Bug 308017 (CVE-2009-3938) - <app-text/poppler-{0.14.5-r1,0.16.3-r1}: Code execution vulnerability via crafted PDF (CVE-2009-3938)
Status: RESOLVED FIXED
Alias: CVE-2009-3938
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://bugs.freedesktop.org/show_bug....
Whiteboard: B2 [glsa]
Reported: 2010-03-06 14:40 UTC by Stefan Behte (RETIRED)
Modified: 2013-10-06 16:08 UTC (History)

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:40:24 UTC
CVE-2009-3938 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3938):
  Buffer overflow in the ABWOutputDev::endWord function in
  poppler/ABWOutputDev.cc in Poppler (aka libpoppler) 0.10.6, 0.12.0,
  and possibly other versions, as used by the Abiword pdftoabw utility,
  allows user-assisted remote attackers to cause a denial of service
  and possibly execute arbitrary code via a crafted PDF file.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:43:06 UTC
For some reason, I do not see this patch for CVE-2009-3938 in poppler-0.12.4!
http://bugs.freedesktop.org/attachment.cgi?id=30599&action=edit

@herds: please advise/prepare a new ebuild/bump it.
Comment 2 Maciej Mrozowski gentoo-dev 2010-05-03 18:02:28 UTC
"Albert Astals Cid 2010-03-24 13:21:18 PDT
Well, it seems that Vincent wasn't really sure the patch was correct and no one
is really really interested in fixing the code so it has not been committed.

So well, if you guys want i can commit it, i really do not have an opinion, not
sure if anyone really uses that code."
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2010-09-26 12:22:20 UTC
@security: So what's gonna happen with this bug?! :)
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 10:48:50 UTC
Sounds like we have a problem here.

There is an upstream patch at https://bugs.freedesktop.org/attachment.cgi?id=30599 but the upstream itself isn't sure whether it's good, and they seem not to have committed it to their repo.

Is it possible to rip out the vulnerable part of the library? I guess masking poppler is not really an option.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2011-04-03 18:25:41 UTC
From upstream:

Albert Astals Cid 2011-03-22 15:50:25 PDT
pdftoabw was just removed from poppler as it was unmaintained so this won't be
fixed. Sorry. If you were using it, this is the moment to step up and be its
maintainer.

Seems like the problem will solve itself (but in which version?)
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2011-04-12 22:49:04 UTC
From the poppler homepage:

The latest unstable release is Poppler 0.17.0 (0.18 Alpha) poppler-0.17.0.tar.gz, released on Mar 30, 2011:
        core:
         [...]
         * Remove abiword output device

        utils:
         [...]
         * pdftoabw has been removed
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-04-13 03:42:37 UTC
(In reply to comment #6)
> From the poppler homepage:
> 
> The latest unstable release is Poppler 0.17.0 (0.18 Alpha)
> poppler-0.17.0.tar.gz, released on Mar 30, 2011:
>         core:
>          [...]
>          * Remove abiword output device
> 
>         utils:
>          [...]
>          * pdftoabw has been removed

Great, thank you.

@kde, @printing, Maciej, is 0.17.0 something we can add to the tree and stabilize? Thank you.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2011-04-13 21:36:20 UTC
Alternative suggestion, given that poppler is one of these more tricky packages breaking reverse-deps. 

Building the abiword backend is controlled by a useflag and a cmake switch. How about just force-disabling this? Should be possible with both current stable and ~arch.

The functionality will disappear anyway...

(Disclaimer- I'm looking at the internals of this package for the very first time now...)
Comment 9 Maciej Mrozowski gentoo-dev 2011-04-14 00:59:37 UTC
Odd numbers are for unstable poppler releases, so 0.17.0 is what kernels 2.5.x used to be, so no, cannot be stabilized.

I prefer removing abiword USE flag and passing -DENABLE_ABIWORD=OFF to mycmakeargs.

Unfortunately I cannot fix it myself since my Linux box is broken for over a week and one of new hardware replacements - Asus p8p67 deluxe 3.0 - appeared to have buggy HW/SW/whatever and hangs in POST when connected to my WD2500YS disks so my Gentoo break-off will take a little longer...
Comment 10 Andreas K. Hüttel archtester gentoo-dev 2011-04-14 19:16:43 UTC
*poppler-0.16.3-r1 (14 Apr 2011)
*poppler-0.14.5-r1 (14 Apr 2011)

  14 Apr 2011; Andreas K. Huettel <dilfridge@gentoo.org>
  +poppler-0.14.5-r1.ebuild, -poppler-0.16.3.ebuild,
  +poppler-0.16.3-r1.ebuild:
  Disable abiword backend (not supported anymore, security issues, bug
  308017)

Arches, please stabilize app-text/poppler-0.14.5-r1
Only change is force-disabling abiword support (formerly controlled by abiword useflag).

Target: 
"alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

i.e. stabilization on
alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
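The fix in comments 9 and 10 is removal, not a code patch: the abiword output device is compiled out (the cmake switch -DENABLE_ABIWORD=OFF, and the USE flag dropped from the -r1 ebuilds), so the vulnerable ABWOutputDev::endWord never ends up in libpoppler and pdftoabw is never installed. The following shell check is an added example, not part of this bug or of poppler, for confirming on an installed system that a given poppler build no longer carries that backend. It looks for two signals: a pdftoabw binary in the install directory, and the mangled C++ symbol names of ABWOutputDev inside the shared library (any exported or internal method of that class contains the substring "ABWOutputDev"). The library and binary paths are assumptions; substitute the ones on your system.

```shell
#!/bin/sh
# Added example, not code from the Gentoo bug or from poppler.
# Checks whether a poppler build still contains the abiword output device
# that CVE-2009-3938 lives in (ABWOutputDev / pdftoabw).
#
# Usage: sh check_abiword.sh /usr/lib/libpoppler.so [/usr/bin]
# Exit status 0 = backend absent, 1 = backend (or its tool) still present.

# check_abiword_removed LIB BINDIR
#   LIB    path to libpoppler.so (assumed location, e.g. /usr/lib/libpoppler.so)
#   BINDIR directory where pdftoabw would have been installed (assumed /usr/bin)
check_abiword_removed() {
    lib="$1"
    bindir="$2"
    found=0

    # Signal 1: the standalone converter utility was installed.
    if [ -e "$bindir/pdftoabw" ]; then
        echo "pdftoabw present in $bindir"
        found=1
    fi

    # Signal 2: ABWOutputDev was compiled into the library. C++ mangled names
    # embed the class name (e.g. _ZN12ABWOutputDev7endWordEv), so a raw
    # substring search of the binary is enough; -a makes grep treat the
    # ELF file as text. (nm -D "$lib" | grep ABWOutputDev is the same check
    # when binutils is available.)
    if grep -aq 'ABWOutputDev' "$lib" 2>/dev/null; then
        echo "ABWOutputDev symbols present in $lib"
        found=1
    fi

    if [ "$found" -eq 0 ]; then
        echo "abiword backend not found: $lib / $bindir look clean"
    fi
    return "$found"
}

# Only run when paths are given on the command line, so the function can
# also be sourced from another script without side effects.
if [ "$#" -ge 1 ]; then
    check_abiword_removed "$1" "${2:-/usr/bin}"
fi
```

A clean result only says the backend is compiled out; it does not tell you which poppler revision is installed, so on Gentoo pair it with the package version (app-text/poppler-0.14.5-r1 or 0.16.3-r1 and later) from the package manager.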
Comment 11 Agostino Sarubbo gentoo-dev 2011-04-15 13:32:06 UTC
works on amd64
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-15 14:30:43 UTC
Stable for HPPA.
Comment 13 Christoph Mende (RETIRED) gentoo-dev 2011-04-15 21:37:40 UTC
amd64 stable
Comment 14 Thomas Kahle (RETIRED) gentoo-dev 2011-04-16 05:56:10 UTC
x86 stable
Comment 15 Alex Buell 2011-04-17 23:41:00 UTC
Tested along with evince 2.32.0-r2 on SPARC, seems to display PDF documents OK, could stabilise.
Comment 16 Andreas K. Hüttel archtester gentoo-dev 2011-04-21 22:36:37 UTC
arm stable
Comment 17 Brent Baude (RETIRED) gentoo-dev 2011-04-22 16:52:55 UTC
ppc done
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2011-04-23 12:08:15 UTC
alpha/ia64/s390/sh/sparc stable
Comment 19 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-26 07:45:53 UTC
ppc64 stable, last arch done
Comment 20 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 14:00:57 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 21 Andreas K. Hüttel archtester gentoo-dev 2011-05-14 14:03:50 UTC
Nothing to do for kde here anymore.
Comment 22 Andreas K. Hüttel archtester gentoo-dev 2011-06-05 20:59:27 UTC
(In reply to comment #21)
> Nothing to do for kde here anymore.

Nor for printing.
Comment 23 Andreas K. Hüttel archtester gentoo-dev 2013-03-16 11:43:08 UTC
Will anyone still read this GLSA if it ever comes out? Come on, stable is poppler-0.20 by now.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 16:08:33 UTC
This issue was resolved and addressed in
 GLSA 201310-03 at http://security.gentoo.org/glsa/glsa-201310-03.xml
by GLSA coordinator Sean Amoss (ackle).