Bug 1115187 (CVE-2018-19058) - VUL-1: CVE-2018-19058: poppler: reachable abort in Object.h leading to denial of service
Status: RESOLVED FIXED
Alias: CVE-2018-19058
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/218857/
Whiteboard: CVSSv3:SUSE:CVE-2018-19058:3.3:(AV:L/...
Reported: 2018-11-08 10:09 UTC by Robert Frohl
Modified: 2024-07-19 13:05 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
QA Reproducer (9.77 KB, application/pdf)
2018-11-08 10:15 UTC, Robert Frohl
Description Robert Frohl 2018-11-08 10:09:24 UTC
CVE-2018-19058

An issue was discovered in Poppler 0.71.0. There is a reachable abort in
Object.h that will lead to denial of service because EmbFile::save2 in FileSpec.cc
lacks a stream check before saving an embedded file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19058
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19058.html
https://gitlab.freedesktop.org/poppler/poppler/issues/659
Comment 1 Robert Frohl 2018-11-08 10:09:47 UTC
No upstream patch at this moment.
Comment 2 Robert Frohl 2018-11-08 10:15:40 UTC
Created attachment 789009
QA Reproducer

$ pdfdetach -save 1 abort_Object.h_403
Internal Error (0): Call to Object where the object was type 7, not the expected type 8
Aborted (core dumped)
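
The failure mode from the description and the reproducer output above, as an added C++ example that is not poppler's code and not part of the original report: a type-tagged object whose checked accessor aborts on a tag mismatch, with a save routine that skips the type check next to one that performs it. The `Object` struct is a simplified stand-in, `saveUnchecked`, `saveChecked` and `signalFrom` are hypothetical names, and labelling tags 7 and 8 as dict and stream is an assumption of this model.

```cpp
// Simplified model of a type-tagged PDF object (added example, not poppler's code).
#include <csignal>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Tags 7 and 8 mirror the reproducer output; the names dict/stream are assumed.
enum ObjType { objDict = 7, objStream = 8 };

struct Object {
    ObjType type;
    std::string data;
    bool isStream() const { return type == objStream; }
    // Checked accessor: a tag mismatch is treated as an internal error and aborts.
    const std::string &getStream() const {
        if (type != objStream) {
            std::fprintf(stderr, "object was type %d, not the expected type %d\n", int(type), int(objStream));
            std::abort();
        }
        return data;
    }
};

// Before: assumes the embedded-file object is a stream.
bool saveUnchecked(const Object &o, std::string &out) { out = o.getStream(); return true; }

// After: a non-stream object from the file becomes an ordinary error return.
bool saveChecked(const Object &o, std::string &out) {
    if (!o.isStream()) return false;
    out = o.getStream();
    return true;
}

// Runs a save function in a child process; returns the terminating signal, or 0.
int signalFrom(bool (*save)(const Object &, std::string &), const Object &o) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { std::string out; save(o, out); _exit(0); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main() {
    Object dict{objDict, ""};  // constructed stand-in for the malformed object
    std::printf("unchecked: signal %d, checked: signal %d\n", signalFrom(saveUnchecked, dict), signalFrom(saveChecked, dict));
}
```

The child process isolates the abort so the caller can observe it as a SIGABRT termination, which is the same outcome the `pdfdetach` run reports as "Aborted (core dumped)".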
Comment 4 Robert Frohl 2018-11-08 10:26:51 UTC
Hi Peter,
same as bnc#1115186 and bnc#1115185
- SUSE:SLE-15:Update/poppler
- SUSE:SLE-12-SP2:Update/poppler
- SUSE:SLE-12:Update/poppler

Not affected, because code does not exist yet: 
- SUSE:SLE-11-SP1:Update/poppler
- SUSE:SLE-10-SP3:Update/poppler
Comment 8 Swamp Workflow Management 2021-12-01 20:28:50 UTC
SUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Enterprise Storage 6 (src):    poppler-0.62.0-4.6.1
SUSE CaaS Platform 4.0 (src):    poppler-0.62.0-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-12-01 21:12:46 UTC
openSUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    poppler-0.62.0-4.6.1
Comment 10 Petr Gajdos 2023-06-16 09:32:30 UTC
15+ already fixed by a patch or a version update.

I cannot reproduce with 12sp2,12/poppler, perhaps the issue is hidden by another patch yet:

$ valgrind  -q pdfdetach -save 1 poc.pdf
$

The patch is applicable and AFTER I get the same result.
Comment 11 Petr Gajdos 2023-06-16 09:32:56 UTC
Will submit for 12sp2,12/poppler.
Comment 14 Petr Gajdos 2023-07-18 10:44:28 UTC
I believe all fixed.
Comment 15 Maintenance Automation 2023-07-20 12:30:42 UTC
SUSE-SU-2023:2907-1: An update that solves 14 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1136105, 1149635, 1199272
CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-12293, CVE-2019-7310, CVE-2022-27337
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1

Comment 16 Maintenance Automation 2023-07-20 12:30:48 UTC
SUSE-SU-2023:2906-1: An update that solves 13 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1149635, 1199272
CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-7310, CVE-2022-27337
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.26.1

Comment 17 Andrea Mattiazzo 2024-07-19 13:05:23 UTC
All done, closing.