Bug 1136105 (CVE-2019-12293) - VUL-1: CVE-2019-12293: poppler: heap-based buffer over-read in JPXStream:init in JPEG2000Stream.cc via data with inconsistent heights or widths
Status: RESOLVED FIXED
Alias: CVE-2019-12293
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/233595/
Whiteboard: CVSSv3:SUSE:CVE-2019-12293:5.1:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-23 15:56 UTC by Alexandros Toptsoglou
Modified: 2024-05-06 13:11 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2019-05-23 15:56:31 UTC
CVE-2019-12293

In Poppler through 0.76.1, there is a heap-based buffer over-read in
JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or
widths.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12293
https://gitlab.freedesktop.org/poppler/poppler/issues/768
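One way the inconsistency named above turns into an over-read is a reader that walks every component for as many samples as component 0 has, while a later component carries fewer. The C below is an added illustration of the consistency check such a reader needs before interleaving; it is not poppler's code or its fix, and the struct layout and field names are assumptions modeled on a JPEG 2000 decoder's per-component output:

```c
#include <stddef.h>
#include <stdint.h>
/* Per-component layout modeled on what a JPEG 2000 decoder such as OpenJPEG
 * returns; the struct and field names are assumptions for this illustration,
 * not poppler's or OpenJPEG's own definitions. */
typedef struct {
    uint32_t w, h;   /* this component's width and height in samples */
    int32_t *data;   /* w*h decoded samples, allocated by the decoder */
} jpx_comp;
typedef struct { uint32_t numcomps; jpx_comp *comps; } jpx_image;

/* 1 if every component has the same non-zero geometry as component 0, else 0.
 * A reader that walks comps[i].data[k] for k < w0*h0 must establish this
 * first, or a component smaller than component 0 is read past its end. */
int jpx_components_consistent(const jpx_image *img) {
    if (img == NULL || img->numcomps == 0 || img->comps == NULL) return 0;
    uint32_t w0 = img->comps[0].w, h0 = img->comps[0].h;
    if (w0 == 0 || h0 == 0 || w0 > UINT32_MAX / h0) return 0;
    for (uint32_t i = 0; i < img->numcomps; ++i) {
        const jpx_comp *c = &img->comps[i];
        if (c->data == NULL || c->w != w0 || c->h != h0) return 0;
    }
    return 1;
}

/* Interleave the components into 8-bit output; returns bytes written, or 0
 * when the image is rejected or the output buffer is too small. */
size_t jpx_interleave(const jpx_image *img, uint8_t *out, size_t out_len) {
    if (!jpx_components_consistent(img)) return 0;
    size_t n = (size_t)img->comps[0].w * img->comps[0].h;
    if (n > out_len / img->numcomps) return 0;
    size_t k = 0;
    for (size_t s = 0; s < n; ++s)
        for (uint32_t c = 0; c < img->numcomps; ++c)
            out[k++] = (uint8_t)img->comps[c].data[s];
    return k;
}

/* Constructed sample: two 2x2 components. With shrink_second set, the second
 * one claims 1x2, the inconsistent case; returns bytes jpx_interleave wrote. */
size_t demo_interleave(int shrink_second) {
    int32_t c0[4] = {10, 20, 30, 40}, c1[4] = {1, 2, 3, 4};
    jpx_comp comps[2] = {{2, 2, c0}, {2, 2, c1}};
    if (shrink_second) { comps[1].w = 1; comps[1].h = 2; }
    jpx_image img = {2, comps};
    uint8_t out[8];
    return jpx_interleave(&img, out, sizeof out);
}
```

Without the check, the inconsistent case would read samples 2 and 3 of a component that only holds two, which is the class of over-read the fix at [1] closes.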
Comment 1 Alexandros Toptsoglou 2019-05-23 16:09:11 UTC
A fix is available at [1] and has already been merged to master. The issue seems to have been introduced at [2], affecting any poppler version from 0.30 on. The POC [3] was tested against SLE12 (version 0.43) and Leap15 (version 0.62). The following codestreams are tracked as affected:

SLE-12:Update 
SLE-12-SP2:Update 
SLE-15:Update 

To run the POC just run: 

pdftotext $POC 

[1] https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c
[2] https://gitlab.freedesktop.org/poppler/poppler/commit/117af9c6bbd923954ef7de63adec8c22d51da1e4
[3] https://gitlab.freedesktop.org/poppler/poppler/uploads/3a902c7b97ebff3df1b884c8271de294/id_000011_sig_06_src_000099+004407_op_splice_rep_32
Comment 2 Peter Simons 2021-11-23 13:08:50 UTC
The fix https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c does not apply anywhere, not even in SLE-15, which is pretty recent.
Comment 3 Petr Gajdos 2023-06-19 14:47:12 UTC
15,12sp2/poppler crashes, unlike 15sp2+,12/poppler.

:/136105 # pdftotext id_000011_sig_06_src_000099+004407_op_splice_rep_32 2>&1| head
Syntax Error (187130): Illegal character '>'
Syntax Error (187132): Illegal character <3f> in hex string
Syntax Error (187135): Illegal character <6f> in hex string
Syntax Error (187138): Illegal character <2d> in hex string
Syntax Error (187139): Illegal character <78> in hex string
Syntax Error (187141): Illegal character <70> in hex string
Syntax Error (187142): Illegal character <2d> in hex string
Syntax Error (187144): Illegal character <69> in hex string
Syntax Error (187145): Illegal character <6c> in hex string
Syntax Error (187146): Illegal character <74> in hex string
[..]
Syntax Error (188521): Illegal character <3f> in hex string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault (core dumped)
:/136105 #
Comment 4 Petr Gajdos 2023-06-20 15:36:33 UTC
After patching, 15/poppler does not crash anymore, but the memory corruption is unchanged in 12sp2/poppler. It may also be an openjpeg2 problem; I will not investigate further at this stage.
Comment 5 Petr Gajdos 2023-06-20 15:38:35 UTC
Will submit for 15,12sp2/poppler, the memory corruption in 12sp2/poppler still reproduces.
Comment 7 Maintenance Automation 2023-07-14 21:42:56 UTC
SUSE-SU-2023:2838-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1136105, 1149635, 1199272
CVE References: CVE-2018-21009, CVE-2019-12293, CVE-2022-27337
Sources used:
openSUSE Leap 15.4 (src): poppler-0.62.0-150000.4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Petr Gajdos 2023-07-18 10:40:27 UTC
I believe all fixed.
Comment 9 Maintenance Automation 2023-07-20 12:30:44 UTC
SUSE-SU-2023:2907-1: An update that solves 14 vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1092945, 1102531, 1107597, 1114966, 1115185, 1115186, 1115187, 1115626, 1120939, 1124150, 1136105, 1149635, 1199272
CVE References: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20650, CVE-2018-21009, CVE-2019-12293, CVE-2019-7310, CVE-2022-27337
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.25.1, poppler-0.43.0-16.25.1

Comment 10 Thomas Leroy 2024-05-06 13:11:35 UTC
All done, closing.