Hi Moritz, On Di 06 Nov 2018 17:14:35 CET, Moritz Mühlenhoff wrote:
On Fri, Sep 28, 2018 at 08:32:25PM +0200, Markus Koschany wrote:Package: poppler X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for poppler. CVE-2018-16646[0]: | In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause | infinite recursion via a crafted file. A remote attacker can leverage | this for a DoS attack.For jessie the wrong patches got applied. They are based on MR 67, which didn't get merged in favour of the patch from MR 91. On a more general notice: This bug has virtually no security impact, it's hard too see why this change was made for an LTS release to begin with, but at least wait until it's applied/fixed in unstable before backporting.
Not security, but functionality. With the proof of malign content, I could successfully freeze 1 core on the test system endlessly.
Unideal is the application of the wrong MR (for others, see 17c991f7992270d9f7ecf004741c1c3acc235b8d in security-tracker).
I have a modified version (+deb8u6, regression fix) ready for upload to jessie LTS (see attached .debdiff). @Moritz: do you see any reason for holding it back at this moment?
Thanks+Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
diff -Nru poppler-0.26.5/debian/changelog poppler-0.26.5/debian/changelog --- poppler-0.26.5/debian/changelog 2018-10-31 12:47:07.000000000 +0100 +++ poppler-0.26.5/debian/changelog 2018-11-08 11:38:57.000000000 +0100 @@ -1,3 +1,11 @@ +poppler (0.26.5-2+deb8u6) jessie-security; urgency=medium + + * CVE-2018-16646: Regression fix. Apply the patch from + upstream's MR #91 (which got merged upstream) and not + the proposed patches from MR #67. + + -- Mike Gabriel <sunwea...@debian.org> Thu, 08 Nov 2018 11:38:57 +0100 + poppler (0.26.5-2+deb8u5) jessie-security; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru poppler-0.26.5/debian/patches/mupstream_CVE-2018-16646.patch poppler-0.26.5/debian/patches/mupstream_CVE-2018-16646.patch --- poppler-0.26.5/debian/patches/mupstream_CVE-2018-16646.patch 1970-01-01 01:00:00.000000000 +0100 +++ poppler-0.26.5/debian/patches/mupstream_CVE-2018-16646.patch 2018-11-08 11:26:48.000000000 +0100 @@ -0,0 +1,62 @@ +From e16f2d5bf39842c647d413bbd6e16de73c76a2c8 Mon Sep 17 00:00:00 2001 +From: Marek Kasik <mka...@redhat.com> +Date: Mon, 22 Oct 2018 16:56:01 +0200 +Subject: [PATCH] Avoid cycles in PDF parsing + +Mark objects being processed in Parser::makeStream() as being processed +and check the mark when entering this method to avoid processing +of the same object recursively. +--- + poppler/Parser.cc | 15 +++++++++++++++ + poppler/XRef.h | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/poppler/Parser.cc b/poppler/Parser.cc +index bd4845ab..6c8ae703 100644 +--- a/poppler/Parser.cc ++++ b/poppler/Parser.cc +@@ -197,6 +197,18 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey, + Stream *str; + Goffset length; + Goffset pos, endPos; ++ XRefEntry *entry; ++ ++ if (xref && (entry = xref->getEntry(objNum, gFalse))) { ++ if (!entry->getFlag(XRefEntry::Parsing) || ++ (objNum == 0 && objGen == 0)) { ++ entry->setFlag(XRefEntry::Parsing, gTrue); ++ } else { ++ error(errSyntaxError, getPos(), ++ "Object '{0:d} {1:d} obj' is being already parsed", objNum, objGen); ++ return nullptr; ++ } ++ } + + // get stream start position + lexer->skipToNextLine(); +@@ -278,6 +290,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey, + // get filters + str = str->addFilters(str->getDict(), recursion); + ++ if (entry) ++ entry->setFlag(XRefEntry::Parsing, gFalse); ++ + return str; + } + +diff --git a/poppler/XRef.h b/poppler/XRef.h +index 11ee5e03..2eb2f9fd 100644 +--- a/poppler/XRef.h ++++ b/poppler/XRef.h +@@ -65,6 +65,7 @@ struct XRefEntry { + enum Flag { + // Regular flags + Updated, // Entry was modified ++ Parsing, // Entry is currently being parsed + + // Special flags -- available only after xref->scanSpecialFlags() is run + Unencrypted, // Entry is stored in unencrypted form (meaningless in unencrypted documents) +-- +2.18.1 + + diff -Nru poppler-0.26.5/debian/patches/series poppler-0.26.5/debian/patches/series --- poppler-0.26.5/debian/patches/series 2018-10-31 12:47:07.000000000 +0100 +++ poppler-0.26.5/debian/patches/series 2018-11-08 11:29:46.000000000 +0100 @@ -20,8 +20,7 @@ upstream_Fix-rendering-of-some-broken-PDF-files.patch upstream_Allow-newlines-in-num-gen-obj-sequence.patch upstream_XRef-Fix-runtime-undefined-behaviour.patch -upstream_CVE-2018-16646_Fail-when-PDF-contains-duplicate-objects.patch -upstream_CVE-2018-16646_Allow-duplicated-objects-in-incremental-updates.patch +upstream_CVE-2018-16646.patch upstream_CVE-2018-10768.patch upstream_CVE-2017-18267.patch upstream-modified_CVE-2018-13988.patch diff -Nru poppler-0.26.5/debian/patches/upstream_CVE-2018-16646_Allow-duplicated-objects-in-incremental-updates.patch poppler-0.26.5/debian/patches/upstream_CVE-2018-16646_Allow-duplicated-objects-in-incremental-updates.patch --- poppler-0.26.5/debian/patches/upstream_CVE-2018-16646_Allow-duplicated-objects-in-incremental-updates.patch 2018-10-30 21:19:17.000000000 +0100 +++ poppler-0.26.5/debian/patches/upstream_CVE-2018-16646_Allow-duplicated-objects-in-incremental-updates.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,75 +0,0 @@ -From a1044e6639316ee876031595a0c09889c28098ce Mon Sep 17 00:00:00 2001 -From: Marek Kasik <mka...@redhat.com> -Date: Mon, 15 Oct 2018 17:53:45 +0200 -Subject: [PATCH 2/2] Allow duplicated objects in incremental updates - -Do not fail when encountering duplicated object in different -update section of the file. ---- - poppler/XRef.cc | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - ---- a/poppler/XRef.cc -+++ b/poppler/XRef.cc -@@ -905,6 +905,7 @@ - char* token = NULL; - bool oneCycle = true; - int offset = 0; -+ std::vector<bool> seen; - - gfree(entries); - capacity = 0; -@@ -925,6 +926,9 @@ - if (!str->getLine(buf, 256)) { - break; - } -+ if (strstr(buf, "%%EOF")) { -+ seen.assign(seen.size(), false); -+ } - p = buf; - - // skip whitespace -@@ -977,6 +981,9 @@ - if ((*p & 0xff) == 0) { - //new line, continue with next line! - str->getLine(buf, 256); -+ if (strstr(buf, "%%EOF")) { -+ seen.assign(seen.size(), false); -+ } - p = buf; - } else { - ++p; -@@ -991,6 +998,9 @@ - if ((*p & 0xff) == 0) { - //new line, continue with next line! - str->getLine(buf, 256); -+ if (strstr(buf, "%%EOF")) { -+ seen.assign(seen.size(), false); -+ } - p = buf; - } else { - ++p; -@@ -1006,12 +1016,11 @@ - if (resize(newSize) != newSize) { - error(errSyntaxError, -1, "Invalid 'obj' parameters"); - return gFalse; -+ } else { -+ seen.resize (newSize, false); - } - } -- if (entries[num].type != xrefEntryFree && -- gen == entries[num].gen && -- entries[num].offset != pos - start && -- entries[num].offset != -1) { -+ if (seen[num]) { - error(errSyntaxError, -1, "Duplicate object reference {0:d} {1:d}", num, gen); - return gFalse; - } -@@ -1020,6 +1029,7 @@ - entries[num].offset = pos - start; - entries[num].gen = gen; - entries[num].type = xrefEntryUncompressed; -+ seen[num] = true; - } - } - } diff -Nru poppler-0.26.5/debian/patches/upstream_CVE-2018-16646_Fail-when-PDF-contains-duplicate-objects.patch poppler-0.26.5/debian/patches/upstream_CVE-2018-16646_Fail-when-PDF-contains-duplicate-objects.patch --- poppler-0.26.5/debian/patches/upstream_CVE-2018-16646_Fail-when-PDF-contains-duplicate-objects.patch 2018-10-30 21:13:35.000000000 +0100 +++ poppler-0.26.5/debian/patches/upstream_CVE-2018-16646_Fail-when-PDF-contains-duplicate-objects.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,29 +0,0 @@ -From 9ea471459f37b4595f3032e64d2c6a659c050529 Mon Sep 17 00:00:00 2001 -From: Marek Kasik <mka...@redhat.com> -Date: Wed, 26 Sep 2018 16:13:06 +0200 -Subject: [PATCH 1/2] Fail when PDF contains duplicate objects - -Check whether current xrefEntry is already occupied during XRef::constructXRef(). -If yes then check its offset against current position and fail if they -are different. -This helps with files which reach recursionLimit in Parser.cc. ---- - poppler/XRef.cc | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/poppler/XRef.cc -+++ b/poppler/XRef.cc -@@ -1008,6 +1008,13 @@ - return gFalse; - } - } -+ if (entries[num].type != xrefEntryFree && -+ gen == entries[num].gen && -+ entries[num].offset != pos - start && -+ entries[num].offset != -1) { -+ error(errSyntaxError, -1, "Duplicate object reference {0:d} {1:d}", num, gen); -+ return gFalse; -+ } - if (entries[num].type == xrefEntryFree || - gen >= entries[num].gen) { - entries[num].offset = pos - start; diff -Nru poppler-0.26.5/debian/patches/upstream_CVE-2018-16646.patch poppler-0.26.5/debian/patches/upstream_CVE-2018-16646.patch --- poppler-0.26.5/debian/patches/upstream_CVE-2018-16646.patch 1970-01-01 01:00:00.000000000 +0100 +++ poppler-0.26.5/debian/patches/upstream_CVE-2018-16646.patch 2018-11-08 11:29:13.000000000 +0100 @@ -0,0 +1,54 @@ +From e16f2d5bf39842c647d413bbd6e16de73c76a2c8 Mon Sep 17 00:00:00 2001 +From: Marek Kasik <mka...@redhat.com> +Date: Mon, 22 Oct 2018 16:56:01 +0200 +Subject: [PATCH] Avoid cycles in PDF parsing + +Mark objects being processed in Parser::makeStream() as being processed +and check the mark when entering this method to avoid processing +of the same object recursively. +--- + poppler/Parser.cc | 15 +++++++++++++++ + poppler/XRef.h | 1 + + 2 files changed, 16 insertions(+) + +--- a/poppler/Parser.cc ++++ b/poppler/Parser.cc +@@ -197,6 +197,18 @@ + Stream *str; + Goffset length; + Goffset pos, endPos; ++ XRefEntry *entry; ++ ++ if (xref && (entry = xref->getEntry(objNum, gFalse))) { ++ if (!entry->getFlag(XRefEntry::Parsing) || ++ (objNum == 0 && objGen == 0)) { ++ entry->setFlag(XRefEntry::Parsing, gTrue); ++ } else { ++ error(errSyntaxError, getPos(), ++ "Object '{0:d} {1:d} obj' is being already parsed", objNum, objGen); ++ return nullptr; ++ } ++ } + + // get stream start position + lexer->skipToNextLine(); +@@ -276,6 +288,9 @@ + // get filters + str = str->addFilters(dict, recursion); + ++ if (entry) ++ entry->setFlag(XRefEntry::Parsing, gFalse); ++ + return str; + } + +--- a/poppler/XRef.h ++++ b/poppler/XRef.h +@@ -69,6 +69,7 @@ + enum Flag { + // Regular flags + Updated, // Entry was modified ++ Parsing, // Entry is currently being parsed + + // Special flags -- available only after xref->scanSpecialFlags() is run + Unencrypted, // Entry is stored in unencrypted form (meaningless in unencrypted documents)
pgph6z7AODQvM.pgp
Description: Digitale PGP-Signatur