Ubuntu
poppler package

Nullpointer dereference

Bug #1803059 reported by Dhiraj
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
poppler (Ubuntu)
Fix Released
High
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned

Bug Description

* Impact
Evince segfaults on some pdf documents

* Test case
Download and try to open https://bugs.freedesktop.org/attachment.cgi?id=138927 with evince, it shouldn't segfault

* Regression potential
Nothing special to test, make sure evince still opens pdfs without issue

-----------------------------

System Info: Linux zero 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Evince version: GNOME Document Viewer 3.28.4

While fuzzing evince v3.28.4, on linux 4.15.0-38-generic (Ubuntu 18.04 LTS), a null-pointer dereference was observed, initially this was reported to evince but the evince team advised that the issue is in poppler, the library used by evince to render PDF, poppler version: 0.62.0-2ubuntu2.2 is vulnerable to null-pointer dereference, however the issue is already fixed in poppler 0.70, but this will still crash your evince v3.28.4 in ubuntu if poppler is not updated to v.0.70.

Fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version. I think Ubuntu is still using,

Source: poppler
Version: 0.62.0-2ubuntu2.2

So, most of the systems will be affected to this issue.

Upstream: https://gitlab.freedesktop.org/poppler/poppler/issues/664

See original description
Steve Beattie (sbeattie)
information type: Private Security → Public Security
Revision history for this message
Sebastien Bacher (seb128) wrote :

The bug is fixed in 0.70 according to upstream

Changed in evince (Ubuntu):
importance: Undecided → High
status: New → Fix Committed
affects: evince (Ubuntu) → poppler (Ubuntu)
Revision history for this message
Sebastien Bacher (seb128) wrote :

upstream suggests the fix might be https://gitlab.freedesktop.org/poppler/poppler/commit/f162ecde

Sebastien Bacher (seb128)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Dhiraj, or anyone else affected,

Accepted poppler into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/poppler/0.68.0-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in poppler (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Dhiraj, or anyone else affected,

Accepted poppler into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/poppler/0.62.0-2ubuntu2.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in poppler (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Dhiraj (mishra-dhiraj95) wrote :

Hey, this is fix now i cannot reproduce the crash. Also was any CVE assigned to this ?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package poppler - 0.62.0-2ubuntu2.4

---------------
poppler (0.62.0-2ubuntu2.4) bionic-security; urgency=medium

  [ Marc Deslauriers ]
  * SECURITY UPDATE: infinite recursion via crafted file
    - debian/patches/CVE-2018-16646.patch: avoid cycles in PDF parsing in
      poppler/Parser.cc, poppler/XRef.h.
    - CVE-2018-16646
  * SECURITY UPDATE: denial of service via reachable abort
    - debian/patches/CVE-2018-19058.patch: check for stream before calling
      stream methods when saving an embedded file in poppler/FileSpec.cc.
    - CVE-2018-19058
  * SECURITY UPDATE: denial of service via out-of-bounds read
    - debian/patches/CVE-2018-19059.patch: check for valid embedded file
      before trying to save it in utils/pdfdetach.cc.
    - CVE-2018-19059
  * SECURITY UPDATE: denial of service via NULL pointer dereference
    - debian/patches/CVE-2018-19060.patch: check for valid file name of
      embedded file in utils/pdfdetach.cc.
    - CVE-2018-19060

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 30 Nov 2018 14:36:01 -0300

Changed in poppler (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Sebastien Bacher (seb128) wrote :

> Hey, this is fix now i cannot reproduce the crash. Also was any CVE assigned to this ?

No CVE assigned, do you believe it should have one? It seems a segfault but no sign of being possible to exploit? I'm Ccing the security team in case they want to comment though

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

The upstream commit was assigned CVE-2018-19149.

Revision history for this message
Sebastien Bacher (seb128) wrote :

The SRU was superseeded by proper security updates it looks like, closing the bug manually now

Changed in poppler (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Revision history for this message
Miguel (miguel34) wrote :

I am getting reproducible crashes after update from poppler 0.62.0-2ubuntu2.2 to poppler 0.62.0-2ubuntu2.4

Test PDF file attached.

Crashed experiences since following upgrades:
    libpoppler-cpp-dev (0.62.0-2ubuntu2.2) to 0.62.0-2ubuntu2.4
    libpoppler-cpp0v5 (0.62.0-2ubuntu2.2) to 0.62.0-2ubuntu2.4
    libpoppler-dev (0.62.0-2ubuntu2.2) to 0.62.0-2ubuntu2.4
    libpoppler-glib8 (0.62.0-2ubuntu2.2) to 0.62.0-2ubuntu2.4
    libpoppler-private-dev (0.62.0-2ubuntu2.2) to 0.62.0-2ubuntu2.4
    libpoppler-qt5-1 (0.62.0-2ubuntu2.2) to 0.62.0-2ubuntu2.4
    libpoppler73 (0.62.0-2ubuntu2.2) to 0.62.0-2ubuntu2.4
    poppler-utils (0.62.0-2ubuntu2.2) to 0.62.0-2ubuntu2.4

Reverting to previous versions fixes the crashes.

System: 18.04.1 LTS bionic (32 bit)
Linux 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:10 UTC 2018 i686 i686 i686 GNU/Linux
PC

gdb trace:
Starting program: /usr/bin/evince Bureau/evince/test_CGV_FORFAIT_hors_opt_20170308.pdf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb5b82b40 (LWP 6602)]
[New Thread 0xb51ffb40 (LWP 6603)]
[New Thread 0xb47ffb40 (LWP 6604)]
warning: Error reading shared library list entry at 0x6840
warning: Error reading shared library list entry at 0x5a60
[New Thread 0xb3c77b40 (LWP 6608)]
warning: Error reading shared library list entry at 0x75e0
[New Thread 0xb1356b40 (LWP 6609)]
warning: Error reading shared library list entry at 0x5130
warning: Error reading shared library list entry at 0xffff97b0

Thread 6 "EvJobScheduler" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb1356b40 (LWP 6609)]
0xb096a379 in Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) () from /usr/lib/i386-linux-gnu/libpoppler.so.73

Revision history for this message
Miguel (miguel34) wrote :

Problem seems to be still present, possibly due to previous change.
Crashes when opening PDF files since last update in Ubuntu

Changed in poppler (Ubuntu):
status: Fix Committed → Confirmed
Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hi Miguel,

Sorry for the inconvenient, I`m aware of the situation and I`m working to fix this issue.

Thanks tor report this.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package poppler - 0.71.0-0ubuntu3

---------------
poppler (0.71.0-0ubuntu3) disco; urgency=medium

  * Re-upload the 0.71 update which was deleted from disco-proposed to
    not get in the way of other transitions (lp: #1796717)
    - include a fix for a crash due to missing embedded file (lp: #1803059)

poppler (0.71.0-0ubuntu2) disco; urgency=medium

  * Declare some symbols optional to fix the build

poppler (0.71.0-0ubuntu1) disco; urgency=medium

  * New upstream version
  * Changed the binary name according to the soname update
  * Updated the symbols

 -- Sebastien Bacher <email address hidden> Fri, 23 Nov 2018 15:35:31 +0100

Changed in poppler (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Fix released for trusty, bionic, xenial and cosmic https://usn.ubuntu.com/3837-2/

Revision history for this message
Miguel (miguel34) wrote :

Thank you, the bug is fixed for me.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.