Bug 659828

Summary:	<app-text/poppler-0.68.0: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	printing, reavertm
Priority:	Normal	Keywords:	STABLEREQ
Version:	unspecified	Flags:	stable-bot: sanity-check+
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=667150
Whiteboard:	B2 [glsa+]
Package list:	media-libs/openjpeg-2.3.0-r1 app-text/poppler-0.68.0	Runtime testing required:	---
Bug Depends on:	621712, 655052, 659940, 659942, 663000
Bug Blocks:

Description Hanno Böck gentoo-dev

2018-07-02 07:34:27 UTC

From upstream changelog:
poppler-0.66.0.tar.xz (Tue Jun 19, 2018):

        core:
         * Fix lots of security/leak issues found by oss-fuzz

poppler has recently been added to google's oss-fuzz project, which means a large number of security issues (buffer overflows, uninitialized memory, integer overflows etc.) have been found.

Just a few:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=b245154fdebc9a78db163bc95959c6c8f5b4126f
https://cgit.freedesktop.org/poppler/poppler/commit/?id=9a8d33246601dbd2bea98bb3404596848f71162a
https://cgit.freedesktop.org/poppler/poppler/commit/?id=adb7cac1b787b35c4f5d25e0441e459ab92d0469

See also the git history:
https://cgit.freedesktop.org/poppler/poppler/log/

Many fixed in 0.66.0, but work is ongoing. We should treat 0.66.0 as a security update (and probably the next 1-2 versions as well).

Comment 1 Andreas Sturmlechner gentoo-dev

2018-07-03 13:01:33 UTC

We were planning to stabilise this version in any case.

Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2018-07-20 13:51:51 UTC

Seems like they did not finish fixing those in 0.66.0:

Release 0.67.0
        core:
         * Fix lots of security/leak issues found by oss-fuzz

If you plan to stabilize 0.67.0 instead of 0.66.0, we need to stabilize >=net-print/cups-filters-1.20.4 first because I had to add a compile fix for poppler-0.67.0

Comment 3 Andreas Sturmlechner gentoo-dev

2018-08-07 07:14:29 UTC

(In reply to Lars Wendler (Polynomial-C) from comment #2)
> If you plan to stabilize 0.67.0 instead of 0.66.0, we need to stabilize
> >=net-print/cups-filters-1.20.4 first because I had to add a compile fix for
> poppler-0.67.0
That one in addition probably will not block us over the existing dependencies of this bug.

Comment 4 Hanno Böck gentoo-dev

2018-09-22 14:01:45 UTC

More fixes from upstream:

The latest stable release is poppler-0.69.0.tar.xz, released on Sep 21, 2018:
[...]
         * Fix security issues found by oss-fuzz

Comment 5 Andreas Sturmlechner gentoo-dev

2018-09-27 12:54:02 UTC

@Hanno: Can you identify the patch(es) we need to backport to 0.67.0?

Comment 6 Hanno Böck gentoo-dev

2018-09-27 13:08:43 UTC

There have been a lot of patches:
https://cgit.freedesktop.org/poppler/poppler/log/?ofs=100
https://cgit.freedesktop.org/poppler/poppler/log/?ofs=50

Countless referencing overflow and oss-fuzz. I don't think backporting is feasible.

Looking at the dependencies I think only inkscape is really blocking it right now, the others are only waiting for stabilization on minor archs.

Comment 7 Andreas Sturmlechner gentoo-dev

2018-09-29 07:04:53 UTC

(In reply to Hanno Boeck from comment #6)
> Looking at the dependencies I think only inkscape is really blocking it
> right now, the others are only waiting for stabilization on minor archs.
We know that about 0.67.0 that this tracker was about, but we have no idea what new problems 0.68 and 0.69 are going to introduce on revdeps.

Comment 8 Larry the Git Cow gentoo-dev

2018-11-03 21:46:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26d130e47af495f6ab0937e2d45874101bfdfc4e

commit 26d130e47af495f6ab0937e2d45874101bfdfc4e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-03 21:25:13 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-03 21:30:52 +0000

    app-text/poppler: 0.68.0 version bump
    
    Depend on >=media-libs/openjpeg-2.3.0-r1 with fixed cmake install paths.
    
    Bug: https://bugs.gentoo.org/659828
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 app-text/poppler/Manifest              |   1 +
 app-text/poppler/poppler-0.68.0.ebuild | 126 +++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)

Comment 9 Andreas Sturmlechner gentoo-dev

2018-11-03 21:50:08 UTC

We will target 0.68.0 for stabilisation soon, even if it fixes not all oss-fuzz security issues. Everything above requires patching practically every revdep.

Comment 10 Andreas Sturmlechner gentoo-dev

2018-12-15 15:15:56 UTC

Arches, please stabilise.

Comment 11 Frank Krömmelbein 2018-12-15 15:44:16 UTC

There is a dependency missing which also needs to be stabilized:

The following keyword changes are necessary to proceed:
 (see "package.accept_keywords" in the portage(5) man page for more details)
# required by app-text/poppler-0.68.0::gentoo[jpeg2k]
# required by app-office/libreoffice-6.0.6.2::gentoo[pdfimport]
# required by @__auto_slot_operator_replace_installed__ (argument)
=media-libs/openjpeg-2.3.0-r1 ~amd64

Comment 12 Stabilization helper bot gentoo-dev

2018-12-15 16:01:28 UTC

An automated check of this bug failed - repoman reported dependency errors (255 lines truncated): 

> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/openjpeg-2.3.0-r1:2=']
> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/openjpeg-2.3.0-r1:2=']
> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/openjpeg-2.3.0-r1:2=']

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2018-12-20 01:30:19 UTC

x86 stable

Comment 14 Rolf Eike Beer archtester

2018-12-25 13:30:19 UTC

sparc stable

Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev

2018-12-26 12:13:06 UTC

ia64 stable

Comment 16 Matt Turner gentoo-dev

2018-12-26 17:23:43 UTC

alpha stable

Comment 17 Mikle Kolyada (RETIRED) archtester

2018-12-28 08:14:11 UTC

amd64 stable

Comment 18 ernsteiswuerfel archtester

2018-12-28 21:57:14 UTC

Looking good on ppc64.

openjpeg-2.3.0-r1 test failure (bug #673924).
rdeps failing: luatex (bug #673924), gimp (bug #669080), pillow (bug #662686).

# cat openjpeg-659828.report 
USE tests started on Fr 28. Dez 20:38:43 CET 2018

 FEATURES=' test' failed for =media-libs/openjpeg-2.3.0-r1
USE='-doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='-doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1

FEATURES=' test' USE='' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk curl -cxx doc -introspection -jpeg -jpeg2k lcms -nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk curl cxx -doc -introspection jpeg jpeg2k -lcms -nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc -introspection jpeg jpeg2k lcms -nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc introspection jpeg jpeg2k -lcms nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo -cjk -curl -cxx -doc -introspection jpeg jpeg2k lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc -introspection jpeg jpeg2k -lcms -nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx -doc -introspection -jpeg jpeg2k lcms -nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl cxx doc -introspection -jpeg -jpeg2k lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx doc introspection jpeg -jpeg2k -lcms nss -png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo -cjk -curl -cxx -doc -introspection -jpeg jpeg2k lcms -nss png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx -doc introspection -jpeg -jpeg2k -lcms -nss png -qt5 tiff utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx -doc introspection -jpeg -jpeg2k lcms nss png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0

revdep tests started on Fr 28. Dez 21:04:16 CET 2018

FEATURES=' test' USE='jpeg2k' succeeded for media-video/ffmpeg
USE='jpeg2k' FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='jpeg2k' succeeded for dev-libs/efl
FEATURES=' test' USE='-static' succeeded for app-text/llpp
FEATURES=' test' USE='' succeeded for app-text/ghostscript-gpl
FEATURES=' test' USE='jpeg2k' succeeded for media-video/gpac
FEATURES=' test' USE='jpeg2k' succeeded for sci-libs/gdal
FEATURES=' test' USE='jpeg2k' succeeded for app-text/poppler
FEATURES=' test' USE='jpeg2k' succeeded for media-video/libav
USE='jpeg2k' FEATURES=' test' failed for dev-python/pillow
 FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='pdf' succeeded for dev-libs/efl
 FEATURES=' test' failed for dev-tex/luatex
FEATURES=' test' USE='pdf' succeeded for sci-libs/gdal
FEATURES=' test' USE='pdf' succeeded for dev-games/openscenegraph
FEATURES=' test' USE='' succeeded for app-office/scribus
FEATURES=' test' USE='pdf' succeeded for xfce-extra/tumbler
FEATURES=' test' USE='pdf' succeeded for media-gfx/graphviz
FEATURES=' test' USE='' succeeded for net-print/cups-filters
FEATURES=' test' USE='' succeeded for app-text/texlive-core

Comment 19 ernsteiswuerfel archtester

2018-12-29 00:31:55 UTC

Made a litte mistake, my last post was about ppc not ppc64. This one is about ppc64:

Looking good on ppc64.

openjpeg-2.3.0-r1 test failure (bug #673924).
rdeps failing: luatex (bug #673924), gimp (bug #669080), pillow (bug #662686).

# cat openjpeg-659828.report 
USE tests started on Do 27. Dez 13:45:10 CET 2018

 FEATURES=' test' failed for =media-libs/openjpeg-2.3.0-r1
USE='-doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='-doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1

FEATURES=' test' USE='' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk -curl -cxx doc introspection jpeg jpeg2k lcms -nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc -introspection jpeg -jpeg2k -lcms nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl -cxx -doc introspection -jpeg -jpeg2k lcms nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx doc introspection jpeg jpeg2k lcms -nss png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc introspection -jpeg -jpeg2k lcms -nss -png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl -cxx doc introspection -jpeg -jpeg2k -lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx doc introspection -jpeg jpeg2k -lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx -doc introspection -jpeg -jpeg2k -lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx -doc -introspection jpeg jpeg2k -lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc introspection -jpeg jpeg2k lcms -nss -png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl cxx -doc -introspection jpeg -jpeg2k lcms -nss -png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx doc introspection -jpeg -jpeg2k lcms nss -png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0

revdep tests started on Fr 28. Dez 23:59:19 CET 2018

FEATURES=' test' USE='jpeg2k' succeeded for app-text/poppler
FEATURES=' test' USE='jpeg2k' succeeded for sci-libs/gdal
USE='jpeg2k' FEATURES=' test' failed for dev-python/pillow
USE='jpeg2k' FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='jpeg2k' succeeded for media-video/ffmpeg
FEATURES=' test' USE='' succeeded for app-text/ghostscript-gpl
FEATURES=' test' USE='jpeg2k' succeeded for media-video/libav
FEATURES=' test' USE='' succeeded for app-text/mupdf
FEATURES=' test' USE='jpeg2k' succeeded for media-gfx/imagemagick
FEATURES=' test' USE='jpeg2k' succeeded for media-libs/leptonica
FEATURES=' test' USE='' succeeded for net-print/cups-filters
FEATURES=' test' USE='' succeeded for app-office/scribus
FEATURES=' test' USE='latex' succeeded for dev-python/matplotlib
 FEATURES=' test' failed for dev-tex/luatex
FEATURES=' test' USE='' succeeded for media-gfx/inkscape
FEATURES=' test' USE='pdf' succeeded for sci-libs/gdal
FEATURES=' test' USE='pdf' succeeded for media-gfx/graphviz
FEATURES=' test' USE='' succeeded for app-text/texlive-core
FEATURES=' test' USE='' succeeded for media-gfx/fbida
FEATURES=' test' USE='pdf' succeeded for dev-games/openscenegraph

Comment 20 Matt Turner gentoo-dev

2018-12-30 22:17:14 UTC

hppa stable

Comment 21 Markus Meier gentoo-dev

2019-01-02 12:14:06 UTC

arm stable

Comment 22 Mart Raudsepp gentoo-dev

2019-01-04 00:47:16 UTC

arm64 stable

Comment 23 Andreas Sturmlechner gentoo-dev

2019-01-17 01:41:28 UTC

ping powerpc

Comment 24 Sergei Trofimovich (RETIRED) gentoo-dev

2019-01-17 23:19:12 UTC

ppc/ppc64 stable thanks to ernsteiswuerfel!

Comment 25 Mikle Kolyada (RETIRED) archtester

2019-01-29 11:53:44 UTC

s390 stable

Comment 26 Larry the Git Cow gentoo-dev

2019-01-30 22:31:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4090dfd2d2c2be4cd3eccf155db2a3ddf1dd4091

commit 4090dfd2d2c2be4cd3eccf155db2a3ddf1dd4091
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-01-30 22:27:45 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-01-30 22:29:25 +0000

    app-text/poppler: Security cleanup
    
    Bug: https://bugs.gentoo.org/659828
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-text/poppler/Manifest                          |   1 -
 app-text/poppler/files/poppler-0.62.0-glibc.patch  |  34 ------
 .../poppler/files/poppler-0.62.0-openjpeg2.patch   |  14 ---
 app-text/poppler/poppler-0.62.0-r1.ebuild          | 127 ---------------------
 4 files changed, 176 deletions(-)

Comment 27 Andreas Sturmlechner gentoo-dev

2019-01-31 11:52:33 UTC

kde/office is done here, anyway.

Comment 28 GLSAMaker/CVETool Bot gentoo-dev

2019-04-02 04:22:43 UTC

This issue was resolved and addressed in
 GLSA 201904-04 at https://security.gentoo.org/glsa/201904-04
by GLSA coordinator Aaron Bauman (b-man).