RHSA-2019:2022

https://bugzilla.redhat.com/show_bug.cgi?id=1622951

[debian-lts-announce] 20181031 [SECURITY] [DLA 1562-1] poppler security update

[debian-lts-announce] 20181130 [SECURITY] [DLA 1562-2] poppler security update

[debian-lts-announce] 20181214 [SECURITY] [DLA 1562-3] poppler regression update

USN-3837-1

USN-3837-2

According to the versions of the poppler packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In Poppler 0.68.0, the Parser::getObj() function in     Parser.cc may cause infinite recursion via a crafted     file. A remote attacker can leverage this for a DoS     attack.(CVE-2018-16646)

  - An issue was discovered in Poppler 0.71.0. There is a     memory leak in GfxColorSpace::setDisplayProfile in     GfxState.cc, as demonstrated by     pdftocairo.(CVE-2018-18897)

  - An issue was discovered in Poppler 0.71.0. There is a     reachable abort in Object.h, will lead to denial of     service because EmbFile::save2 in FileSpec.cc lacks a     stream check before saving an embedded     file.(CVE-2018-19058)

  - An issue was discovered in Poppler 0.71.0. There is a     out-of-bounds read in EmbFile::save2 in FileSpec.cc,     will lead to denial of service, as demonstrated by     utils/pdfdetach.cc not validating embedded files before     save attempts.(CVE-2018-19059)

  - An issue was discovered in Poppler 0.71.0. There is a     NULL pointer dereference in goo/GooString.h, will lead     to denial of service, as demonstrated by     utils/pdfdetach.cc not validating a filename of an     embedded file before constructing a save     path.(CVE-2018-19060)

  - Poppler before 0.70.0 has a NULL pointer dereference in
    _poppler_attachment_new when called from     poppler_annot_file_attachment_get_attachment.(CVE-2018-     19149)

  - A reachable Object::dictLookup assertion in Poppler     0.72.0 allows attackers to cause a denial of service     due to the lack of a check for the dict data type, as     demonstrated by use of the FileSpec class (in     FileSpec.cc) in pdfdetach.(CVE-2018-20650)

  - In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows     attackers to cause a denial-of-service (application     crash caused by Object.h SIGABRT, because of a wrong     return value from PDFDoc::setup) by crafting a PDF file     in which an xref data structure is mishandled during     extractPDFSubtype processing.(CVE-2018-20662)

  - Poppler 0.74.0 has a heap-based buffer over-read in the     CairoRescaleBox.cc downsample_row_box_filter     function.(CVE-2019-9631)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the poppler packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - poppler through version 0.55.0 is vulnerable to an     uncontrolled recursion in pdfunite resulting into     potential denial-of-service.(CVE-2017-7515)

  - An issue was discovered in Poppler 0.71.0. There is a     reachable abort in Object.h, will lead to denial of     service because EmbFile::save2 in FileSpec.cc lacks a     stream check before saving an embedded     file.(CVE-2018-19058)

  - An issue was discovered in Poppler 0.71.0. There is a     out-of-bounds read in EmbFile::save2 in FileSpec.cc,     will lead to denial of service, as demonstrated by     utils/pdfdetach.cc not validating embedded files before     save attempts.(CVE-2018-19059)

  - An issue was discovered in Poppler 0.71.0. There is a     NULL pointer dereference in goo/GooString.h, will lead     to denial of service, as demonstrated by     utils/pdfdetach.cc not validating a filename of an     embedded file before constructing a save     path.(CVE-2018-19060)

  - Poppler before 0.70.0 has a NULL pointer dereference in
    _poppler_attachment_new when called from     poppler_annot_file_attachment_get_attachment.(CVE-2018-     19149)

  - A reachable Object::dictLookup assertion in Poppler     0.72.0 allows attackers to cause a denial of service     due to the lack of a check for the dict data type, as     demonstrated by use of the FileSpec class (in     FileSpec.cc) in pdfdetach.(CVE-2018-20650)

  - In Poppler 0.68.0, the Parser::getObj() function in     Parser.cc may cause infinite recursion via a crafted     file. A remote attacker can leverage this for a DoS     attack.(CVE-2018-16646)

  - An issue was discovered in Poppler 0.71.0. There is a     memory leak in GfxColorSpace::setDisplayProfile in     GfxState.cc, as demonstrated by     pdftocairo.(CVE-2018-18897)

  - In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows     attackers to cause a denial-of-service (application     crash caused by Object.h SIGABRT, because of a wrong     return value from PDFDoc::setup) by crafting a PDF file     in which an xref data structure is mishandled during     extractPDFSubtype processing.(CVE-2018-20662)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack.(CVE-2018-16646)

An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.(CVE-2018-18897)

An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.(CVE-2018-19058)

An issue was discovered in Poppler 0.71.0. There is a out-of-bounds read in EmbFile::save2 in FileSpec.cc, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts.(CVE-2018-19059)

An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating a filename of an embedded file before constructing a save path.(CVE-2018-19060)

Poppler before 0.70.0 has a NULL pointer dereference in
_poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.(CVE-2018-19149)

XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.(CVE-2018-20481)

A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.(CVE-2018-20650)

In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing.(CVE-2018-20662)

In Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo.(CVE-2019-7310)

A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.(CVE-2019-9200)

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function.(CVE-2019-9631)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has poppler packages installed that are affected by multiple vulnerabilities:

  - Poppler before 0.70.0 has a NULL pointer dereference in
    _poppler_attachment_new when called from     poppler_annot_file_attachment_get_attachment.
    (CVE-2018-19149)

  - In Poppler 0.68.0, the Parser::getObj() function in     Parser.cc may cause infinite recursion via a crafted     file. A remote attacker can leverage this for a DoS     attack. (CVE-2018-16646)

  - An issue was discovered in Poppler 0.71.0. There is a     memory leak in GfxColorSpace::setDisplayProfile in     GfxState.cc, as demonstrated by pdftocairo.
    (CVE-2018-18897)

  - An issue was discovered in Poppler 0.71.0. There is a     reachable abort in Object.h, will lead to denial of     service because EmbFile::save2 in FileSpec.cc lacks a     stream check before saving an embedded file.
    (CVE-2018-19058)

  - An issue was discovered in Poppler 0.71.0. There is a     out-of-bounds read in EmbFile::save2 in FileSpec.cc,     will lead to denial of service, as demonstrated by     utils/pdfdetach.cc not validating embedded files before     save attempts. (CVE-2018-19059)

  - An issue was discovered in Poppler 0.71.0. There is a     NULL pointer dereference in goo/GooString.h, will lead     to denial of service, as demonstrated by     utils/pdfdetach.cc not validating a filename of an     embedded file before constructing a save path.
    (CVE-2018-19060)

  - In Poppler 0.73.0, a heap-based buffer over-read (due to     an integer signedness error in the XRef::getEntry     function in XRef.cc) allows remote attackers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a crafted PDF document, as     demonstrated by pdftocairo. (CVE-2019-7310)

  - A heap-based buffer underwrite exists in     ImageStream::getLine() located at Stream.cc in Poppler     0.74.0 that can (for example) be triggered by sending a     crafted PDF file to the pdfimages binary. It allows an     attacker to cause Denial of Service (Segmentation fault)     or possibly have unspecified other impact.
    (CVE-2019-9200)

  - Poppler 0.74.0 has a heap-based buffer over-read in the     CairoRescaleBox.cc downsample_row_box_filter function.
    (CVE-2019-9631)

  - In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows     attackers to cause a denial-of-service (application     crash caused by Object.h SIGABRT, because of a wrong     return value from PDFDoc::setup) by crafting a PDF file     in which an xref data structure is mishandled during     extractPDFSubtype processing. (CVE-2018-20662)

  - A reachable Object::dictLookup assertion in Poppler     0.72.0 allows attackers to cause a denial of service due     to the lack of a check for the dict data type, as     demonstrated by use of the FileSpec class (in     FileSpec.cc) in pdfdetach. (CVE-2018-20650)

  - XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles     unallocated XRef entries, which allows remote attackers     to cause a denial of service (NULL pointer dereference)     via a crafted PDF document, when XRefEntry::setFlag in     XRef.h is called from Parser::makeStream in Parser.cc.
    (CVE-2018-20481)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for poppler, evince, and okular is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince or Okular.

Security Fix(es) :

* poppler: heap-based buffer over-read in XRef::getEntry in XRef.cc (CVE-2019-7310)

* poppler: heap-based buffer overflow in function ImageStream::getLine() in Stream.cc (CVE-2019-9200)

* poppler: infinite recursion in Parser::getObj function in Parser.cc (CVE-2018-16646)

* poppler: memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc (CVE-2018-18897)

* poppler: reachable abort in Object.h (CVE-2018-19058)

* poppler: out-of-bounds read in EmbFile::save2 in FileSpec.cc (CVE-2018-19059)

* poppler: pdfdetach utility does not validate save paths (CVE-2018-19060)

* poppler: NULL pointer dereference in _poppler_attachment_new (CVE-2018-19149)

* poppler: NULL pointer dereference in the XRef::getEntry in XRef.cc (CVE-2018-20481)

* poppler: reachable Object::dictLookup assertion in FileSpec class in FileSpec.cc (CVE-2018-20650)

* poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc (CVE-2018-20662)

* poppler: heap-based buffer over-read in function downsample_row_box_filter in CairoRescaleBox.cc (CVE-2019-9631)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.(CVE-2018-20481)

In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. (CVE-2018-16646)

Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function.(CVE-2019-9631)

A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.(CVE-2018-20650)

An issue was discovered in Poppler 0.71.0. There is a out-of-bounds read in EmbFile::save2 in FileSpec.cc, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts.(CVE-2018-19059)

An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.(CVE-2018-19058)

Poppler before 0.70.0 has a NULL pointer dereference in
_poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.(CVE-2018-19149)

In Poppler 0.73.0, a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document, as demonstrated by pdftocairo.(CVE-2019-7310)

An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.(CVE-2018-18897)

An issue was discovered in Poppler 0.71.0. There is a NULL pointer dereference in goo/GooString.h, will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating a filename of an embedded file before constructing a save path.(CVE-2018-19060)

A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.(CVE-2019-9200)

In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing.(CVE-2018-20662)

Security Fix(es) :

  - poppler: heap-based buffer over-read in XRef::getEntry     in XRef.cc (CVE-2019-7310)

  - poppler: heap-based buffer overflow in function     ImageStream::getLine() in Stream.cc (CVE-2019-9200)

  - poppler: infinite recursion in Parser::getObj function     in Parser.cc (CVE-2018-16646)

  - poppler: memory leak in GfxColorSpace::setDisplayProfile     in GfxState.cc (CVE-2018-18897)

  - poppler: reachable abort in Object.h (CVE-2018-19058)

  - poppler: out-of-bounds read in EmbFile::save2 in     FileSpec.cc (CVE-2018-19059)

  - poppler: pdfdetach utility does not validate save paths     (CVE-2018-19060)

  - poppler: NULL pointer dereference in
    _poppler_attachment_new (CVE-2018-19149)

  - poppler: NULL pointer dereference in the XRef::getEntry     in XRef.cc (CVE-2018-20481)

  - poppler: reachable Object::dictLookup assertion in     FileSpec class in FileSpec.cc (CVE-2018-20650)

  - poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc     (CVE-2018-20662)

  - poppler: heap-based buffer over-read in function     downsample_row_box_filter in CairoRescaleBox.cc     (CVE-2019-9631)

Security fix for CVE-2018-16646, CVE-2018-19058, CVE-2018-19059 and CVE-2018-19060.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes CVE-2018-16646, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3837-1 fixed vulnerabilities in poppler. A regression was reported regarding the previous update. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details :

It was discovered that poppler incorrectly handled certain PDF files.
An attacker could possibly use this issue to cause a denial of service. (CVE-2018-16646)

It was discovered that poppler incorrectly handled certain PDF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-19149).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that poppler incorrectly handled certain PDF files.
An attacker could possibly use this issue to cause a denial of service. (CVE-2018-16646, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060)

It was discovered that poppler incorrectly handled certain PDF files.
An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2018-19149).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A second regression issue has been resolved in the poppler PDF rendering shared library this time introduced with version 0.26.5-2+deb8u6 (see DLA 1562-2).

CVE-2018-16646

In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack.

The poppler upstream developers added two more regression fixes on top of the original fix (upstream merge request #91). These two patches have now been added to the poppler package in Debian jessie LTS.

For Debian 8 'Jessie', this problem has been fixed in version 0.26.5-2+deb8u7.

We recommend that you upgrade your poppler packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
130731	EulerOS 2.0 SP3 : poppler (EulerOS-SA-2019-2269)	Nessus	Huawei Local Security Checks	high
130686	EulerOS 2.0 SP5 : poppler (EulerOS-SA-2019-2224)	Nessus	Huawei Local Security Checks	medium
130228	Amazon Linux 2 : poppler (ALAS-2019-1332)	Nessus	Amazon Linux Local Security Checks	high
129923	NewStart CGSL CORE 5.04 / MAIN 5.04 : poppler Multiple Vulnerabilities (NS-SA-2019-0202)	Nessus	NewStart CGSL Local Security Checks	high
128331	CentOS 7 : evince / okular / poppler (CESA-2019:2022)	Nessus	CentOS Local Security Checks	high
128294	Amazon Linux AMI : poppler (ALAS-2019-1271)	Nessus	Amazon Linux Local Security Checks	high
128252	Scientific Linux Security Update : poppler on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
127648	RHEL 7 : poppler (RHSA-2019:2022)	Nessus	Red Hat Local Security Checks	high
120870	Fedora 29 : poppler (2018-e805688895)	Nessus	Fedora Local Security Checks	medium
120486	Fedora 29 : mingw-poppler (2018-679f8aba03)	Nessus	Fedora Local Security Checks	medium
120434	Fedora 28 : poppler (2018-54ed26a423)	Nessus	Fedora Local Security Checks	medium
120243	Fedora 28 : mingw-poppler (2018-12b934e224)	Nessus	Fedora Local Security Checks	medium
119652	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : poppler regression (USN-3837-2)	Nessus	Ubuntu Local Security Checks	medium
119458	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : poppler vulnerabilities (USN-3837-1)	Nessus	Ubuntu Local Security Checks	medium
118578	Debian DLA-1562-3 : poppler regression update	Nessus	Debian Local Security Checks	medium

CVE-2018-16646

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins