Bug 30690 - poppler new security issue CVE-2022-27337
Summary: poppler new security issue CVE-2022-27337
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-01 17:26 CEST by David Walser
Modified: 2022-08-13 04:33 CEST
6 users

See Also:
Source RPM: poppler-20.12.1-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-08-01 17:26:45 CEST
Fedora has issued an advisory on July 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KOTDUXJOKDYO4I7MKHLT5NBGTN5E7FHQ/

The issue is fixed upstream in 22.04.0.
David Walser 2022-08-01 17:26:59 CEST

Status comment: (none) => Fixed upstream in 22.04.0

Comment 1 Marja Van Waes 2022-08-02 13:37:21 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Jani Välimaa 2022-08-11 20:36:57 CEST
Pushed poppler-20.12.1-1.1.mga8 to mga core/updates_testing.

CC: (none) => jani.valimaa
Assignee: pkg-bugs => qa-bugs

Comment 3 David Walser 2022-08-11 23:50:40 CEST
libpoppler105-20.12.1-1.1.mga8
poppler-20.12.1-1.1.mga8
libpoppler-devel-20.12.1-1.1.mga8
libpoppler-qt5_1-20.12.1-1.1.mga8
libpoppler-glib-devel-20.12.1-1.1.mga8
libpoppler-glib8-20.12.1-1.1.mga8
libpoppler-gir0.18-20.12.1-1.1.mga8
libpoppler-cpp0-20.12.1-1.1.mga8
libpoppler-qt5-devel-20.12.1-1.1.mga8
libpoppler-cpp-devel-20.12.1-1.1.mga8

from poppler-20.12.1-1.1.mga8.src.rpm

Status comment: Fixed upstream in 22.04.0 => (none)

Comment 4 Len Lawrence 2022-08-12 01:28:08 CEST
mga8, x64
Updated all the packages and repeated tests used in earlier bugs.
$ urpmq --whatrequires lib64poppler105 | uniq
calligra-stage
calligra-words
gambas3-gb-pdf
gambas3-gb-poppler
inkscape
lib64gdal27
lib64kpimitinerary5
lib64poppler-cpp0
lib64poppler-devel
lib64poppler-gir0.18
lib64poppler-glib8
lib64poppler-qt5_1
lib64poppler105
libreoffice-pdfimport
openboard
pdf2djvu
poppler
scribus
texlive

$ pdffonts PythonCookbook_2.pdf
Helvetica                            Type 1            WinAnsi          no  no  no   10008  0
....
$ pdftohtml PythonCookbook_2.pdf python.html
$ ll *.html
-rw-r--r-- 1 lcl lcl     518 Aug 11 23:16 python.html
-rw-r--r-- 1 lcl lcl   54126 Aug 11 23:16 python_ind.html
-rw-r--r-- 1 lcl lcl 3551556 Aug 11 23:16 pythons.html
Displayed the whole book with page index in a browser.  All OK.
Extracted 6900 images from a PDF file.
$ pdfimages AN_2021_May.pdf AN
$ display AN-6845.ppm
Picture of a finder scope.
Extracted several consecutive pages from a book.
$ pdfseparate -f 3 -l 10 something.pdf page_%d
$ file page_3
page_3: PDF document, version 1.4
All the pages could be read.
$ pdftops page_4 page4.ps
The PostScript file looked fine in gs.
$ pdftoppm page_5 page
generates page-1.ppm which can be displayed.
$ pdftocairo -jpeg page_7 page7
-> page7-1.jpg
$ pdftocairo -tiff page_8 page8
$ tiffgt page8-1.tif
OK and PNG format works as well.
$ strace -o lo.trace libreoffice RustProgrammingLanguage.pdf
That invoked LO draw - took some time to display the front cover but it worked fine.  The assumption was that libreoffice-pdfimport would be used and thence poppler but there was no sign of poppler in the trace file.  libpoppler is listed in the requires for libreoffice-pdfimport.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2022-08-12 01:39:08 CEST
$ strace -o djvu.trace pdf2djvu -o test.djv module_cheat_sheet.pdf
module_cheat_sheet.pdf:
- page #1 -> #1
0.021 bits/pixel; 6.079:1, 83.55% saved, 136259 bytes in, 22416 bytes out
$ grep poppler djvu.trace
openat(AT_FDCWD, "/lib64/libpoppler.so.105", O_RDONLY|O_CLOEXEC) = 3

It is used there anyway.  Giving this a pass.

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-08-12 02:36:55 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-08-12 22:04:59 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-08-13 04:33:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0282.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

