Bugzilla – Bug 1120939
VUL-1: CVE-2018-20650: poppler: A reachable Object in dictLookup assertion allows attackers to cause DOS
Last modified: 2024-05-07 09:22:37 UTC
A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20650 https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7 https://gitlab.freedesktop.org/poppler/poppler/issues/704
There is a POC in [1]. The fix can be found and the description of the issue can be found in the references of the above comment. Both codestreams of SLE 12 (Update and SP2 update) , and SLE 15 are affected. Any previous version is not affected since pdfdetach was not available. Before commit 9773c153 the code was slightly different but still vulnerable. [1] https://gitlab.freedesktop.org/poppler/poppler/uploads/89b0d6bf44de7a83374c7aee71444b78/reachabort2.pdf
The upstream fix for this bug Commit de0c0b83 introduces CVE-2018-20662 tracked in [1] in where more information can be found. [1] https://bugzilla.opensuse.org/show_bug.cgi?id=1120956
SUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available. Category: security (important) Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163 CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778 JIRA References: Sources used: SUSE Linux Enterprise Workstation Extension 15-SP2 (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise Server for SAP 15 (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise Server 15-LTSS (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): poppler-0.62.0-4.6.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): poppler-0.62.0-4.6.1 SUSE Enterprise Storage 6 (src): poppler-0.62.0-4.6.1 SUSE CaaS Platform 4.0 (src): poppler-0.62.0-4.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available. Category: security (important) Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163 CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778 JIRA References: Sources used: openSUSE Leap 15.3 (src): poppler-0.62.0-4.6.1
15/poppler fixed (causes a regression, comment 2), 12/poppler remains.
BEFORE 12sp2/poppler: :/120939 # pdfdetach -save 1 reachabort2.pdf Syntax Error: Unterminated hex string Syntax Error (8586): Illegal character <2f> in hex string Syntax Error (8587): Illegal character <58> in hex string Syntax Error (8588): Illegal character <4f> in hex string Syntax Error (8590): Illegal character <6a> in hex string Syntax Error (8590): Illegal character <74> in hex string Syntax Error (8591): Illegal character <3c> in hex string Syntax Error (8591): Illegal character <3c> in hex string Syntax Error (8591): Illegal character <2f> in hex string Syntax Error (8593): Illegal character <58> in hex string Syntax Error (8594): Illegal character <58> in hex string Syntax Error (8598): Illegal character <52> in hex string Syntax Error (8601): Illegal character '>' Syntax Error: Unterminated string Syntax Error: End of file inside dictionary Syntax Error: Invalid FileSpec Internal Error (0): Call to Object where the object was type 3, not the expected type 7 Aborted (core dumped) :/120939 # 12/poppler: :/120939 # pdfdetach -save 1 reachabort2.pdf Syntax Error: Top-level pages object is wrong type (null) Command Line Error: Invalid file number :/120939 # [could not reproduce] PATCH in comment 0 AFTER 12sp2/poppler :/120939 # pdfdetach -save 1 reachabort2.pdf Syntax Error: Unterminated hex string Syntax Error (8586): Illegal character <2f> in hex string Syntax Error (8587): Illegal character <58> in hex string Syntax Error (8588): Illegal character <4f> in hex string Syntax Error (8590): Illegal character <6a> in hex string Syntax Error (8590): Illegal character <74> in hex string Syntax Error (8591): Illegal character <3c> in hex string Syntax Error (8591): Illegal character <3c> in hex string Syntax Error (8591): Illegal character <2f> in hex string Syntax Error (8593): Illegal character <58> in hex string Syntax Error (8594): Illegal character <58> in hex string Syntax Error (8598): Illegal character <52> in hex string Syntax Error (8601): Illegal character '>' Syntax Error: Unterminated string Syntax Error: End of file inside dictionary Syntax Error: Invalid FileSpec :/120939 # [the crash fixed] 12/poppler /120939 # pdfdetach -save 1 reachabort2.pdf Syntax Error: Top-level pages object is wrong type (null) Command Line Error: Invalid file number :/120939 # [no change]
Will submit for 12sp2,12/poppler.
I believe all fixed.
SUSE-SU-2023:2907-1: An update that solves 14 vulnerabilities can now be installed. Category: security (moderate) Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1136105, 1149635, 1199272 CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-12293, CVE-2019-7310, CVE-2022-27337 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1 SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2906-1: An update that solves 13 vulnerabilities can now be installed. Category: security (moderate) Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1149635, 1199272 CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-7310, CVE-2022-27337 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.