Debian Bug report logs - #890826
libpoppler46: [regression] Broken rendering of scan PDF from Xerox WorkCentre 5945

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <bootc@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libpoppler46: [regression] Broken rendering of scan PDF from Xerox WorkCentre 5945

Date: Mon, 19 Feb 2018 12:48:02 +0000

Package: libpoppler46
Version: 0.26.5-2+deb8u2
Severity: important
Tags: security

Hi,

libpoppler46 version 0.26.5-2+deb8u2 breaks PDFs generated by a Xerox
WorkCentre 5945, which are scans of paper documents. The deb8u3 upload
does not correct the problem, but deb8u1 is confirmed fine.

libpoppler64 on stretch does not exhibit the problem. This appears to be
restricted to jessie.

I will follow up this bug with a PDF that exhibits the problem and a
couple of screenshots of the issue in a few minutes.

Best regards,
Chris

-- 
Chris Boot
bootc@debian.org

Message #10 received at 890826@bugs.debian.org (full text, mbox, reply):

From: Chris Boot <bootc@debian.org>

To: 890826@bugs.debian.org

Subject: Re: libpoppler46: [regression] Broken rendering of scan PDF from Xerox WorkCentre 5945

Date: Mon, 19 Feb 2018 13:31:17 +0000

[Message part 1 (text/plain, inline)]

Control: notfound -1 poppler/0.26.5-2+deb8u1
Control: found -1 poppler/0.26.5-2+deb8u3
Control: notfound -1 poppler/0.48.0-2+deb9u2

On 19/02/18 12:48, Chris Boot wrote:
> I will follow up this bug with a PDF that exhibits the problem and a
> couple of screenshots of the issue in a few minutes.

Attached:

- test document.pdf: a representative sample PDF document affected by
  this bug

- Screenshot1.png: the PDF rendered with a broken libpoppler46 through
  evince (the same thing happens with okular)

- Screenshot2.png: the same PDF rendered using ImageMagick for reference

Best regards,
Chris

-- 
Chris Boot
bootc@debian.org

GPG: 8467 53CB 1921 3142 C56D  C918 F5C8 3C05 D9CE EEEE

[test document.pdf (application/pdf, attachment)]

[Screenshot1.png (image/png, attachment)]

[Screenshot2.png (image/png, attachment)]

Message #17 received at 890826@bugs.debian.org (full text, mbox, reply):

From: "Poenicke, Andreas (TFP)" <andreas.poenicke@kit.edu>

To: 890826@bugs.debian.org

Subject: Patch fixing broken rendering

Date: Mon, 12 Mar 2018 16:44:00 +0100

[Message part 1 (text/plain, inline)]

Hi,

we encountered the same problem but with downloads of older publications 
which probably also are scans.

Having a closer look at the changes in 
	poppler/0.26.5-2+deb8u2

it seems the patch upstream_CVE-2017-9776.patch is incomplete. 
Probably just a line with "continue;" is missing. 

In our case the small attached patched fixed the problem.

Regards,
Andreas

[fix-upstream_CVE-2017-9776.patch (text/x-patch, attachment)]

Message #22 received at 890826@bugs.debian.org (full text, mbox, reply):

From: "Poenicke, Andreas (TFP)" <andreas.poenicke@kit.edu>

To: 890826@bugs.debian.org

Subject: poppler-0.26.5-3+deb8u3 still vulnerable to CVE-2017-9776?

Date: Tue, 13 Mar 2018 09:43:39 +0100

Hi again,

On Mon, 12 Mar 2018 16:44:00 +0100 "Poenicke, Andreas (TFP)" <andreas.poenicke@kit.edu> wrote:
> Hi,
> 
> we encountered the same problem but with downloads of older publications 
> which probably also are scans.
> 
> Having a closer look at the changes in 
> 	poppler/0.26.5-2+deb8u2
> 
> it seems the patch upstream_CVE-2017-9776.patch is incomplete. 
> Probably just a line with "continue;" is missing. 

if my analysis was correct, it means this bug is more severe than I thought
at first glance! In this case, instead of fixing CVE-2017-9776 by avoiding that 
the following code is executed by malformed documents ,and thus preventing an 
"Integer overflow leading to Heap buffer overflow", according to the patch 
upstream_CVE-2017-9776 the code is executed *only* for malformed documents! 

Rendering the patch ineffective and poppler-0.26.5-3+deb8u3 is probably still 
vulnerable to CVE-2017-9776!

Regards,
Andreas

Message #31 received at 890826-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 890826-close@bugs.debian.org

Subject: Bug#890826: fixed in poppler 0.26.5-2+deb8u4

Date: Mon, 16 Apr 2018 18:32:43 +0000

Source: poppler
Source-Version: 0.26.5-2+deb8u4

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890826@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Apr 2018 11:19:50 +0200
Source: poppler
Binary: libpoppler46 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: all source
Version: 0.26.5-2+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 890826
Description: 
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler46 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Changes:
 poppler (0.26.5-2+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Correct patch for CVE-2017-9776.
     Fixes "[regression] Broken rendering of scan PDF from Xerox WorkCentre
     5945". (Closes: #890826)
Checksums-Sha1: 
 d3ed190f5f62fe744d8e8221b7f451978cd38473 3529 poppler_0.26.5-2+deb8u4.dsc
 2d006c452ebe940881653bd623e01f186ad1c368 38200 poppler_0.26.5-2+deb8u4.debian.tar.xz
 c5dfd78340bec8008f749c09e549170ab5e7ec58 85392 libpoppler-glib-doc_0.26.5-2+deb8u4_all.deb
Checksums-Sha256: 
 ac46199a2f2ff41cacefc3de0aaf80994f3215bd9ed7ed14a31f026a43a82824 3529 poppler_0.26.5-2+deb8u4.dsc
 0763c7c9999196bfa8ece41965407e56d51ada324715f0b8800b91519ed67f04 38200 poppler_0.26.5-2+deb8u4.debian.tar.xz
 c73b684b63af22bff9edd0e86ea9d4bc089dafc1cc373920ed042299c20eb569 85392 libpoppler-glib-doc_0.26.5-2+deb8u4_all.deb
Files: 
 54805fa44f12ed48686e141b9d9363da 3529 devel optional poppler_0.26.5-2+deb8u4.dsc
 c019c5b0b44eda65554e1fbda2d6f07b 38200 devel optional poppler_0.26.5-2+deb8u4.debian.tar.xz
 74d3c45adf6581d0e8a2cd39e333d4cf 85392 doc optional libpoppler-glib-doc_0.26.5-2+deb8u4_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlrPOxlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EyI8P/jQYOigXYbZMxY6cUeqWQeZuu+hCNd/+
b5FYqC6f8h23bRTfv0pTCuyOwJ4cwRVqj84ER5AFxiz6hx0mG3UqLh6NXoVpmj54
nEdCsz6R04A2N2qapElC5FnYleK2toO5e5Uh8NM2qgMfAOJ3QdG+Znoty2zGZJNa
1880A6coL8uOKfKQBlA9DGlEtPiPxlaZIlK/QGekxTnk0X6JW1uvnsvZ1C2kHdGx
Vv3uzbT3TzPIKCANCnUAf2cMRVzB7ArgOyQ7LWsRDxLdsx0YkUo642gS6c2kPLcf
7EDGnyK1UiNLokYjCBeBikpvzmkNl/aSa4I3UmWO4IQKbEikOvsHnRLxKwWd7DVy
PNX1NrN3NA8kI5YdjptFlVVmRdiwh4qJGo3SHXtzuT8bZPKDd/t85CyN2Xu/l0tD
YH0f1etsLCRhWbV8k9t60N23Jd2Er2u1F8H9LphfjX5rS5L4DGulBF8BDtsJIfzS
di50QiioIuGhH+K5lpIFIAMx20q2/YKOrB/SdEqB+3u4x9N2jujZAZLXlFOZHRGf
TNHn5KpDhze2wKA4yyRIIMMar6TovH7Tkqbl3WTMQ6Iiz6QJfRseqsSz5c4HD8ik
JixsHs+VUubH+AxpM6auWirHBJ3WdbZl1HRhNOWNBo4JciAsMJ1pW6jmIJZEyj3C
qa4QGssJNdPD
=+hav
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.