Bug 32600 - poppler new security issue CVE-2023-34872
Summary: poppler new security issue CVE-2023-34872
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-12-06 16:46 CET by Nicolas Salguero
Modified: 2023-12-16 23:15 CET

See Also:
Source RPM: poppler-23.02.0-1.mga9.src.rpm
CVE: CVE-2023-34872
Status comment:



Description Nicolas Salguero 2023-12-06 16:46:55 CET
Fedora has issued an advisory today (December 6):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQ3NYJ43U2MA7COKGMJDARZUAAOP45D4/

Nicolas Salguero 2023-12-06 16:47:40 CET

Status comment: (none) => Patch available from Fedora
Source RPM: (none) => poppler-23.02.0-1.mga9.src.rpm

Comment 1 Lewis Smith 2023-12-10 21:36:16 CET
I think this is the patch URL (from the header URL):
https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe

Assigning globally because poppler has no listed maintainer; but CC'ing wally who has done most of its updates.

Assignee: bugsquad => pkg-bugs
CC: (none) => jani.valimaa
URL: (none) => https://bugzilla.redhat.com/show_bug.cgi?id=2227884

Comment 2 Nicolas Salguero 2023-12-12 11:57:46 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote attacker to cause a Denial of Service (DoS) (crash) via a crafted PDF file in OutlineItem::open. (CVE-2023-34872)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34872
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JQ3NYJ43U2MA7COKGMJDARZUAAOP45D4/
========================

Updated packages in core/updates_testing:
========================
lib(64)poppler-cpp-devel-23.02.0-1.1.mga9
lib(64)poppler-cpp0-23.02.0-1.1.mga9
lib(64)poppler-devel-23.02.0-1.1.mga9
lib(64)poppler-gir0.18-23.02.0-1.1.mga9
lib(64)poppler-glib-devel-23.02.0-1.1.mga9
lib(64)poppler-glib8-23.02.0-1.1.mga9
lib(64)poppler-qt5-devel-23.02.0-1.1.mga9
lib(64)poppler-qt5_1-23.02.0-1.1.mga9
lib(64)poppler-qt6-devel-23.02.0-1.1.mga9
lib(64)poppler-qt6_3-23.02.0-1.1.mga9
lib(64)poppler126-23.02.0-1.1.mga9
poppler-23.02.0-1.1.mga9

from SRPM:
poppler-23.02.0-1.1.mga9.src.rpm

Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Marja Van Waes 2023-12-12 12:32:43 CET

CC: (none) => marja11
CVE: (none) => CVE-2023-34872

Comment 3 Marja Van Waes 2023-12-12 12:59:22 CET
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Comment 4 Len Lawrence 2023-12-12 18:57:10 CET
Mageia9, x86_64
Made sure that all the 23.02.0-1 packages were installed (dragging in a lot of dependencies).
Ran a cursory test to see that some of the packages work:
$ pdftohtml PythonCookbook_2.pdf python.html
$ less python.html:
<!DOCTYPE html>
<html>
<head>
<title>Python Cookbook</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="generator" content="pdftohtml 0.36"/>
<meta name="author" content="Alex Martelli"/>
<meta name="keywords" content="www.it-ebooks.info"/>
<meta name="date" content="2013-05-17T13:02:03+00:00"/>
<meta name="subject" content="IT eBooks"/>
</head>
<frameset cols="100,*">
....
$ firefox python.html
<That showed the contents in the browser>
Pasted this into the qarepo panel:
lib64poppler-cpp-devel-23.02.0-1.1.mga9
lib64poppler-cpp0-23.02.0-1.1.mga9
lib64poppler-devel-23.02.0-1.1.mga9
lib64poppler-gir0.18-23.02.0-1.1.mga9
lib64poppler-glib-devel-23.02.0-1.1.mga9
lib64poppler-glib8-23.02.0-1.1.mga9
lib64poppler-qt5-devel-23.02.0-1.1.mga9
lib64poppler-qt5_1-23.02.0-1.1.mga9
lib64poppler-qt6-devel-23.02.0-1.1.mga9
lib64poppler-qt6_3-23.02.0-1.1.mga9
lib64poppler126-23.02.0-1.1.mga9
poppler-23.02.0-1.1.mga9

and hit update, then:
$ MageiaUpdate
All done.
Successfully repeated the pdftohtml test on another e-book.
$ pdftohtml RustProgrammingLanguage.pdf rust.html
and displayed the pages in Firefox.
$ pdfimages AN_2023_September.pdf AN
$ ls AN-*
[...]
AN-2076.ppm             AN-4058.ppm  AN-603.ppm   AN-8021.ppm
$ ls AN-*.ppm | wc -l
10893

Used eom to display images at random.  All looked fine but most of them were trivial.
Separated out several pages from another book:
$ pdfseparate -f 3 -l 10 TheGoProgrammingLanguage.pdf page_%d
$ ls page_*
page_10  page_3  page_4  page_5  page_6  page_7  page_8  page_9
$ file page_4
page_4: PDF document, version 1.6, 1 pages
$ okular page_*
showed the pages correctly.
$ pdftops page_4 page4.ps
$ gs page4.ps
showed the title page.
$ pdftoppm page_5 page
generates page-1.ppm, which displays OK in eom.
$ pdftocairo -jpeg page_7 page7
generates page7-1.jpg.
$ pdftocairo -tiff page_8 page8
$ display page8-1.tif
Fine.

Installed djvulibre and exercised pdf2djvu.
$ strace -o djvu.trace pdf2djvu -o test.djv module_cheat_sheet.pdf
module_cheat_sheet.pdf:
- page #1 -> #1
0.021 bits/pixel; 6.081:1, 83.55% saved, 136259 bytes in, 22408 bytes out
$ grep poppler djvu.trace
openat(AT_FDCWD, "/lib64/libpoppler.so.126", O_RDONLY|O_CLOEXEC) = 3

OK for Mageia9, 64-bit.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK

Comment 5 Len Lawrence 2023-12-12 22:15:23 CET
Rider to comment #4:
Apologies for not researching the PoC.
Before update test can no longer be done but afterwards the application behaves itself with the malformed file.

CVE-2023-34872
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399

This is said to affect pdftohtml.
After the update:
$ pdftohtml crash crash.html
Page-1
Page-2
Page-3
Syntax Error (6095): Illegal character ')'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
....

The output document looks like valid HTML and does display correctly in a browser.
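
Added example, not part of the original comment or of Mageia's QA tooling: one way to script the check described in comment 5, telling a signal-induced crash (the DoS condition) apart from a tool that merely reports syntax errors on a malformed file. The function names `classify_run` and `check_pdf` and the 30-second limit are assumptions; GNU `timeout` is required.

```shell
#!/bin/sh
# Added example: function names and the 30-second limit are assumptions.

# classify_run LIMIT CMD [ARGS...]
# Runs CMD under GNU timeout and prints how it ended:
#   clean  - exit status 0
#   error  - non-zero exit: the tool rejected the input on its own terms
#   crash  - killed by a signal (status above 128, e.g. 139 = SIGSEGV)
#   hang   - still running after LIMIT seconds (timeout exits 124)
#   notrun - timeout could not start CMD (status 125, 126 or 127)
classify_run() {
    limit=$1; shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)           echo clean ;;
        124)         echo hang ;;
        125|126|127) echo notrun ;;
        *)  if [ "$rc" -gt 128 ]; then echo crash; else echo error; fi ;;
    esac
}

# check_pdf FILE [TOOL]
# Converts FILE with TOOL (default: pdftohtml) into a scratch directory.
# Returns 0 if the tool survived the input (clean or error), 1 on crash
# or hang, 2 if the tool could not be run at all.
check_pdf() {
    file=$1; tool=${2:-pdftohtml}
    work=$(mktemp -d) || return 2
    result=$(classify_run 30 "$tool" "$file" "$work/out.html")
    rm -rf "$work"
    echo "$tool $file: $result"
    case $result in
        clean|error) return 0 ;;
        notrun)      return 2 ;;
        *)           return 1 ;;
    esac
}

# Stand-alone use: sh check_pdf.sh crash [pdftohtml]
if [ "$#" -gt 0 ]; then check_pdf "$@"; fi
```

Statuses 124 to 127 and anything above 128 are interpreted by shell convention, so a tool that uses those values for its own error codes would be misclassified.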

Comment 6 Thomas Andrews 2023-12-13 01:10:49 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Morgan Leijström 2023-12-14 21:56:27 CET
mga9-64 Clean update and works.

I could not figure out where to get that "crash" test file from.

CC: (none) => fri

Comment 8 Len Lawrence 2023-12-14 22:17:39 CET
Sorry.  I quoted the CVE number and posted one of the links you find when you follow the CVE link.  Very often there is useful information to be found when the link contains the string 'issue'.

Following that link showed a further link to the crash file.  Just right-click on it and download.  There were no instructions about how to handle the file so 'pdftohtml' was a bit of a guess.

Comment 9 Len Lawrence 2023-12-14 22:21:58 CET
Not so much of a guess when the page is entitled "Crash in pdftohtml".

Comment 10 Mageia Robot 2023-12-16 23:15:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0348.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

