Bug 1114966 (CVE-2018-18897) - VUL-1: CVE-2018-18897: poppler: memory leak in GfxColorSpace:setDisplayProfile in GfxState.cc
Status: RESOLVED FIXED
Alias: CVE-2018-18897
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/218608/
Whiteboard: CVSSv3:SUSE:CVE-2018-18897:3.3:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-07 08:52 UTC by Robert Frohl
Modified: 2024-07-25 03:44 UTC
5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
QA Reproducer (636 bytes, application/gzip)
2018-11-07 08:56 UTC, Robert Frohl
QA Reproducer (31.76 KB, application/gzip)
2018-11-13 09:42 UTC, Robert Frohl

Description Robert Frohl 2018-11-07 08:52:56 UTC
rh#1646546

An issue was discovered in Poppler 0.71.0. There is a memory leak in
GfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by pdftocairo.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1646546
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18897
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18897.html
https://gitlab.freedesktop.org/poppler/poppler/issues/654
Comment 1 Robert Frohl 2018-11-07 08:53:42 UTC
No fix upstream at the moment, and the reproducer does not seem to work; still investigating.
Comment 2 Robert Frohl 2018-11-07 08:56:38 UTC
Created attachment 788729 [details]
QA Reproducer

Could not reproduce the described behavior, i.e. I do not see any leaks. Documenting the reproducer anyway:
$ pdftocairo memoryleak\@wildmidi_lib.c\:2066 -ps
Comment 3 Robert Frohl 2018-11-13 09:42:30 UTC
Created attachment 789473 [details]
QA Reproducer

Comment #c2 contains the wrong reproducer. Upstream added the correct one.

$ pdftocairo  memoryleak@GfxState.cc:245 -ps

valgrind shows losses on SLE12 but none for SLE15:
==371== LEAK SUMMARY:
==371==    definitely lost: 24 bytes in 1 blocks
==371==    indirectly lost: 17,936 bytes in 25 blocks
==371==      possibly lost: 8,192 bytes in 1 blocks
==371==    still reachable: 164,537 bytes in 2,917 blocks
Comment 4 Robert Frohl 2019-02-12 12:36:07 UTC
We now have an upstream commit. It looks like these codestreams are affected:
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-12:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15:Update 

fix:
https://gitlab.freedesktop.org/poppler/poppler/commit/e07c8b4784234383cb5ddcf1133ea91a772506e2
Comment 6 ANTONIO CARISTA 2019-03-25 09:04:52 UTC
I continue to see Direct leak of 24 byte in GfxColorSpace::setDisplayProfile(void*) as reported here https://gitlab.freedesktop.org/poppler/poppler/issues/654

(output from issue 654)

Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x51dc40 in operator new(unsigned long) /home/pwd/llvm_dev/llvm/projects/compiler-rt/lib/asan/asan_new_delete.cc:92
    #1 0x7f9291dfb863 in GfxColorSpace::setDisplayProfile(void*) /home/pwd/fuzz/fuzz-poppler/poppler-0.71.0/poppler/GfxState.cc:245:30
    #2 0x7f9290300b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Could you please give me some feedback?

Below is my report after the update.

AFTER:
=====

        bragi:/tmp/test_poppler # rpm -qa|grep poppler
        libpoppler-qt5-1-0.62.0-4.3.2.x86_64
        poppler-tools-0.62.0-4.3.2.x86_64
        libpoppler-qt5-devel-0.62.0-4.3.2.x86_64
        libpoppler73-0.62.0-4.3.2.x86_64
        libpoppler-devel-0.62.0-4.3.2.x86_64
        libpoppler-glib8-0.62.0-4.3.2.x86_64
        libpoppler-glib-devel-0.62.0-4.3.2.x86_64
        libpoppler-cpp0-0.62.0-4.3.2.x86_64
        poppler-data-0.4.8-bp150.2.4.noarch


        bragi:/tmp/test_poppler # valgrind --track-origins=yes --leak-check=full pdftocairo  memoryleak@GfxState.cc:245 -ps
        ==17519== Memcheck, a memory error detector
        ==17519== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
        ==17519== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
        ==17519== Command: pdftocairo memoryleak@GfxState.cc:245 -ps
        ==17519==

... ....

        ==17519== 26,152 (24 direct, 26,128 indirect) bytes in 1 blocks are definitely lost in loss record 292 of 294
        ==17519==    at 0x4C2E68F: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
        ==17519==    by 0x5556373: GfxColorSpace::setDisplayProfile(void*) (in /usr/lib64/libpoppler.so.73.0.0)
        ==17519==    by 0x117F57: main (in /usr/bin/pdftocairo)
        ==17519==
        ==17519== LEAK SUMMARY:
        ==17519==    definitely lost: 8,996 bytes in 21 blocks
        ==17519==    indirectly lost: 27,132 bytes in 62 blocks
        ==17519==      possibly lost: 0 bytes in 0 blocks
        ==17519==    still reachable: 558,598 bytes in 9,529 blocks
        ==17519==         suppressed: 0 bytes in 0 blocks
        ==17519== Reachable blocks (those to which a pointer was found) are not shown.
        ==17519== To see them, rerun with: --leak-check=full --show-leak-kinds=all
        ==17519==
        ==17519== For counts of detected and suppressed errors, rerun with: -v
        ==17519== ERROR SUMMARY: 15 errors from 10 contexts (suppressed: 0 from 0)
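Verifying a fix for this class of bug means reading the valgrind run rather than the pdftocairo exit status. The parser below is an added example (not part of this bug, of poppler, or of the SUSE update process): it extracts the definitely-lost records and the LEAK SUMMARY from output like the one in comment 3 and comment 6 above, so the 24-byte record attributed to GfxColorSpace::setDisplayProfile can be checked before and after an update. The sample text is constructed from the quoted output; the second (malloc) record is invented to exercise the form without direct/indirect counts.

```python
import re
from dataclasses import dataclass, field
# Constructed sample modelled on the valgrind output quoted in this bug; the PID, addresses
# and the second (malloc) record are illustrative, not taken from a live run.
SAMPLE = """\
==17519== 26,152 (24 direct, 26,128 indirect) bytes in 1 blocks are definitely lost in loss record 292 of 294
==17519==    at 0x4C2E68F: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==17519==    by 0x5556373: GfxColorSpace::setDisplayProfile(void*) (in /usr/lib64/libpoppler.so.73.0.0)
==17519==    by 0x117F57: main (in /usr/bin/pdftocairo)
==17519==
==17519== 72 bytes in 3 blocks are definitely lost in loss record 10 of 294
==17519==    at 0x4C2DB8F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==17519==    by 0x117A10: main (in /usr/bin/pdftocairo)
==17519==
==17519== LEAK SUMMARY:
==17519==    definitely lost: 8,996 bytes in 21 blocks
==17519==    indirectly lost: 27,132 bytes in 62 blocks
"""
_RECORD = re.compile(r"^==\d+== ([\d,]+)(?: \(([\d,]+) direct, ([\d,]+) indirect\))? bytes"
                     r" in ([\d,]+) blocks? are definitely lost")
_FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+?) \(")
_SUMMARY = re.compile(r"^==\d+==\s+(\w+ lost|still reachable): ([\d,]+) bytes in ([\d,]+) blocks")

def _num(s): return int(s.replace(",", ""))   # valgrind prints thousands separators
@dataclass
class LeakRecord:
    direct: int      # bytes in the lost block itself
    indirect: int    # bytes reachable only through the lost block
    blocks: int
    frames: list = field(default_factory=list)  # innermost frame first

def parse_valgrind(text):
    """Return (definitely-lost records, LEAK SUMMARY as {kind: bytes})."""
    records, summary, current = [], {}, None
    for line in text.splitlines():
        if m := _RECORD.match(line):
            total, direct, indirect, blocks = m.groups()
            current = LeakRecord(_num(direct or total), _num(indirect or "0"), _num(blocks))
            records.append(current)
        elif (m := _FRAME.match(line)) and current is not None:
            current.frames.append(m.group(1))
        else:
            if m := _SUMMARY.match(line):
                summary[m.group(1)] = _num(m.group(2))
            current = None   # a bare "==PID==" line ends the record's stack
    return records, summary

def leaks_through(records, symbol):
    """Records whose call stack passes through a frame containing `symbol`."""
    return [r for r in records if any(symbol in f for f in r.frames)]
```

Running `leaks_through(records, "setDisplayProfile")` on the "before" and "after" logs gives an empty list only when the patched library no longer allocates in that function without releasing; a non-zero "definitely lost" total on its own says nothing about which leak remains.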
Comment 10 Swamp Workflow Management 2021-12-01 20:28:29 UTC
SUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Enterprise Storage 6 (src):    poppler-0.62.0-4.6.1
SUSE CaaS Platform 4.0 (src):    poppler-0.62.0-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-12-01 21:12:23 UTC
openSUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    poppler-0.62.0-4.6.1
Comment 12 Petr Gajdos 2023-06-19 08:36:51 UTC
Will submit this for 12sp2,12/poppler. No valgrind errors before or after.

I do not see any valgrind errors for the testcase on 15/poppler.
Comment 14 Petr Gajdos 2023-07-18 10:42:07 UTC
I believe all fixed.
Comment 15 Maintenance Automation 2023-07-20 12:30:42 UTC
SUSE-SU-2023:2907-1: An update that solves 14 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1136105, 1149635, 1199272
CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-12293, CVE-2019-7310, CVE-2022-27337
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2023-07-20 12:30:48 UTC
SUSE-SU-2023:2906-1: An update that solves 13 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1149635, 1199272
CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-7310, CVE-2022-27337
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.