Bug 32242 - poppler new security issues CVE-2020-3602[34]
Summary: poppler new security issues CVE-2020-3602[34]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-05 08:58 CEST by Nicolas Salguero
Modified: 2023-09-11 15:10 CEST
CC List: 6 users

See Also:
Source RPM: poppler-20.12.1-1.3.mga8.src.rpm
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2023-09-05 08:58:06 CEST
Ubuntu has issued an advisory on August 17:
https://ubuntu.com/security/notices/USN-6299-1

The issues are fixed upstream in 21.01.0 so only Mageia 8 is affected.
Nicolas Salguero 2023-09-05 08:58:51 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 21.01.0
Source RPM: (none) => poppler-20.12.1-1.3.mga8.src.rpm

Comment 1 Nicolas Salguero 2023-09-05 13:49:29 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An issue was discovered in freedesktop poppler version 20.12.1 that allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file passed to the FoFiType1C::cvtGlyph function. (CVE-2020-36023)

An issue was discovered in freedesktop poppler version 20.12.1 that allows remote attackers to cause a denial of service (DoS) via a crafted .pdf file passed to the FoFiType1C::convertToType1 function. (CVE-2020-36024)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36024
https://ubuntu.com/security/notices/USN-6299-1
========================

Updated packages in core/updates_testing:
========================
lib(64)poppler105-20.12.1-1.4.mga8
lib(64)poppler-cpp0-20.12.1-1.4.mga8
lib(64)poppler-cpp-devel-20.12.1-1.4.mga8
lib(64)poppler-devel-20.12.1-1.4.mga8
lib(64)poppler-gir0.18-20.12.1-1.4.mga8
lib(64)poppler-glib8-20.12.1-1.4.mga8
lib(64)poppler-glib-devel-20.12.1-1.4.mga8
lib(64)poppler-qt5_1-20.12.1-1.4.mga8
lib(64)poppler-qt5-devel-20.12.1-1.4.mga8
poppler-20.12.1-1.4.mga8

from SRPM:
poppler-20.12.1-1.4.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => nicolas.salguero

Nicolas Salguero 2023-09-05 15:22:53 CEST

Status comment: Fixed upstream in 21.01.0 => (none)
Assignee: nicolas.salguero => qa-bugs

PC LX 2023-09-06 11:16:36 CEST

CC: (none) => mageia

Comment 2 Herman Viaene 2023-09-07 11:15:32 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 30805 for testing

$ pdftohtml handleidingVM.pdf testpoppler.html
Page-1
Page-2
Page-3
Page-4
Page-5
Page-6
Page-7
Page-8
Page-9
 link to page 6 Page-10
Page-11
Page-12
Opened correctly in Firefox with a page index as a left-hand column of links and the text and graphics to the right.
[tester8@mach7 Documents]$ pdftotext handleidingVM.pdf VM.txt
Opened with mousepad and the text is complete, with indicators where graphical items occurred in the original document.
Good to go.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2023-09-08 22:21:26 CEST
Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-09-11 03:00:42 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2023-09-11 15:10:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0262.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
