Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 619558 (CVE-2017-9083) - <app-text/poppler-0.57.0-r1 [-jpeg,-jpeg2k]: Null pointer dereference in the JPXStream::readUByte function
Summary: <app-text/poppler-0.57.0-r1 [-jpeg,-jpeg2k]: Null pointer dereference in the ...
Status: RESOLVED FIXED
Alias: CVE-2017-9083
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2017-2820
  Show dependency tree
 
Reported: 2017-05-24 13:51 UTC by Agostino Sarubbo
Modified: 2018-01-17 13:43 UTC (History)
4 users (show)

See Also:
Package list:
app-text/poppler-0.57.0-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-24 13:51:52 UTC
From ${URL} :

poppler 0.54.0, as used in Evince and other products, has a NULL pointer dereference in the JPXStream::readUByte function in JPXStream.cc. For example, the perf_test utility will crash (segmentation 
fault) when parsing an invalid PDF file.

Upstream bug:

https://bugs.freedesktop.org/show_bug.cgi?id=101084


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2017-05-24 14:07:14 UTC
commit 2f137d79eb6929fa0606f158f86e4520fff958a2 (HEAD -> master, origin/master, origin/HEAD)
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Wed May 24 16:05:05 2017 +0200

    app-text/poppler: Version bump to 0.55.0
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 2 Ulenrich 2017-05-24 16:04:49 UTC
Now I can recognize something is missing, while doing:

emerge -1 =app-text/poppler-0.55.0
----
-- Performing Test ICONV_SECOND_ARGUMENT_IS_CONST
-- Performing Test ICONV_SECOND_ARGUMENT_IS_CONST - Failed
-- Found Iconv: /usr/lib/libc.so
CMake Error at CMakeLists.txt:233 (message):
  Invalid ENABLE_LIBOPENJPEG value:

-- Configuring incomplete, errors occurred!
----

I don't know what is missing:  qlist -Iv jpeg shows:
media-libs/libjpeg-turbo-1.5.1
media-libs/openjpeg-2.1.2
media-video/mjpegtools-2.1.0-r2
virtual/jpeg-0-r2
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-05-24 16:23:13 UTC
FYI: poppler-0.55 didn't address CVE-2017-9083.

@ Ulenrich: I cannot reproduce. However, please file a new bug.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-06-03 15:24:18 UTC
(In reply to Ulenrich from comment #2)
> Now I can recognize something is missing, while doing:
> 
> emerge -1 =app-text/poppler-0.55.0
> ----
> -- Performing Test ICONV_SECOND_ARGUMENT_IS_CONST
> -- Performing Test ICONV_SECOND_ARGUMENT_IS_CONST - Failed
> -- Found Iconv: /usr/lib/libc.so
> CMake Error at CMakeLists.txt:233 (message):
>   Invalid ENABLE_LIBOPENJPEG value:
> 
> -- Configuring incomplete, errors occurred!
> ----
> 
> I don't know what is missing:  qlist -Iv jpeg shows:
> media-libs/libjpeg-turbo-1.5.1
> media-libs/openjpeg-2.1.2
> media-video/mjpegtools-2.1.0-r2
> virtual/jpeg-0-r2

That's being tracked in bug #619720.
Comment 5 Michael Palimaka (kensington) gentoo-dev 2017-10-01 11:50:20 UTC
There's no evidence this is fixed.
Comment 6 Andreas Sturmlechner gentoo-dev 2017-11-24 20:39:26 UTC
Adding blocking CVEs that are all variations of this security issue [internal unmaintained JPX decoder] that is caused when building without system-jpeg libs. Fedora does not care because they always build with system-jpeg, however in Gentoo we allow the user to disable both options and poppler's buildsystem is making us believe there would be no JPX decoder built in that case, when later the following happens:

---
if(LIBOPENJPEG_FOUND)
  set(poppler_SRCS ${poppler_SRCS}
    poppler/JPEG2000Stream.cc
  )
  set(poppler_LIBS ${poppler_LIBS} ${LIBOPENJPEG_LIBRARIES})
  add_definitions(-DUSE_OPENJPEG1)
elseif (LIBOPENJPEG2_FOUND)
  set(poppler_SRCS ${poppler_SRCS}
    poppler/JPEG2000Stream.cc
  )
  add_definitions(-DUSE_OPENJPEG2)
  set(poppler_LIBS ${poppler_LIBS} ${LIBOPENJPEG2_LIBRARIES})
else ()
  set(poppler_SRCS ${poppler_SRCS}
    poppler/JPXStream.cc
  )
endif()
---

Even though the rest of the code is all built with HAVE_JPX_DECODER=OFF, so is probably not making use of it. If we trust the ifdefs.

1.) The easiest way to solve this without any patching of code necessary would be adding REQUIRED_USE="|| ( jpeg jpeg2k )", and we can introduce this as a stable revbump.

2.) Patch CMakeLists.txt and let the stabilisations begin again:

--- a/CMakeLists.txt 2017-07-31 23:39:14.000000000 +0200
+++ b/CMakeLists.txt 2017-11-24 21:34:54.651636371 +0100
@@ -506,9 +506,11 @@
   add_definitions(-DUSE_OPENJPEG2)
   set(poppler_LIBS ${poppler_LIBS} ${LIBOPENJPEG2_LIBRARIES})
 else ()
-  set(poppler_SRCS ${poppler_SRCS}
-    poppler/JPXStream.cc
-  )
+  if(NOT WITH_OPENJPEG AND HAVE_JPX_DECODER)
+    set(poppler_SRCS ${poppler_SRCS}
+      poppler/JPXStream.cc
+    )
+  endif()
 endif()
 if(USE_CMS)

It builds fine.
   if(LCMS_FOUND)
Comment 7 Larry the Git Cow gentoo-dev 2017-11-24 23:07:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0f7e72d6950013ea98f65116dc44cedd8923dd5

commit b0f7e72d6950013ea98f65116dc44cedd8923dd5
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2017-11-24 22:55:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2017-11-24 23:06:22 +0000

    app-text/poppler: Fix CVE-2017-{2820,9083}
    
    Bug: https://bugs.gentoo.org/619558
    Bug: https://bugs.gentoo.org/624708
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../poppler-0.57.0-disable-internal-jpx.patch      | 25 ++++++++++++++++++++++
 app-text/poppler/poppler-0.57.0-r1.ebuild          |  1 +
 2 files changed, 26 insertions(+)}
Comment 8 Andreas Sturmlechner gentoo-dev 2017-11-26 10:32:20 UTC
Arches, please stabilise.
Comment 9 Sergei Trofimovich gentoo-dev 2017-11-26 19:18:12 UTC
ppc64 stable
Comment 10 Sergei Trofimovich gentoo-dev 2017-11-26 20:07:49 UTC
hppa stable
Comment 11 ernsteiswuerfel 2017-11-27 18:24:09 UTC
Looking good on ppc.

# cat poppler.report 
USE='-cairo -cjk -curl -cxx -doc -introspection -jpeg -jpeg2k -lcms -nss -png -qt4 -qt5 -tiff -utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='cairo -cjk curl cxx -doc introspection jpeg jpeg2k lcms -nss -png -qt4 -qt5 -tiff -utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo cjk -curl cxx -doc introspection -jpeg jpeg2k lcms -nss png -qt4 -qt5 -tiff -utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo -cjk curl -cxx -doc introspection jpeg jpeg2k -lcms -nss png -qt4 qt5 -tiff -utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo cjk curl -cxx -doc introspection -jpeg -jpeg2k lcms nss -png -qt4 qt5 tiff -utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='cairo -cjk -curl cxx -doc introspection -jpeg -jpeg2k lcms -nss png qt4 qt5 tiff -utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='cairo -cjk curl cxx doc -introspection jpeg jpeg2k -lcms nss -png -qt4 -qt5 -tiff utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo -cjk curl cxx doc introspection -jpeg jpeg2k lcms nss -png qt4 -qt5 -tiff utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='cairo -cjk curl -cxx -doc introspection jpeg jpeg2k -lcms -nss png -qt4 qt5 -tiff utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo cjk curl -cxx -doc introspection -jpeg -jpeg2k -lcms -nss -png qt4 qt5 -tiff utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo -cjk curl -cxx doc introspection jpeg jpeg2k -lcms nss -png qt4 qt5 -tiff utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo cjk curl -cxx doc introspection jpeg -jpeg2k -lcms nss png qt4 qt5 -tiff utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='cairo cjk curl cxx -doc -introspection jpeg -jpeg2k lcms nss png qt4 qt5 tiff utils'  succeeded for =app-text/poppler-0.57.0-r1
USE='cairo cjk curl cxx doc introspection jpeg jpeg2k lcms nss png qt4 qt5 tiff utils'  succeeded for =app-text/poppler-0.57.0-r1
 FEATURES= test succeeded for =app-text/poppler-0.57.0-r1
Comment 12 Sergei Trofimovich gentoo-dev 2017-11-27 19:58:27 UTC
ppc stable (ernsteiswuerfel)
Comment 13 Agostino Sarubbo gentoo-dev 2017-11-29 11:19:18 UTC
amd64 stable
Comment 14 Thomas Deutschmann gentoo-dev Security 2017-11-29 18:55:17 UTC
x86 stable
Comment 15 Sergei Trofimovich gentoo-dev 2017-11-29 20:30:05 UTC
ia64 stable
Comment 16 Tobias Klausmann gentoo-dev 2017-11-30 20:22:15 UTC
Stable on alpha.
Comment 17 Andreas Sturmlechner gentoo-dev 2017-12-09 21:33:00 UTC
arm ping
Comment 18 Sergei Trofimovich gentoo-dev 2017-12-10 00:27:20 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 19 Markus Meier gentoo-dev 2017-12-12 18:38:38 UTC
arm stable, all arches done.
Comment 20 Larry the Git Cow gentoo-dev 2017-12-12 18:55:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9283eee020cca78236442b948c74b1327c6a80e6

commit 9283eee020cca78236442b948c74b1327c6a80e6
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2017-12-12 18:55:28 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2017-12-12 18:55:28 +0000

    app-text/poppler: Drop vulnerable 0.57.0 (r0)
    
    Bug: https://bugs.gentoo.org/619558
    Package-Manager: Portage-2.3.18, Repoman-2.3.6

 app-text/poppler/poppler-0.57.0.ebuild | 146 ---------------------------------
 1 file changed, 146 deletions(-)}
Comment 21 Andreas Sturmlechner gentoo-dev 2017-12-12 18:58:51 UTC
kde, office teams done.
Comment 22 Larry the Git Cow gentoo-dev 2017-12-20 23:08:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25a02f548c6203536c02e119b06d16a80be7fc73

commit 25a02f548c6203536c02e119b06d16a80be7fc73
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2017-12-20 23:07:07 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2017-12-20 23:07:55 +0000

    app-text/poppler: Fix CVE-2017-{2820,9083}
    
    Bug: https://bugs.gentoo.org/619558
    Bug: https://bugs.gentoo.org/624708
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 app-text/poppler/poppler-0.61.1.ebuild | 1 +
 app-text/poppler/poppler-0.62.0.ebuild | 1 +
 app-text/poppler/poppler-9999.ebuild   | 1 +
 3 files changed, 3 insertions(+)}
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 13:43:06 UTC
This issue was resolved and addressed in
 GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17
by GLSA coordinator Aaron Bauman (b-man).