Gentoo Bug 260266 - <app-text/poppler-0.10.4 Two Denial of Service Vulnerabilities (CVE-2009-{0755,0756})

Description:

Opened: 2009-02-25 16:24 0000

On Thursday 19 February 2009, Michael K. Johnson wrote:
> On Fri, Feb 13, 2009 at 11:20:40AM +0200, Pinar Yanardag wrote:
> > 1) An uninitialised memory access error in the
> > "FormWidgetChoice::loadDefaults()" function can be exploited to
> > cause a crash via a specially crafted PDF document.
>
> This is changeset 1fc342eadcbbb41302f190b215c5daf23c9ec9b1 in
> poppler's git and is associated with poppler bug 19790
>
> > 2) An error in the "JBIG2Stream::readSymbolDictSeg()" function can
> > be exploited to cause a crash via a specially crafted PDF document.
>
> This is changeset d3f04f537fb3e963c149a7e2d8d83c7cb19da8c0 in
> poppler's git and is associated with poppler bug 19702
>
> These bugs were reported fixed in poppler-0.10.4.tar.gz, released on
> February 10, 2009

------- Comment #6 From Clemmitt M. Sigler 2009-02-26 14:49:48 0000 -------

(In reply to comment #4)
> ... and =app-text/poppler-bindings-0.10.4
> Be sure to get the newest version from CVS or it will fail with libtool-1.5

It's possible I've been bitten by this bug.  Emerge of poppler-bindings-0.10.4
fails during "Configuring source in
/var/tmp/portage/app-text/poppler-bindings-0.10.4/work/poppler-0.10.4" with
these messages:

checking for Qt headers... no
checking for Qt libraries... no
configure: error: in
`/var/tmp/portage/app-text/poppler-bindings-0.10.4/work/poppler-0.10.4':
configure: error: Qt development libraries not found

Here's what I've got installed for libtool:

[I--] [  ] sys-devel/libtool-1.5.26 (1.5)

and for qt:

[I--] [  ] x11-libs/qt-3.3.8b-r1 (3)
[I--] [  ] x11-libs/qt-4.4.2 (4)
[I--] [  ] x11-libs/qt-assistant-4.4.2-r1 (4)
[I--] [  ] x11-libs/qt-core-4.4.2 (4)
[I--] [  ] x11-libs/qt-dbus-4.4.2 (4)
[I--] [  ] x11-libs/qt-gui-4.4.2-r1 (4)
[I--] [  ] x11-libs/qt-opengl-4.4.2 (4)
[I--] [  ] x11-libs/qt-qt3support-4.4.2 (4)
[I--] [  ] x11-libs/qt-script-4.4.2 (4)
[I--] [  ] x11-libs/qt-sql-4.4.2 (4)
[I--] [  ] x11-libs/qt-svg-4.4.2 (4)
[I--] [  ] x11-libs/qt-test-4.4.2 (4)
[I--] [  ] x11-libs/qt-webkit-4.4.2 (4)
[I--] [  ] x11-libs/qt-xmlpatterns-4.4.2 (4)

so, of course, Qt is installed.  Applicable USE flags for emerging
poppler-bindings are:

 U I
 + + cairo : Enable support for the cairo graphics library
 + + gtk   : Adds support for x11-libs/gtk+ (The GIMP Toolkit)
 + + qt3   : Adds support for the Qt GUI/Application Toolkit version 3.x
 + + qt4   : Adds support for the Qt GUI/Application Toolkit version 4.x

HTH.

Clemmitt

------- Comment #7 From Peter Alfredsen 2009-02-26 17:34:24 0000 -------

(In reply to comment #6)
> (In reply to comment #4)
> > ... and =app-text/poppler-bindings-0.10.4
> > Be sure to get the newest version from CVS or it will fail with libtool-1.5
> 
> It's possible I've been bitten by this bug.  Emerge of poppler-bindings-0.10.4
> fails during "Configuring source in
> /var/tmp/portage/app-text/poppler-bindings-0.10.4/work/poppler-0.10.4" with
> these messages:

QTDIR is probably unset. Try with a fresh root-shell. I've just made the ebuild
inherit qt3 so a sane value is set even if you've not yet sourced
/etc/env.d/50qtdir3 . If that doesn't work, file a new bug and CC me.

------- Comment #8 From Brent Baude 2009-02-26 17:59:01 0000 -------

I have done poppler for ppc64.  poppler-bindings fails tests like:

PASS: check_permissions
********* Start testing of TestPageMode *********
Config: Using QTest library 4.4.2, Qt 4.4.2
PASS   : TestPageMode::initTestCase()
PASS   : TestPageMode::checkNone()
PASS   : TestPageMode::checkFullScreen()
PASS   : TestPageMode::checkAttachments()
PASS   : TestPageMode::checkThumbs()
PASS   : TestPageMode::checkOC()
PASS   : TestPageMode::cleanupTestCase()
Totals: 7 passed, 0 failed, 0 skipped
********* Finished testing of TestPageMode *********
PASS: check_pagemode
********* Start testing of TestPassword *********
Config: Using QTest library 4.4.2, Qt 4.4.2
PASS   : TestPassword::initTestCase()
Error: Couldn't open file '../../../test/unittestcases/Gday garon - open.pdf'
FAIL!  : TestPassword::password1() 'doc' returned FALSE. ()
   Loc: [check_password.cpp(23)]
QDEBUG : TestPassword::password1a() Error: Couldn't open file
'../../../test/unittestcases/Gday garon - open.pdf' 
FAIL!  : TestPassword::password1a() 'doc' returned FALSE. ()
   Loc: [check_password.cpp(34)]
QDEBUG : TestPassword::password2() Error: Couldn't open file
'../../../test/unittestcases/Gday garon - owner.pdf' 
FAIL!  : TestPassword::password2() 'doc' returned FALSE. ()
   Loc: [check_password.cpp(46)]
QDEBUG : TestPassword::password2a() Error: Couldn't open file
'../../../test/unittestcases/Gday garon - owner.pdf' 
FAIL!  : TestPassword::password2a() 'doc' returned FALSE. ()
   Loc: [check_password.cpp(56)]
QDEBUG : TestPassword::password2b() Error: Couldn't open file
'../../../test/unittestcases/Gday garon - owner.pdf' 
FAIL!  : TestPassword::password2b() 'doc' returned FALSE. ()
   Loc: [check_password.cpp(66)]
PASS   : TestPassword::password3()
PASS   : TestPassword::cleanupTestCase()
Totals: 3 passed, 5 failed, 0 skipped
********* Finished testing of TestPassword *********
FAIL: check_password
********* Start testing of TestPageLayout *********
Config: Using QTest library 4.4.2, Qt 4.4.2
PASS   : TestPageLayout::initTestCase()
PASS   : TestPageLayout::checkNone()
PASS   : TestPageLayout::checkSingle()
PASS   : TestPageLayout::checkFacing()
PASS   : TestPageLayout::cleanupTestCase()
Totals: 5 passed, 0 failed, 0 skipped
********* Finished testing of TestPageLayout *********
PASS: check_pagelayout
********* Start testing of TestSearch *********
Config: Using QTest library 4.4.2, Qt 4.4.2
PASS   : TestSearch::initTestCase()
PASS   : TestSearch::bug7063()
PASS   : TestSearch::cleanupTestCase()
Totals: 3 passed, 0 failed, 0 skipped
********* Finished testing of TestSearch *********
PASS: check_search
====================
1 of 11 tests failed
====================
make[3]: *** [check-TESTS] Error 1
make[3]: Leaving directory
`/var/tmp/portage/app-text/poppler-bindings-0.10.4/work/poppler-0.10.4/qt4/tests'
make[2]: *** [check-am] Error 2
make[2]: Leaving directory
`/var/tmp/portage/app-text/poppler-bindings-0.10.4/work/poppler-0.10.4/qt4/tests'
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory
`/var/tmp/portage/app-text/poppler-bindings-0.10.4/work/poppler-0.10.4/qt4'
make: *** [check-recursive] Error 1

------- Comment #12 From Clemmitt M. Sigler 2009-02-27 05:33:37 0000 -------

(In reply to comment #7)
> QTDIR is probably unset. Try with a fresh root-shell. I've just made the ebuild
> inherit qt3 so a sane value is set even if you've not yet sourced
> /etc/env.d/50qtdir3 . If that doesn't work, file a new bug and CC me.

Wow, hugely helpful!  Fixed.  Thank you very much!  The end conclusion is I
didn't think the problem through very well.

I had recently changed QTDIR so that Qt4 could be used to compile the Qt
version of WebKit.  With QTDIR as defined in /etc/env.d/50qtdir3 the WebKit Qt
build barfed.  Thanks again :^)

Clemmitt

------- Comment #14 From Robert Buchholz 2009-03-04 17:07:58 0000 -------

CVE-2009-0755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0755):
  The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4
  allows remote attackers to cause a denial of service (crash) via a
  PDF file with an invalid Form Opt entry.

CVE-2009-0756 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0756):
  The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4
  allows remote attackers to cause a denial of service (crash) via a
  PDF file that triggers a parsing error, which is not properly handled
  by JBIG2SymbolDict::~JBIG2SymbolDict and triggers an invalid memory
  dereference.

Bug 260266 depends on:	260298		Show dependency tree
Bug 260266 blocks:			Show dependency tree

Bugzilla Bug 260266

<app-text/poppler-0.10.4 Two Denial of Service Vulnerabilities (CVE-2009-{0755,0756})

Last modified: 2009-04-23 17:02:35 0000