** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date ** Braden Thomas and Drew Yao of Apple Product Security discovered multiple security issues in the JBIG2 decoding of Poppler/Xpdf: CVE-2009-0165: g*allocn integer overflow that probably only affects Mac OS X CVE-2009-0146: buffer overflows in JBIG2SymbolDict::setBitmap and JBIG2Stream::readSymbolDictSeg CVE-2009-0147: integer overflows in JBIG2Stream::readSymbolDictSeg, JBIG2Stream::readSymbolDictSeg and JBIG2Stream::readGenericBitmap CVE-2009-0166: JBIG2SymbolDict::~JBIG2SymbolDict uninitialized free() that does not affect Mac OS X but may affect others
Apple provided reproducers and patches, however these are still being discussed upstream.
Created attachment 187052 [details] xpdf-3.02pl3.patch Xpdf upstream's patch.
Created attachment 187053 [details] poppler-0.10.5-xpdf-3.02pl3.patch I ported the Xpdf patch to poppler. Three of the NULL dereference errors fixed in xpdf have previously been fixed in poppler as well, and there are other places needed manual merging.
bug 263028: * app-text/poppler bug 264601: * app-text/tetex * app-text/texlive-core * app-text/ptex bug 264603: * app-office/kword * app-office/koffice * kde-base/kpdf * kde-base/kdegraphics
embargo has been pushed back to 2009-04-16. I have been running with a patched version of poppler since I posted the patch here, and have noticed no failures in evince yet. dang/loki, are you planning to participate in the prestable testing?
Correct me if I'm wrong, but there's nothing specific to do for evince, yes? If so, it'll have to be up to loki to do the popper bump, since I'm not up on the various real/virtual and lib splitup transitions going on right now, so I'd probably break something.
Created attachment 187488 [details, diff] poppler-0.10.5-xpdf-3.02pl3.patch The patch upstream is going to apply, only minor differences from the port posted above. But since we are not yet prestable testing, we can use this copy.
Created attachment 187498 [details] dev-libs/poppler-0.10.5-r1 Ebuild for upstream patch.
Created attachment 187506 [details] app-text/poppler-0.10.5-r1 Stabling dev-libs/poppler and GLSAing it proves to be too much of a bother due to the mechanics of GLSAing not having provided very well for a transition such as the one poppler is in at the moment. app-text/poppler-0.10.5-r1 is the package we will be requesting to be stabled, so that's the one arch liaisons should test. I'll be pushing for dev-libs/poppler stabilization later independently of this bug.
Peter, thanks for considering the shortcomings of actually not the GLSA format, but the tools working with them. Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : armin76, klausman amd64 : keytoaster, tester hppa : jer ppc : josejx, ranger ppc64 : josejx, ranger sparc : fmccor x86 : armin76, maekke
On sparc, builds and installs as expected, xpdf and evince appear to work fine. Utilities (pdfinfo, pdftops, ...) work as well.
ppc and ppc64 likey
Created attachment 187654 [details, diff] poppler-0.10.5-xpdf-3.02pl3.patch Additional invalid free() calls are fixed in this patch. Since we have a few days left, it'd be great to run additional tests.
Sparc is still good. I note, however, that a version bump for poppler will need several other upgrades. It seems that poppler-bindings virtual/poppler, virtual/poppler-utils all need to bump to -0.10.5, otherwise portage insists on downgrading poppler to -0.10.4 (things like cups want virtual/poppler-utils or virtual/poppler, and the versions of those are tied to the underlying poppler version. Similarly so is the version of poppler-bindings tied.)
HPPA appears OK.
This is now public. Please commit with the stable keywords gathered in this bug. and also, amd64 stable, I have been running the version for weeks without an issue. Furtheremore, new CVEs have arisen. CVE-2009-1187 and CVE-2009-1188 handle additional integer overflows in CairoOutputDev and SplashBitmap. poppler upstream is pushing updates into git, so we might want to fix those via version bumps.
Created attachment 188617 [details, diff] poppler-CVE-2009-1187.patch
Created attachment 188619 [details, diff] poppler-CVE-2009-1188.patch
poppler 0.10.6 is released containing all fixes referenced in this bug.
Ebuilds in tree, but no need to do all this twice. 0.10.6 will be a stable target for the split poppler stuff, so I'd like to avoid bumping app-text/poppler{,-bindings} to that version. Arches, please test and mark stable: app-text/poppler-bindings-0.10.5-r1 app-text/poppler-0.10.5-r1 virtual/poppler-glib-0.10.5 virtual/poppler-0.10.5 virtual/poppler-qt3-0.10.5 virtual/poppler-qt4-0.10.5 virtual/poppler-utils-0.10.5 amd64, sparc, ppc, ppc64 and hppa; all you've got to approve are the two tiny patches for 1188 and 1187. I still haven't arsed myself to fix bug 239556, so you need a UTF-8 locale to get tests to pass.
Stable for HPPA.
amd64/x86 stable
ppc and ppc64 done
When building with USE="cairo gtk qt3 qt4", app-text/poppler-bindings-0.10.5-r1 fails thusly during tests on alpha: libtool: link: alpha-unknown-linux-gnu-g++ -Wall -Wno-write-strings -mieee -pipe -O2 -mcpu=ev67 -Wl,-O1 -o .libs/test-poppler-qt4 test-poppler-qt4.o -pthread ../../qt4/src/.libs/libpoppler-qt4.so -L/usr/lib/qt4 -L/usr/X11R6/lib -lpoppler /usr/lib/qt4/libQtGui.so /usr/lib/libpng12.so /usr/lib/libSM.so -luuid /usr/lib/libICE.so /usr/lib/libXrandr.so /usr/lib/libXrender.so /usr/lib/libfontconfig.so /usr/lib/libfreetype.so /usr/lib/libexpat.so /usr/lib/libXext.so /usr/lib/libX11.so /usr/lib/libxcb-xlib.so /usr/lib/libxcb.so /usr/lib/libXau.so /usr/lib/libXdmcp.so /usr/lib/qt4/libQtXml.so /usr/lib/qt4/libQtCore.so -lz -lm /usr/lib/libgthread-2.0.so -lrt /usr/lib/libglib-2.0.so -lpthread -ldl -pthread libtool: link: alpha-unknown-linux-gnu-g++ -Wall -Wno-write-strings -mieee -pipe -O2 -mcpu=ev67 -Wl,-O1 -o .libs/stress-poppler-qt4 stress-poppler-qt4.o -pthread ../../qt4/src/.libs/libpoppler-qt4.so -L/usr/lib/qt4 -L/usr/X11R6/lib -lpoppler /usr/lib/qt4/libQtGui.so /usr/lib/libpng12.so /usr/lib/libSM.so -luuid /usr/lib/libICE.so /usr/lib/libXrandr.so /usr/lib/libXrender.so /usr/lib/libfontconfig.so /usr/lib/libfreetype.so /usr/lib/libexpat.so /usr/lib/libXext.so /usr/lib/libX11.so /usr/lib/libxcb-xlib.so /usr/lib/libxcb.so /usr/lib/libXau.so /usr/lib/libXdmcp.so /usr/lib/qt4/libQtXml.so /usr/lib/qt4/libQtCore.so -lz -lm /usr/lib/libgthread-2.0.so -lrt /usr/lib/libglib-2.0.so -lpthread -ldl -pthread /usr/lib/qt4/libQtGui.so: undefined reference to `QDateTimeParser::parse(QString const&, QDateTime const&, bool) const' collect2: ld returned 1 exit status distcc[8073] ERROR: compile (null) on localhost failed make[3]: *** [test-poppler-qt4] Error 1 make[3]: *** Waiting for unfinished jobs.... /usr/lib/qt4/libQtGui.so: undefined reference to `QDateTimeParser::parse(QString const&, QDateTime const&, bool) const' collect2: ld returned 1 exit status distcc[8117] ERROR: compile (null) on localhost failed make[3]: *** [stress-poppler-qt4] Error 1 make[3]: Leaving directory `/var/tmp/portage/app-text/poppler-bindings-0.10.5-r1/work/poppler-0.10.5/qt4/tests' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/var/tmp/portage/app-text/poppler-bindings-0.10.5-r1/work/poppler-0.10.5/qt4' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/var/tmp/portage/app-text/poppler-bindings-0.10.5-r1/work/poppler-0.10.5' make: *** [all] Error 2 # emerge --info Portage 2.1.6.11 (default/linux/alpha/2008.0, gcc-4.3.3, glibc-2.9_p20081201-r2, 2.6.30-rc2 alpha) ================================================================= System uname: Linux-2.6.30-rc2-alpha-EV68AL-with-glibc2.0 Timestamp of tree: Sat, 18 Apr 2009 14:15:01 +0000 distcc 3.1 alpha-unknown-linux-gnu [enabled] app-shells/bash: 4.0_p10-r1 dev-lang/python: 2.4.4-r15, 2.5.4-r2 dev-util/cmake: 2.6.3 sys-apps/baselayout: 2.0.0 sys-apps/openrc: 0.4.3-r1 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63 sys-devel/automake: 1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.19.1-r1 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6a virtual/os-headers: 2.6.28-r1 ACCEPT_KEYWORDS="alpha ~alpha" CBUILD="alpha-unknown-linux-gnu" CFLAGS="-mieee -pipe -O2 -mcpu=ev67" CHOST="alpha-unknown-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/qmail/alias /var/qmail/control" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-mieee -pipe -O2 -mcpu=ev67" DISTDIR="/usr/portage/distfiles" FEATURES="distcc distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans usepkg userfetch userpriv usersandbox" GENTOO_MIRRORS="http://gentoo.tiscali.nl/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/" LC_ALL="en_US.utf8" LDFLAGS="-Wl,-O1" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync5.de.gentoo.org/gentoo-portage" USE="X acl alpha alsa apache2 audiofile bash-completion berkdb bzip2 calendar cdparanoia cdr cli cracklib crypt dio dri encode ethereal exif ffmpeg fftw firefox flac fortran ftp gdbm gpm iconv imlib2 isdnlog jpeg kdeenablefinal libcaca lua mad matroska midi mmap mng moznocompose moznoirc moznomail mozsvg mpeg mudflap ncurses network-cron nls nptl nptlonly offensive ogg openmp pam pcre pdflib perl png pnm ppds pppd python rar readline recode reflection session sharedmem sockets sox spl ssl svg sysfs szip tcpd tetex theora truetype unicode usb v4l v4l2 vcd vidix vim vim-pager vlm vorbis xcb xorg xosd xpm xvid zlib" ALSA_CARDS="ali5451 als4000 bt87x ca0106 cmipci emu10k1 ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 maestro3 trident usb-audio via82xx ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="vga glint mga nvidia vesa r128 " Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS LC_ALL is en_US.utf8
All of them stable on alpha. ("bug" was a shlib with missing deps)
arm/ia64/s390/sh/sparc stable
GLSA request filed.
CVE-2009-0146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0146): Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. CVE-2009-0147 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0147): Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap. CVE-2009-0165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0165): Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, as used in Poppler and other products, when running on Mac OS X, has unspecified impact, related to "g*allocn." CVE-2009-0166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0166): The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory. CVE-2009-1187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1187): Integer overflow in the JBIG2 decoding feature in Poppler before 0.10.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to CairoOutputDev (CairoOutputDev.cc). CVE-2009-1188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1188): Integer overflow in the JBIG2 decoding feature in Poppler before 0.10.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to SplashBitmap (splash/SplashBitmap.cc).
CVE-2009-0195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0195): Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9, and probably other products, allows remote attackers to execute arbitrary code via a PDF file with crafted JBIG2 symbol dictionary segments. CVE-2009-0799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0799): The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read. CVE-2009-0800 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0800): Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. CVE-2009-1179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1179): Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file. CVE-2009-1180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1180): The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data. CVE-2009-1181 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1181): The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference. CVE-2009-1182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1182): Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file. CVE-2009-1183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1183): The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file.
The most recent stable we have in portage is app-text/poppler-0.12.3-r3
Oldest version in portage is 0.14.5-r1 Nothing to do for printing here anymore.
Will anyone still read this GLSA if it ever comes out? Come on, stable is poppler-0.20 by now.
This issue was resolved and addressed in GLSA 201310-03 at http://security.gentoo.org/glsa/glsa-201310-03.xml by GLSA coordinator Sean Amoss (ackle).
