(https://nvd.nist.gov/vuln/detail/CVE-2019-9545): An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero.
Reference: https://gitlab.freedesktop.org/poppler/poppler/issues/731
(https://nvd.nist.gov/vuln/detail/CVE-2019-9543): An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.
Reference: https://gitlab.freedesktop.org/poppler/poppler/issues/730
Gentoo Security Padawan (domhnall)
poppler is a common lib, I'd set it to A
CVE-2019-9545 (https://nvd.nist.gov/vuln/detail/CVE-2019-9545): An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero.
CVE-2019-9543 (https://nvd.nist.gov/vuln/detail/CVE-2019-9543): An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.
"The latest stable release is poppler-0.84.0.tar.xz, released on December 28, 2019:
Release 0.84.0:
core:
 * Fix crash when converting from Unicode to ASCII-7
 * Splash::scaleImageYdXu: Protect against crash if srcWidth is too big
 * JBIG2Stream: fix potential crash in malformed documents
 * JBIG2Stream: fix leak in reset() if called several times
 * Internal code improvements
utils:
 * pdfimages: Add error message if first page is larger then number of pages.
 * pdfinfo: Improved paper size recognition
 * pdfsig: Fix exit code when dumping signatures
 * pdftocairo: Error out when even/odd selects 0 pages
 * pdftohtml: Fix memory leak
 * pdftoppm: Add an option to scale before rotate
 * pdftoppm: Add -hide-annotations option
 * pdftoppm: Error out when even/odd selects 0 pages
 * pdftops: Improve -optimizecolorspace
qt5:
 * Code cleanups
glib:
 * Fix compiler warnings
"
Is the release related to this security bug?
For anyone wondering if these CVEs are still relevant in 2022, the upstream issues are open and without any upstream reaction:
CVE-2019-9543: https://gitlab.freedesktop.org/poppler/poppler/-/issues/730
CVE-2019-9545: https://gitlab.freedesktop.org/poppler/poppler/-/issues/731
Yes.
(In reply to Niklāvs Koļesņikovs from comment #5)
> For anyone wondering, if these CVE are still relevant in 2022, the upstream
> issues are open and without any upstream reaction:
>
> CVE-2019-9543: https://gitlab.freedesktop.org/poppler/poppler/-/issues/730
>
> CVE-2019-9545: https://gitlab.freedesktop.org/poppler/poppler/-/issues/731
One year ago, nothing changed at the upstream reports. Is this still relevant for latest releases?
(In reply to jospezial from comment #7)
> (In reply to Niklāvs Koļesņikovs from comment #5)
> > For anyone wondering, if these CVE are still relevant in 2022, the upstream
> > issues are open and without any upstream reaction:
> >
> > CVE-2019-9543: https://gitlab.freedesktop.org/poppler/poppler/-/issues/730
> >
> > CVE-2019-9545: https://gitlab.freedesktop.org/poppler/poppler/-/issues/731
>
> One year ago, nothing changed at the upstream reports.
> Is this still relevant for latest releases?
Until the upstream bugs are closed, I assume yes. You can try the reproducers given in the bug if you want, at your own risk.