
Bug 867958 (CVE-2021-30860, CVE-2022-38784)

Summary: <app-text/poppler-22.09.0: JBIG2 integer overflow to code execution
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: mgorny, printing, reavertm, sam
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://poppler.freedesktop.org/releases.html
See Also: https://github.com/gentoo/gentoo/pull/27755
Whiteboard: A1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 859184, 867094
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 02:18:47 UTC
CVE-2022-38784:

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.

Fixed in: https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1261/diffs?commit_id=27354e9d9696ee2bc063910a6c9a6b27c5184a52
See also: https://gist.github.com/zmanion/b2ed0d1a0cec163ecd07d5e3d9740dc6

Please bump to 22.09.0.
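The description above gives the bug class (a wrapped integer in a JBIG2 region decoder) and Apple's advisory for the sibling CVE names the fix class ("improved input validation"). The following C program is an added illustration of that class and is not poppler's code, not the upstream merge request, and not a reproduction of the actual readTextRegionSeg() defect: it places a 32-bit width-times-height size computation next to a widened, bounds-checked one and shows how a constructed width/height pair wraps the unchecked result to zero. The `region_dims` struct, `MAX_REGION_BYTES` limit, `alloc_region_bitmap()` helper and the sample dimensions are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical region descriptor (not poppler's data structure). JBIG2 region
 * segment headers carry 32-bit width and height fields read straight from the
 * file, so both values are under the control of whoever produced the PDF. */
typedef struct {
    uint32_t w;
    uint32_t h;
} region_dims;

/* Constructed policy limit: the largest single region bitmap we will allocate. */
#define MAX_REGION_BYTES ((uint64_t)64 * 1024 * 1024)

/* Unchecked pattern: the byte count is computed in 32-bit arithmetic, so a
 * crafted width/height pair can wrap it to a small number, even 0. A decoder
 * that allocates that many bytes and then writes a full region into the buffer
 * corrupts the heap. */
static size_t bitmap_bytes_unchecked(region_dims d)
{
    uint32_t rowbytes = (d.w + 7u) / 8u;   /* wraps if w is close to UINT32_MAX */
    return (size_t)(rowbytes * d.h);       /* 32-bit product wraps modulo 2^32 */
}

/* Checked pattern: widen to 64 bits before multiplying, detect overflow
 * explicitly, and reject zero-sized and oversized regions before any memory
 * is allocated. Returns false when the region must be refused. */
static bool bitmap_bytes_checked(region_dims d, size_t *out)
{
    uint64_t rowbytes, total;

    if (d.w == 0 || d.h == 0)
        return false;
    rowbytes = ((uint64_t)d.w + 7u) / 8u;
    /* With 32-bit inputs the 64-bit product cannot overflow; the explicit
     * check is kept so the routine stays correct if the field types grow. */
    if (__builtin_mul_overflow(rowbytes, (uint64_t)d.h, &total))
        return false;
    if (total > MAX_REGION_BYTES)
        return false;
    *out = (size_t)total;
    return true;
}

/* Allocate a region bitmap using the checked computation. Returns NULL when
 * the dimensions are refused, so the caller fails the segment instead of
 * continuing with an undersized buffer. */
static uint8_t *alloc_region_bitmap(region_dims d, size_t *len)
{
    size_t n;

    if (!bitmap_bytes_checked(d, &n))
        return NULL;
    *len = n;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed inputs: a benign region, and a pair chosen so that
     * rowbytes * height is exactly 2^32 and wraps to 0 in 32-bit arithmetic. */
    region_dims benign = { 1024u, 768u };
    region_dims crafted = { 65536u, 524288u };
    size_t n = 0;
    uint8_t *bm;

    printf("benign:  unchecked=%zu checked=%s\n",
           bitmap_bytes_unchecked(benign),
           bitmap_bytes_checked(benign, &n) ? "accepted" : "rejected");
    printf("crafted: unchecked=%zu checked=%s\n",
           bitmap_bytes_unchecked(crafted),
           bitmap_bytes_checked(crafted, &n) ? "accepted" : "rejected");

    bm = alloc_region_bitmap(crafted, &n);
    printf("crafted allocation: %s\n", bm ? "proceeded" : "refused");
    free(bm);
    return 0;
}
```

The unchecked routine reports 0 bytes for the crafted pair, which is exactly the situation a decoder must never reach; the checked routine refuses the same pair because the widened total exceeds the policy limit. Clamping the accepted size to a documented maximum is the part that matters most in practice, since a 64-bit multiply alone would happily hand back a multi-gigabyte allocation request.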
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 02:34:11 UTC
Fixes CVE-2021-30860 too (https://github.com/freedesktop/poppler/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52).

"An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."

https://www.sans.org/blog/what-you-need-to-know-about-cve-2021-30860-aka-forcedentry/
Comment 2 Larry the Git Cow gentoo-dev 2022-09-02 02:34:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=819d8f855df663924e6c124088cdc215653f852a

commit 819d8f855df663924e6c124088cdc215653f852a
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-02 02:26:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-02 02:27:10 +0000

    app-text/poppler: add 22.09.0
    
    Bug: https://bugs.gentoo.org/867958
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/poppler/Manifest               |   2 +
 app-text/poppler/poppler-22.09.0.ebuild | 134 ++++++++++++++++++++++++++++++++
 app-text/poppler/poppler-9999.ebuild    |   2 +-
 3 files changed, 137 insertions(+), 1 deletion(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 02:38:24 UTC
(In reply to Sam James from comment #1)
> Fixes CVE-2021-30860 too
> (https://github.com/freedesktop/poppler/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52).
> 
> "An integer overflow was addressed with improved input validation. This
> issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS
> 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted
> PDF may lead to arbitrary code execution. Apple is aware of a report that
> this issue may have been actively exploited."
> 
> https://www.sans.org/blog/what-you-need-to-know-about-cve-2021-30860-aka-forcedentry/

(fwiw, I'm not convinced at all it's actually this, unless Apple is vendoring a lot of Poppler, but...)
Comment 4 Larry the Git Cow gentoo-dev 2022-09-02 02:41:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5c8dc5fbd1bff22f355891078c55c777c532c93

commit a5c8dc5fbd1bff22f355891078c55c777c532c93
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-02 02:41:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-02 02:41:41 +0000

    app-text/poppler: unkeyword 22.09.0 for a moment
    
    LO needs a patch
    
    Bug: https://bugs.gentoo.org/867958
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/poppler/poppler-22.09.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 04:39:01 UTC
commit 5908d48769d80baedb730c61b2605a983d97bb0f (HEAD -> master, origin/master, origin/HEAD)
Author: Sam James <sam@gentoo.org>
Date:   Fri Sep 2 05:37:21 2022 +0100

    app-office/scribus: fix build with Poppler 22.09.0

    Signed-off-by: Sam James <sam@gentoo.org>

commit 9f2169be9339bfaad54aa9bf60373ff01a79f8c3
Author: Sam James <sam@gentoo.org>
Date:   Fri Sep 2 05:25:00 2022 +0100

    media-gfx/inkscape: fix build with Poppler 22.09.0

    Signed-off-by: Sam James <sam@gentoo.org>

commit 3fe3e0dc873e97eb1bb5ccb2846fffee35182caa
Author: Sam James <sam@gentoo.org>
Date:   Fri Sep 2 05:20:17 2022 +0100

    app-office/libreoffice: fix build with Poppler 22.09.0

    Signed-off-by: Sam James <sam@gentoo.org>
Comment 6 Larry the Git Cow gentoo-dev 2022-09-02 05:52:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f27c346bd97bc4dad857c09cdec1f06766020aa

commit 8f27c346bd97bc4dad857c09cdec1f06766020aa
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-09-02 04:40:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-09-02 05:33:19 +0000

    app-text/poppler: keyword 22.09.0
    
    I swear I did try LO + Scribus beforehand! But didn't have
    pdfimport on and I have no idea about Scribus.
    
    All fixed now.
    
    Bug: https://bugs.gentoo.org/867958
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/poppler/poppler-22.09.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 14:40:20 UTC
GLSA request filed
Comment 8 Larry the Git Cow gentoo-dev 2022-09-29 14:48:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=24c3c45a48d60afb92442f5f869534360b8bdef4

commit 24c3c45a48d60afb92442f5f869534360b8bdef4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:23:57 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:01 +0000

    [ GLSA 202209-21 ] Poppler: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/867958
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-21.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 9 Larry the Git Cow gentoo-dev 2022-10-12 18:22:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bcfcfa95f14ed5ebd402f323b9959006a3ab0c1

commit 8bcfcfa95f14ed5ebd402f323b9959006a3ab0c1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-10-12 18:00:26 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-10-12 18:22:17 +0000

    app-text/poppler: unkeyword 22.07.0
    
    Bug: https://bugs.gentoo.org/867958
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-text/poppler/poppler-22.07.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Larry the Git Cow gentoo-dev 2022-10-21 07:20:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f72879034c37c6d73333bd823185bd879f33166

commit 4f72879034c37c6d73333bd823185bd879f33166
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-10-21 07:19:13 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-10-21 07:19:39 +0000

    app-text/poppler: unkeyword 22.07.0 for arm64, ppc
    
    Only ppc64 remains.
    
    Bug: https://bugs.gentoo.org/867958
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-text/poppler/poppler-22.07.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 14:55:11 UTC
cleanup done.
Comment 12 Andreas Sturmlechner gentoo-dev 2022-10-22 15:39:38 UTC
Perfect, kde proj out.
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 17:08:09 UTC
All done! \o/