Bugzilla – Bug 1115186
VUL-1: CVE-2018-19059: poppler: out-of-bounds read in EmbFile:save2 in FileSpec.cc leading to denial of service
Last modified: 2024-07-26 10:01:13 UTC
CVE-2018-19059

An issue was discovered in Poppler 0.71.0. There is an out-of-bounds read in EmbFile::save2 in FileSpec.cc, which will lead to denial of service, as demonstrated by utils/pdfdetach.cc not validating embedded files before save attempts.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19059
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19059.html
https://gitlab.freedesktop.org/poppler/poppler/issues/661
no upstream patch at this moment
Created attachment 789008
QA Reproducer

$ pdfdetach -save 1 outofboundsread_FileSpec.cc_96
Syntax Error (8598): Dictionary key must be a name object
[..]
Syntax Error: Invalid FileSpec: Embedded file stream is not an indirect reference
Segmentation fault (core dumped)
missed the patch: https://gitlab.freedesktop.org/poppler/poppler/commit/77a30e94d96220d7e22dff5b3f0a7f296f01b118
Hi Peter,

the same codestreams are affected as in bnc#1115185:
- SUSE:SLE-15:Update/poppler
- SUSE:SLE-12-SP2:Update/poppler
- SUSE:SLE-12:Update/poppler

Not affected, because pdfdetach does not exist yet:
- SUSE:SLE-11-SP1:Update/poppler
- SUSE:SLE-10-SP3:Update/poppler
SUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References:
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15 (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-LTSS (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): poppler-0.62.0-4.6.1
SUSE Enterprise Storage 6 (src): poppler-0.62.0-4.6.1
SUSE CaaS Platform 4.0 (src): poppler-0.62.0-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): poppler-0.62.0-4.6.1
15+ already fixed by a patch or a version update.

BEFORE

12sp2/poppler
:/115186 # pdfdetach -save 1 poc.pdf
Syntax Error (8598): Dictionary key must be a name object
Syntax Error (8598): Dictionary key must be a name object
Syntax Error (8598): Dictionary key must be a name object
Syntax Error (8600): Dictionary key must be a name object
Syntax Error: Invalid FileSpec: Embedded file stream is not an indirect reference
Syntax Error: Invalid FileSpec: Embedded file stream is not an indirect reference
Segmentation fault (core dumped)
:/115186 #

12/poppler
:/115186 # pdfdetach -save 1 poc.pdf
Syntax Error: Top-level pages object is wrong type (null)
Command Line Error: Invalid file number
:/115186 #
[not reproducible]

PATCH

in comment 3

AFTER

12sp2/poppler
:/115186 # pdfdetach -save 1 poc.pdf
Syntax Error (8598): Dictionary key must be a name object
Syntax Error (8598): Dictionary key must be a name object
Syntax Error (8598): Dictionary key must be a name object
Syntax Error (8600): Dictionary key must be a name object
Syntax Error: Invalid FileSpec: Embedded file stream is not an indirect reference
Syntax Error: Invalid FileSpec: Embedded file stream is not an indirect reference
:/115186 #

12/poppler
:/115186 # pdfdetach -save 1 poc.pdf
Syntax Error: Top-level pages object is wrong type (null)
Command Line Error: Invalid file number
:/115186 #
[no change]
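Added example (not part of the comment above and not SUSE or poppler project code): a small shell check that turns the BEFORE/AFTER comparison into a scriptable verdict. The function name classify_run and the verdict labels CRASH, HANDLED and NOT_REACHED are introduced here for illustration; the matched diagnostic string is the one shown in the output above.

```shell
#!/bin/sh
# classify_run CMD [ARGS...]
# Runs the command and prints one verdict on stdout:
#   CRASH        killed by a signal (exit status > 128, e.g. 139 = 128 + SIGSEGV)
#   HANDLED      the "Invalid FileSpec" diagnostic was printed and the process
#                exited on its own (the AFTER result on 12sp2)
#   NOT_REACHED  no crash, but the embedded-file path was never exercised
#                (the 12/poppler result, "Invalid file number")
# The body runs in a subshell so its variables do not leak into the caller.
classify_run() (
    status=0
    # Capture stderr only; discard stdout. "|| status=$?" keeps this safe
    # under "set -e" when the command fails or is killed.
    msgs=$("$@" 2>&1 >/dev/null) || status=$?

    if [ "$status" -gt 128 ]; then
        # A signal death wins even if the diagnostic was printed first,
        # which is exactly what the BEFORE run on 12sp2 shows.
        echo "CRASH"
        return 0
    fi

    case $msgs in
        *"Invalid FileSpec"*) echo "HANDLED" ;;
        *)                    echo "NOT_REACHED" ;;
    esac
)

# Stand-alone use, from a scratch directory because -save writes a file:
#   sh check.sh pdfdetach -save 1 poc.pdf
if [ "$#" -gt 0 ]; then
    classify_run "$@"
fi
```

Only HANDLED on a build that previously gave CRASH confirms the fix; NOT_REACHED means the reproducer never got as far as the embedded file on that codestream.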
Will submit for 12,12sp2/poppler.
I believe all fixed.
SUSE-SU-2023:2907-1: An update that solves 14 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1136105, 1149635, 1199272
CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-12293, CVE-2019-7310, CVE-2022-27337
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2906-1: An update that solves 13 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1149635, 1199272
CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-7310, CVE-2022-27337
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.