
Bug 659828

Summary: <app-text/poppler-0.68.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: printing, reavertm
Priority: Normal
Keywords: STABLEREQ
Version: unspecified
Flags: stable-bot: sanity-check+
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=667150
Whiteboard: B2 [glsa+]
Package list:
media-libs/openjpeg-2.3.0-r1 app-text/poppler-0.68.0
Runtime testing required: ---
Bug Depends on: 621712, 655052, 659940, 659942, 663000    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2018-07-02 07:34:27 UTC
From upstream changelog:
poppler-0.66.0.tar.xz (Tue Jun 19, 2018):

        core:
         * Fix lots of security/leak issues found by oss-fuzz

poppler has recently been added to Google's oss-fuzz project, which means a large number of security issues (buffer overflows, uninitialized memory, integer overflows, etc.) have been found.

Just a few:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=b245154fdebc9a78db163bc95959c6c8f5b4126f
https://cgit.freedesktop.org/poppler/poppler/commit/?id=9a8d33246601dbd2bea98bb3404596848f71162a
https://cgit.freedesktop.org/poppler/poppler/commit/?id=adb7cac1b787b35c4f5d25e0441e459ab92d0469

See also the git history:
https://cgit.freedesktop.org/poppler/poppler/log/

Many fixed in 0.66.0, but work is ongoing. We should treat 0.66.0 as a security update (and probably the next 1-2 versions as well).
Comment 1 Andreas Sturmlechner gentoo-dev 2018-07-03 13:01:33 UTC
We were planning to stabilise this version in any case.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-07-20 13:51:51 UTC
Seems like they did not finish fixing those in 0.66.0:

Release 0.67.0
        core:
         * Fix lots of security/leak issues found by oss-fuzz

If you plan to stabilize 0.67.0 instead of 0.66.0, we need to stabilize >=net-print/cups-filters-1.20.4 first because I had to add a compile fix for poppler-0.67.0
Comment 3 Andreas Sturmlechner gentoo-dev 2018-08-07 07:14:29 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> If you plan to stabilize 0.67.0 instead of 0.66.0, we need to stabilize
> >=net-print/cups-filters-1.20.4 first because I had to add a compile fix for
> poppler-0.67.0
That one in addition probably will not block us over the existing dependencies of this bug.
Comment 4 Hanno Böck gentoo-dev 2018-09-22 14:01:45 UTC
More fixes from upstream:

The latest stable release is poppler-0.69.0.tar.xz, released on Sep 21, 2018:
[...]
         * Fix security issues found by oss-fuzz
Comment 5 Andreas Sturmlechner gentoo-dev 2018-09-27 12:54:02 UTC
@Hanno: Can you identify the patch(es) we need to backport to 0.67.0?
Comment 6 Hanno Böck gentoo-dev 2018-09-27 13:08:43 UTC
There have been a lot of patches:
https://cgit.freedesktop.org/poppler/poppler/log/?ofs=100
https://cgit.freedesktop.org/poppler/poppler/log/?ofs=50

Countless referencing overflow and oss-fuzz. I don't think backporting is feasible.

Looking at the dependencies I think only inkscape is really blocking it right now, the others are only waiting for stabilization on minor archs.
Comment 7 Andreas Sturmlechner gentoo-dev 2018-09-29 07:04:53 UTC
(In reply to Hanno Boeck from comment #6)
> Looking at the dependencies I think only inkscape is really blocking it
> right now, the others are only waiting for stabilization on minor archs.
We know that about 0.67.0, which this tracker was about, but we have no idea what new problems 0.68 and 0.69 are going to introduce on revdeps.
Comment 8 Larry the Git Cow gentoo-dev 2018-11-03 21:46:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26d130e47af495f6ab0937e2d45874101bfdfc4e

commit 26d130e47af495f6ab0937e2d45874101bfdfc4e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-03 21:25:13 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-03 21:30:52 +0000

    app-text/poppler: 0.68.0 version bump
    
    Depend on >=media-libs/openjpeg-2.3.0-r1 with fixed cmake install paths.
    
    Bug: https://bugs.gentoo.org/659828
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 app-text/poppler/Manifest              |   1 +
 app-text/poppler/poppler-0.68.0.ebuild | 126 +++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)
Comment 9 Andreas Sturmlechner gentoo-dev 2018-11-03 21:50:08 UTC
We will target 0.68.0 for stabilisation soon, even if it does not fix all oss-fuzz security issues. Everything above requires patching practically every revdep.
Comment 10 Andreas Sturmlechner gentoo-dev 2018-12-15 15:15:56 UTC
Arches, please stabilise.
Comment 11 Frank Krömmelbein 2018-12-15 15:44:16 UTC
There is a dependency missing which also needs to be stabilized:

The following keyword changes are necessary to proceed:
 (see "package.accept_keywords" in the portage(5) man page for more details)
# required by app-text/poppler-0.68.0::gentoo[jpeg2k]
# required by app-office/libreoffice-6.0.6.2::gentoo[pdfimport]
# required by @__auto_slot_operator_replace_installed__ (argument)
=media-libs/openjpeg-2.3.0-r1 ~amd64
Comment 12 Stabilization helper bot gentoo-dev 2018-12-15 16:01:28 UTC
An automated check of this bug failed - repoman reported dependency errors (255 lines truncated): 

> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/openjpeg-2.3.0-r1:2=']
> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/openjpeg-2.3.0-r1:2=']
> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/openjpeg-2.3.0-r1:2=']
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-20 01:30:19 UTC
x86 stable
Comment 14 Rolf Eike Beer archtester 2018-12-25 13:30:19 UTC
sparc stable
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2018-12-26 12:13:06 UTC
ia64 stable
Comment 16 Matt Turner gentoo-dev 2018-12-26 17:23:43 UTC
alpha stable
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-28 08:14:11 UTC
amd64 stable
Comment 18 ernsteiswuerfel archtester 2018-12-28 21:57:14 UTC
Looking good on ppc64.

openjpeg-2.3.0-r1 test failure (bug #673924).
rdeps failing: luatex (bug #673924), gimp (bug #669080), pillow (bug #662686).

# cat openjpeg-659828.report 
USE tests started on Fr 28. Dez 20:38:43 CET 2018

 FEATURES=' test' failed for =media-libs/openjpeg-2.3.0-r1
USE='-doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='-doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1

FEATURES=' test' USE='' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk curl -cxx doc -introspection -jpeg -jpeg2k lcms -nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk curl cxx -doc -introspection jpeg jpeg2k -lcms -nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc -introspection jpeg jpeg2k lcms -nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc introspection jpeg jpeg2k -lcms nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo -cjk -curl -cxx -doc -introspection jpeg jpeg2k lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc -introspection jpeg jpeg2k -lcms -nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx -doc -introspection -jpeg jpeg2k lcms -nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl cxx doc -introspection -jpeg -jpeg2k lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx doc introspection jpeg -jpeg2k -lcms nss -png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo -cjk -curl -cxx -doc -introspection -jpeg jpeg2k lcms -nss png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx -doc introspection -jpeg -jpeg2k -lcms -nss png -qt5 tiff utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx -doc introspection -jpeg -jpeg2k lcms nss png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0

revdep tests started on Fr 28. Dez 21:04:16 CET 2018

FEATURES=' test' USE='jpeg2k' succeeded for media-video/ffmpeg
USE='jpeg2k' FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='jpeg2k' succeeded for dev-libs/efl
FEATURES=' test' USE='-static' succeeded for app-text/llpp
FEATURES=' test' USE='' succeeded for app-text/ghostscript-gpl
FEATURES=' test' USE='jpeg2k' succeeded for media-video/gpac
FEATURES=' test' USE='jpeg2k' succeeded for sci-libs/gdal
FEATURES=' test' USE='jpeg2k' succeeded for app-text/poppler
FEATURES=' test' USE='jpeg2k' succeeded for media-video/libav
USE='jpeg2k' FEATURES=' test' failed for dev-python/pillow
 FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='pdf' succeeded for dev-libs/efl
 FEATURES=' test' failed for dev-tex/luatex
FEATURES=' test' USE='pdf' succeeded for sci-libs/gdal
FEATURES=' test' USE='pdf' succeeded for dev-games/openscenegraph
FEATURES=' test' USE='' succeeded for app-office/scribus
FEATURES=' test' USE='pdf' succeeded for xfce-extra/tumbler
FEATURES=' test' USE='pdf' succeeded for media-gfx/graphviz
FEATURES=' test' USE='' succeeded for net-print/cups-filters
FEATURES=' test' USE='' succeeded for app-text/texlive-core
Comment 19 ernsteiswuerfel archtester 2018-12-29 00:31:55 UTC
Made a little mistake, my last post was about ppc, not ppc64. This one is about ppc64:

Looking good on ppc64.

openjpeg-2.3.0-r1 test failure (bug #673924).
rdeps failing: luatex (bug #673924), gimp (bug #669080), pillow (bug #662686).

# cat openjpeg-659828.report 
USE tests started on Do 27. Dez 13:45:10 CET 2018

 FEATURES=' test' failed for =media-libs/openjpeg-2.3.0-r1
USE='-doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='-doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1

FEATURES=' test' USE='' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk -curl -cxx doc introspection jpeg jpeg2k lcms -nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc -introspection jpeg -jpeg2k -lcms nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl -cxx -doc introspection -jpeg -jpeg2k lcms nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx doc introspection jpeg jpeg2k lcms -nss png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc introspection -jpeg -jpeg2k lcms -nss -png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl -cxx doc introspection -jpeg -jpeg2k -lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx doc introspection -jpeg jpeg2k -lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx -doc introspection -jpeg -jpeg2k -lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx -doc -introspection jpeg jpeg2k -lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc introspection -jpeg jpeg2k lcms -nss -png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl cxx -doc -introspection jpeg -jpeg2k lcms -nss -png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx doc introspection -jpeg -jpeg2k lcms nss -png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0

revdep tests started on Fr 28. Dez 23:59:19 CET 2018

FEATURES=' test' USE='jpeg2k' succeeded for app-text/poppler
FEATURES=' test' USE='jpeg2k' succeeded for sci-libs/gdal
USE='jpeg2k' FEATURES=' test' failed for dev-python/pillow
USE='jpeg2k' FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='jpeg2k' succeeded for media-video/ffmpeg
FEATURES=' test' USE='' succeeded for app-text/ghostscript-gpl
FEATURES=' test' USE='jpeg2k' succeeded for media-video/libav
FEATURES=' test' USE='' succeeded for app-text/mupdf
FEATURES=' test' USE='jpeg2k' succeeded for media-gfx/imagemagick
FEATURES=' test' USE='jpeg2k' succeeded for media-libs/leptonica
FEATURES=' test' USE='' succeeded for net-print/cups-filters
FEATURES=' test' USE='' succeeded for app-office/scribus
FEATURES=' test' USE='latex' succeeded for dev-python/matplotlib
 FEATURES=' test' failed for dev-tex/luatex
FEATURES=' test' USE='' succeeded for media-gfx/inkscape
FEATURES=' test' USE='pdf' succeeded for sci-libs/gdal
FEATURES=' test' USE='pdf' succeeded for media-gfx/graphviz
FEATURES=' test' USE='' succeeded for app-text/texlive-core
FEATURES=' test' USE='' succeeded for media-gfx/fbida
FEATURES=' test' USE='pdf' succeeded for dev-games/openscenegraph
Comment 20 Matt Turner gentoo-dev 2018-12-30 22:17:14 UTC
hppa stable
Comment 21 Markus Meier gentoo-dev 2019-01-02 12:14:06 UTC
arm stable
Comment 22 Mart Raudsepp gentoo-dev 2019-01-04 00:47:16 UTC
arm64 stable
Comment 23 Andreas Sturmlechner gentoo-dev 2019-01-17 01:41:28 UTC
ping powerpc
Comment 24 Sergei Trofimovich (RETIRED) gentoo-dev 2019-01-17 23:19:12 UTC
ppc/ppc64 stable thanks to ernsteiswuerfel!
Comment 25 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-29 11:53:44 UTC
s390 stable
Comment 26 Larry the Git Cow gentoo-dev 2019-01-30 22:31:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4090dfd2d2c2be4cd3eccf155db2a3ddf1dd4091

commit 4090dfd2d2c2be4cd3eccf155db2a3ddf1dd4091
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-01-30 22:27:45 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-01-30 22:29:25 +0000

    app-text/poppler: Security cleanup
    
    Bug: https://bugs.gentoo.org/659828
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-text/poppler/Manifest                          |   1 -
 app-text/poppler/files/poppler-0.62.0-glibc.patch  |  34 ------
 .../poppler/files/poppler-0.62.0-openjpeg2.patch   |  14 ---
 app-text/poppler/poppler-0.62.0-r1.ebuild          | 127 ---------------------
 4 files changed, 176 deletions(-)
Comment 27 Andreas Sturmlechner gentoo-dev 2019-01-31 11:52:33 UTC
kde/office is done here, anyway.
Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2019-04-02 04:22:43 UTC
This issue was resolved and addressed in
 GLSA 201904-04 at https://security.gentoo.org/glsa/201904-04
by GLSA coordinator Aaron Bauman (b-man).