixed.

Ran similar tests to those in comment 4 to show that the utilities work OK. No problems.

So this update is OK.
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK
Validating. Suggested advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0276.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED