Bug 1120956 (CVE-2018-20662) - VUL-1: CVE-2018-20662: poppler: PDFDoc setup in PDFDoc.cc allows attackers to cause DoS because of a wrong return value from PDFDoc::setup
Status: RESOLVED FIXED
Alias: CVE-2018-20662
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/222202/
Whiteboard: CVSSv3:SUSE:CVE-2018-20662:3.3:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-07 16:12 UTC by Alexandros Toptsoglou
Modified: 2024-05-07 09:27 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2019-01-07 16:12:56 UTC
CVE-2018-20662

In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a
denial-of-service (application crash caused by Object.h SIGABRT, because of a
wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref
data structure is mishandled during extractPDFSubtype processing.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20662
https://gitlab.freedesktop.org/poppler/poppler/commit/9fd5ec0e6e5f763b190f2a55ceb5427cfe851d5f
https://gitlab.freedesktop.org/poppler/poppler/issues/706
Comment 1 Alexandros Toptsoglou 2019-01-07 16:22:56 UTC
According to upstream [1], this was only introduced after commit de0c0b83, which was fixing CVE-2018-20650 and is tracked in [2]. This commit has not been introduced in any of our releases and thus we are not affected. PoCs can be found in [3]. There was an attempt at fixing in [4], but later this fix created a regression and was reverted [5]. Thus this is an open issue.


[1] https://gitlab.freedesktop.org/poppler/poppler/issues/706
[2] https://bugzilla.suse.com/show_bug.cgi?id=1120939
[3] https://gitlab.freedesktop.org/poppler/poppler/uploads/6b9f371709bfbb06a391d0f3d02c401b/pdfunite.zip
[4] https://gitlab.freedesktop.org/poppler/poppler/commit/9fd5ec0e6e5f763b190f2a55ceb5427cfe851d5f
[5] https://gitlab.freedesktop.org/poppler/poppler/commit/1e99a1eeb3a144facf45165df9f457796c045daa
Comment 3 ANTONIO CARISTA 2019-03-28 07:13:01 UTC
Working on S:M:10689:187745 I got a core dump before and after the update.

Reproducer here: https://gitlab.freedesktop.org/poppler/poppler/issues/706

BEFORE:
======

        bragi:/tmp/test_poppler/pdfunite # rpm -qa|grep poppler
        libpoppler73-0.62.0-2.33.x86_64
        libpoppler-glib8-0.62.0-2.33.x86_64
        libpoppler-cpp0-0.62.0-2.33.x86_64
        poppler-tools-0.62.0-2.33.x86_64
        libpoppler-qt5-1-0.62.0-2.43.x86_64
        libpoppler-devel-0.62.0-2.33.x86_64
        libpoppler-qt5-devel-0.62.0-2.43.x86_64
        libpoppler-glib-devel-0.62.0-2.33.x86_64
        poppler-data-0.4.8-bp150.2.4.noarch


        bragi:/tmp/test_poppler/pdfunite # pdfunite RELEASE-NOTES.it.pdf sigabrt_Object.h:258_1.pdf  OUTPUT.pdf
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error: Invalid XRef entry
        Internal Error: xref num 21 not found but needed, try to reconstruct<0a>
        Syntax Error: Invalid XRef entry
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error: Could not find catalog dictionary
        Syntax Error: Invalid XRef entry
        Syntax Error: Couldn't find trailer dictionary
        Internal Error (0): Call to Object where the object was type 5, not the expected type 7
        Aborted (core dumped)

        bragi:/tmp/test_poppler/pdfunite # pdfunite RELEASE-NOTES.it.pdf sigabrt_Object.h:258_2.pdf  OUTPUT.pdf
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error (374): Illegal character <10> in hex string
        Syntax Error (603): Dictionary key must be a name object
        Syntax Error (605): Dictionary key must be a name object
        Syntax Error (611): Dictionary key must be a name object
        Syntax Error (603): Dictionary key must be a name object
        Syntax Error (605): Dictionary key must be a name object
        Syntax Error (611): Dictionary key must be a name object
        Syntax Error: Failed to parse XRef entry [1].
        Internal Error: xref num 1 not found but needed, try to reconstruct<0a>
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error (1014): Dictionary key must be a name object
        Syntax Error (1016): Dictionary key must be a name object
        Syntax Error (1018): Dictionary key must be a name object
        Syntax Error (1018): Dictionary key must be a name object
        Syntax Error (1020): Dictionary key must be a name object
        Syntax Error: Page count in top-level pages object is wrong type (null)
        Syntax Error: Couldn't find trailer dictionary
        Internal Error (0): Call to Object where the object was type 5, not the expected type 7
        Aborted (core dumped)


AFTER:
======

        bragi:/tmp/test_poppler/pdfunite # rpm -qa|grep poppler
        libpoppler-qt5-1-0.62.0-4.3.2.x86_64
        poppler-tools-0.62.0-4.3.2.x86_64
        libpoppler-glib-devel-0.62.0-4.3.2.x86_64
        libpoppler-cpp0-0.62.0-4.3.2.x86_64
        libpoppler73-0.62.0-4.3.2.x86_64
        poppler-data-0.4.8-bp150.2.4.noarch
        libpoppler-qt5-devel-0.62.0-4.3.2.x86_64
        libpoppler-devel-0.62.0-4.3.2.x86_64
        libpoppler-glib8-0.62.0-4.3.2.x86_64


        bragi:/tmp/test_poppler/pdfunite # pdfunite RELEASE-NOTES.it.pdf sigabrt_Object.h:258_2.pdf  OUTPUT.pdf
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error (374): Illegal character <10> in hex string
        Syntax Error (603): Dictionary key must be a name object
        Syntax Error (605): Dictionary key must be a name object
        Syntax Error (611): Dictionary key must be a name object
        Syntax Error (603): Dictionary key must be a name object
        Syntax Error (605): Dictionary key must be a name object
        Syntax Error (611): Dictionary key must be a name object
        Syntax Error: Failed to parse XRef entry [1].
        Internal Error: xref num 1 not found but needed, try to reconstruct<0a>
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error (1014): Dictionary key must be a name object
        Syntax Error (1016): Dictionary key must be a name object
        Syntax Error (1018): Dictionary key must be a name object
        Syntax Error (1018): Dictionary key must be a name object
        Syntax Error (1020): Dictionary key must be a name object
        Syntax Error: Page count in top-level pages object is wrong type (null)
        Syntax Error: Couldn't find trailer dictionary
        Internal Error (0): Call to Object where the object was type 5, not the expected type 7
        Aborted (core dumped)

        bragi:/tmp/test_poppler/pdfunite # pdfunite RELEASE-NOTES.it.pdf sigabrt_Object.h:258_1.pdf  OUTPUT.pdf
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error: Invalid XRef entry
        Internal Error: xref num 21 not found but needed, try to reconstruct<0a>
        Syntax Error: Invalid XRef entry
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error: Could not find catalog dictionary
        Syntax Error: Invalid XRef entry
        Syntax Error: Couldn't find trailer dictionary
        Internal Error (0): Call to Object where the object was type 5, not the expected type 7
        Aborted (core dumped)

        bragi:/tmp/test_poppler/pdfunite # pdfunite sigabrt_Object.h\:258_1.pdf sigabrt_Object.h:258_2.pdf  OUTPUT.pdf
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error (374): Illegal character <10> in hex string
        Syntax Error (603): Dictionary key must be a name object
        Syntax Error (605): Dictionary key must be a name object
        Syntax Error (611): Dictionary key must be a name object
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error: Invalid XRef entry
        Internal Error: xref num 21 not found but needed, try to reconstruct<0a>
        Syntax Error: Invalid XRef entry
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error: Catalog object is wrong type (null)
        Syntax Error: Cannot allocate page cache
        Syntax Error: Invalid XRef entry
        Syntax Error: Couldn't find trailer dictionary
        Syntax Error: Catalog object is wrong type (null)
        Internal Error (0): Call to Object where the object was type 5, not the expected type 7
        Aborted (core dumped)
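The before/after comparison in comment 3 is done by hand: run pdfunite on each PoC, look for "Aborted (core dumped)" and the Object.h message. The script below is an added example, not part of this bug report or of poppler, that automates that triage: it classifies one pdfunite run from its exit status and stderr, distinguishes the Object.h type-check abort (in poppler's ObjType enum, type 5 is objNull and type 7 is objDict, so the message on this page is a null object being used as a dictionary) from a plain "Syntax Error" rejection, and reports whether an updated package set is still affected. It assumes pdfunite from poppler-tools is on PATH for live runs; the embedded samples are constructed from the comment 3 output, and the post-fix sample (non-zero exit with only Syntax Error lines) is an assumption about what a fixed build prints.

```python
#!/usr/bin/env python3
"""Triage helper for pdfunite crash PoCs.

Added example; not part of this bug report or of poppler. It automates the
before/after comparison done by hand in comment 3: run pdfunite on each PoC,
classify the outcome from the exit status and stderr, and report whether the
Object.h type-check abort is still reachable after an update.
"""
import re
import shutil
import signal
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Text printed by poppler's OBJECT_TYPE_CHECK (Object.h) right before abort().
# In poppler's ObjType enum, 5 is objNull and 7 is objDict, so the message on
# this page means a null object was dereferenced as a dictionary.
OBJ_TYPE_RE = re.compile(
    r"Internal Error \(\d+\): Call to Object where the object was type (\d+), "
    r"not the expected type (\d+)"
)
OBJ_TYPE_NAMES = {5: "objNull", 7: "objDict"}  # only the two values seen on this page


@dataclass(frozen=True)
class Verdict:
    outcome: str              # clean | syntax-errors-only | sigabrt-object-type-check | signal | timeout
    signum: Optional[int]     # signal number when the process was killed by one
    got_type: Optional[int]   # ObjType actually found (from the Object.h message)
    want_type: Optional[int]  # ObjType the caller expected


def classify(returncode: int, stderr: str) -> Verdict:
    """Classify one pdfunite run. On POSIX, subprocess reports death by signal N as returncode -N."""
    m = OBJ_TYPE_RE.search(stderr)
    if returncode < 0:
        signum = -returncode
        if signum == signal.SIGABRT and m:
            return Verdict("sigabrt-object-type-check", signum, int(m.group(1)), int(m.group(2)))
        return Verdict("signal", signum, None, None)  # some other crash: still worth a look
    if returncode != 0 or "Syntax Error" in stderr:
        # Input rejected without crashing: the behaviour a fix should produce.
        return Verdict("syntax-errors-only", None, None, None)
    return Verdict("clean", None, None, None)


def run_pdfunite(inputs: List[str], output: str = "out.pdf",
                 timeout: float = 30, pdfunite: Optional[str] = None) -> Verdict:
    """Run pdfunite on `inputs` and classify it. Needs poppler-tools on PATH; the offline samples below do not call this."""
    exe = pdfunite or shutil.which("pdfunite")
    if exe is None:
        raise FileNotFoundError("pdfunite not found; install poppler-tools")
    try:
        p = subprocess.run([exe, *inputs, output], capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return Verdict("timeout", None, None, None)
    return classify(p.returncode, p.stderr)


def still_affected(before: List[Verdict], after: List[Verdict]) -> bool:
    """True if any input that hit the Object.h abort before the update still hits it after."""
    return any(b.outcome == "sigabrt-object-type-check" and a.outcome == b.outcome
               for b, a in zip(before, after))


def describe(v: Verdict) -> str:
    if v.outcome == "sigabrt-object-type-check":
        return ("SIGABRT from Object.h type check: got %s, expected %s"
                % (OBJ_TYPE_NAMES.get(v.got_type, v.got_type),
                   OBJ_TYPE_NAMES.get(v.want_type, v.want_type)))
    if v.outcome == "signal":
        return "killed by signal %d" % v.signum
    return v.outcome


# Constructed samples. SAMPLE_BEFORE is abridged from the comment 3 output; SAMPLE_AFTER_FIXED
# is an assumed post-fix run where the same input is only rejected (non-zero exit, no abort).
SAMPLE_BEFORE: Tuple[int, str] = (
    -int(signal.SIGABRT),
    "Syntax Error: Couldn't find trailer dictionary\n"
    "Syntax Error: Invalid XRef entry\n"
    "Internal Error (0): Call to Object where the object was type 5, not the expected type 7\n",
)
SAMPLE_AFTER_FIXED: Tuple[int, str] = (
    1,
    "Syntax Error: Couldn't find trailer dictionary\n"
    "Syntax Error: Invalid XRef entry\n",
)

if __name__ == "__main__":
    before = [classify(*SAMPLE_BEFORE)]
    after = [classify(*SAMPLE_AFTER_FIXED)]
    print("before:", describe(before[0]))
    print("after: ", describe(after[0]))
    print("still affected:", still_affected(before, after))
```

To use it against the real PoCs from issue 706, replace the constructed samples with `run_pdfunite([...])` calls made once under each package set and feed the two Verdict lists to `still_affected`; a run that still returns `sigabrt-object-type-check` after the update is the case comment 3 reports.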
Comment 4 Alexandros Toptsoglou 2019-06-05 12:30:20 UTC
The wrong patch for CVE-2018-20662 has been applied. As explained in comment 0, that patch creates a regression and upstream did not use it. The correct patch is located at [1]. Please resubmit.

[1] https://gitlab.freedesktop.org/mkasik/poppler/commit/7b4e372deeb716eb3fe3a54b31ed41af759224f9
Comment 8 Swamp Workflow Management 2021-12-01 20:29:26 UTC
SUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Enterprise Storage 6 (src):    poppler-0.62.0-4.6.1
SUSE CaaS Platform 4.0 (src):    poppler-0.62.0-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-12-01 21:13:22 UTC
openSUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    poppler-0.62.0-4.6.1
Comment 10 Petr Gajdos 2023-06-13 08:35:10 UTC
I think the fixed patch referenced in comment 4 still has to be applied for 15/poppler. 12/poppler remains, too.
Comment 11 Petr Gajdos 2023-06-19 11:59:01 UTC
15/poppler:

Even if I use

https://gitlab.freedesktop.org/mkasik/poppler/commit/7b4e372deeb716eb3fe3a54b31ed41af759224f9

instead of

https://gitlab.freedesktop.org/poppler/poppler/commit/9fd5ec0e6e5f763b190f2a55ceb5427cfe851d5f

the testcase still crashes, if I tested correctly. So something else is missing.
Comment 12 Petr Gajdos 2023-10-27 16:01:43 UTC
Reassigning to current poppler maintainer.
Comment 13 Petr Gajdos 2023-12-05 09:38:04 UTC
I do not see the crash anymore:
for 15,12sp2, if I use the patch from comment 4
for 12, if I use the patch from comment 4 and backport 12sp2/poppler/0001-pdfunite-Fix-crash-with-broken-documents.patch there

testcase used:
$ pdfunite sigabrt_Object.h:258_1.pdf sigabrt_Object.h:258_2.pdf out.pdf
Comment 14 Petr Gajdos 2023-12-05 19:07:14 UTC
Submitted for 15,12sp2,12/poppler.

I believe all fixed.
Comment 16 Maintenance Automation 2023-12-07 12:30:01 UTC
SUSE-SU-2023:4690-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1120956
CVE References: CVE-2018-20662
Sources used:
openSUSE Leap 15.4 (src): poppler-0.62.0-150000.4.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2023-12-21 12:30:13 UTC
SUSE-SU-2023:4942-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1120956
CVE References: CVE-2018-20662
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.43.0-16.43.1, poppler-qt-0.43.0-16.43.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-0.43.0-16.43.1, poppler-qt-0.43.0-16.43.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-0.43.0-16.43.1, poppler-qt-0.43.0-16.43.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-0.43.0-16.43.1, poppler-qt-0.43.0-16.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2023-12-21 12:30:15 UTC
SUSE-SU-2023:4941-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1041783, 1120956
CVE References: CVE-2017-7511, CVE-2018-20662
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.44.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Thomas Leroy 2024-05-07 09:27:06 UTC
All done, closing.