Bug 679292 (CVE-2019-9543, CVE-2019-9545) - app-text/poppler: multiple vulnerabilities (CVE-2019-{9543,9545})
Summary: app-text/poppler: multiple vulnerabilities (CVE-2019-{9543,9545})
Status: IN_PROGRESS
Alias: CVE-2019-9543, CVE-2019-9545
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [upstream cve]
Reported: 2019-03-03 00:52 UTC by D'juan McDonald (domhnall)
Modified: 2023-02-27 00:24 UTC
Description D'juan McDonald (domhnall) 2019-03-03 00:52:55 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-9545):

An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero.

Reference: https://gitlab.freedesktop.org/poppler/poppler/issues/731

(https://nvd.nist.gov/vuln/detail/CVE-2019-9543):

An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.

Reference: https://gitlab.freedesktop.org/poppler/poppler/issues/730


Gentoo Security Padawan
(domhnall)
Comment 1 Agostino Sarubbo gentoo-dev 2019-03-03 08:18:32 UTC
poppler is a common lib, I'd set it to A
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2019-03-07 23:38:35 UTC
CVE-2019-9545 (https://nvd.nist.gov/vuln/detail/CVE-2019-9545):
  An issue was discovered in Poppler 0.74.0. A recursive function call, in
  JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by
  sending a crafted pdf file to (for example) the pdfimages binary. It allows
  an attacker to cause Denial of Service (Segmentation fault) or possibly have
  unspecified other impact. This is related to JBIG2Bitmap::clearToZero.

CVE-2019-9543 (https://nvd.nist.gov/vuln/detail/CVE-2019-9543):
  An issue was discovered in Poppler 0.74.0. A recursive function call, in
  JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered
  by sending a crafted pdf file to (for example) the pdfseparate binary. It
  allows an attacker to cause Denial of Service (Segmentation fault) or
  possibly have unspecified other impact. This is related to
  JArithmeticDecoder::decodeBit.
Comment 3 jospezial 2019-12-29 00:17:51 UTC Comment hidden (obsolete)
Comment 4 Andreas Sturmlechner gentoo-dev 2019-12-29 00:19:10 UTC
Is the release related to this security bug?
Comment 5 Niklāvs Koļesņikovs 2022-02-27 16:23:41 UTC
For anyone wondering if these CVEs are still relevant in 2022, the upstream issues are open and without any upstream reaction:

CVE-2019-9543: https://gitlab.freedesktop.org/poppler/poppler/-/issues/730

CVE-2019-9545: https://gitlab.freedesktop.org/poppler/poppler/-/issues/731
Comment 6 Andreas Sturmlechner gentoo-dev 2022-02-27 16:26:50 UTC
Yes.
Comment 7 jospezial 2023-02-26 20:08:52 UTC
(In reply to Niklāvs Koļesņikovs from comment #5)
> For anyone wondering if these CVEs are still relevant in 2022, the upstream
> issues are open and without any upstream reaction:
> 
> CVE-2019-9543: https://gitlab.freedesktop.org/poppler/poppler/-/issues/730
> 
> CVE-2019-9545: https://gitlab.freedesktop.org/poppler/poppler/-/issues/731

One year ago, nothing changed at the upstream reports.
Is this still relevant for latest releases?
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-02-27 00:24:22 UTC
(In reply to jospezial from comment #7)
> (In reply to Niklāvs Koļesņikovs from comment #5)
> > For anyone wondering if these CVEs are still relevant in 2022, the upstream
> > issues are open and without any upstream reaction:
> > 
> > CVE-2019-9543: https://gitlab.freedesktop.org/poppler/poppler/-/issues/730
> > 
> > CVE-2019-9545: https://gitlab.freedesktop.org/poppler/poppler/-/issues/731
> 
> One year ago, nothing changed at the upstream reports.
> Is this still relevant for latest releases?

Until the upstream bugs are closed, I assume yes. You can try the reproducers given in the bug if you want, at your own risk.