Bug 33932 - poppler new security issue CVE-2024-56378
Summary: poppler new security issue CVE-2024-56378
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-01-17 15:35 CET by Nicolas Salguero
Modified: 2025-01-24 20:46 CET (History)
2 users (show)

See Also:
Source RPM: poppler-23.02.0-1.3.mga9.src.rpm
CVE: CVE-2024-56378
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-01-17 15:35:28 CET 
Ubuntu has issued an advisory on January 16:
https://ubuntu.com/security/notices/USN-7213-1
Comment 1 Nicolas Salguero 2025-01-17 15:36:52 CET 
Fix: https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e

Status comment: (none) => Fixed upstream in 25.01.0 and patch available from upstream
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-56378
Source RPM: (none) => poppler-24.06.0-3.mga10.src.rpm, poppler-23.02.0-1.3.mga9.src.rpm

Comment 2 Nicolas Salguero 2025-01-22 14:32:49 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc. (CVE-2024-56378)

References:
https://ubuntu.com/security/notices/USN-7213-1
========================

Updated packages in core/updates_testing:
========================
lib(64)poppler126-23.02.0-1.4.mga9
lib(64)poppler-cpp0-23.02.0-1.4.mga9
lib(64)poppler-cpp-devel-23.02.0-1.4.mga9
lib(64)poppler-devel-23.02.0-1.4.mga9
lib(64)poppler-gir0.18-23.02.0-1.4.mga9
lib(64)poppler-glib8-23.02.0-1.4.mga9
lib(64)poppler-glib-devel-23.02.0-1.4.mga9
lib(64)poppler-qt5_1-23.02.0-1.4.mga9
lib(64)poppler-qt5-devel-23.02.0-1.4.mga9
lib(64)poppler-qt6_3-23.02.0-1.4.mga9
lib(64)poppler-qt6-devel-23.02.0-1.4.mga9
poppler-23.02.0-1.4.mga9

from SRPM:
poppler-23.02.0-1.4.mga9.src.rpm

Source RPM: poppler-24.06.0-3.mga10.src.rpm, poppler-23.02.0-1.3.mga9.src.rpm => poppler-23.02.0-1.3.mga9.src.rpm
Status comment: Fixed upstream in 25.01.0 and patch available from upstream => (none)
Assignee: bugsquad => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED

katnatek 2025-01-22 19:02:25 CET

Keywords: (none) => advisory

Comment 3 katnatek 2025-01-22 21:00:30 CET 
RH x86_64

The poc don't crash with the command for test :S , it produces a pbm image

installing lib64poppler-glib8-23.02.0-1.4.mga9.x86_64.rpm poppler-23.02.0-1.4.mga9.x86_64.rpm lib64poppler-qt5_1-23.02.0-1.4.mga9.x86_64.rpm lib64poppler-qt6_3-23.02.0-1.4.mga9.x86_64.rpm lib64poppler-cpp0-23.02.0-1.4.mga9.x86_64.rpm lib64poppler126-23.02.0-1.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/6: lib64poppler126       ##################################################################################################
      2/6: lib64poppler-glib8    ##################################################################################################
      3/6: poppler               ##################################################################################################
      4/6: lib64poppler-qt5_1    ##################################################################################################
      5/6: lib64poppler-qt6_3    ##################################################################################################
      6/6: lib64poppler-cpp0     ##################################################################################################
      1/6: removing lib64poppler-cpp0-23.02.0-1.3.mga9.x86_64
                                 ##################################################################################################
      2/6: removing lib64poppler-qt6_3-23.02.0-1.3.mga9.x86_64
                                 ##################################################################################################
      3/6: removing lib64poppler-qt5_1-23.02.0-1.3.mga9.x86_64
                                 ##################################################################################################
      4/6: removing poppler-23.02.0-1.3.mga9.x86_64
                                 ##################################################################################################
      5/6: removing lib64poppler-glib8-23.02.0-1.3.mga9.x86_64
                                 ##################################################################################################
      6/6: removing lib64poppler126-23.02.0-1.3.mga9.x86_64
                                 ##################################################################################################

same result with the test of poc with the updated packages

Reference bug#33298 comment#2

pdftohtml works as described

Let to you Thomas decide if is OK and must be validated

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2025-01-24 01:09:33 CET 
Validating.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2025-01-24 20:46:47 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0022.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.