Bug 457869

Summary: CVE-2008-2950 affects all versions of poppler prior to 0.8.5
Product: [Fedora] Fedora
Reporter: Vasile Gaburici <gaburici>
Component: poppler
Assignee: Kristian Høgsberg <krh>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: 9
CC: jnovy, leonard-rh-bugzilla, thoger
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2950
Doc Type: Bug Fix
Last Closed: 2008-09-11 13:07:26 EDT

Description Vasile Gaburici 2008-08-05 00:40:40 EDT
Maybe now we can get a decent version of poppler in Fedora 9...
Comment 1 Tomas Hoger 2008-08-05 03:25:26 EDT
https://admin.fedoraproject.org/updates/F9/pending/poppler-0.8.1-2.fc9

Feel free to test...


(Btw, it does not affect all versions, the problem was only introduced in 0.5.x or 0.6.x ;).
Comment 2 Vasile Gaburici 2008-08-05 03:45:55 EDT
(In reply to comment #1)
> https://admin.fedoraproject.org/updates/F9/pending/poppler-0.8.1-2.fc9
> 
> Feel free to test...
> 
> 
> (Btw, it does not affect all versions, problem was only introduced in 0.5.x or
> 0.6.x ;).

Not much point in getting just some of the 0.8.5 "new features".

Core:
 * Fix crash on PDF that define a page thumbnail but it's not a Stream
 * Fix crash when Annots object is not of the desired type
 * Fix crash when obtaining fonts in PDF where XObjects link themselves in loops
 * Fix crash on documents with an IRT object
 * Saving should work much better now
 * Plug some memory leaks in Annotation handling

Utils:
 * pdftohtml: Don't crash on documents that specify an invalid named dest for a link
Comment 3 Tomas Hoger 2008-08-05 04:21:37 EDT
Vasile, the primary purpose of the update request mentioned in comment #1 was to address CVE-2008-2950, exactly what you have complained about in this bug report.

I also decided to include fixes for the crasher bugs encountered by Fedora users (one of them seems to have been reported by you).  As I'm not a package (co-)owner, I'm not going to do larger changes, like move to a newer upstream version, for no good reason.

(In reply to comment #2)
> Not much point in getting just some of the 0.8.5 "new features".

My aim was to include fixes for important bugs users really faced and reported, along with the security fix.
Comment 4 Vasile Gaburici 2008-08-05 05:06:25 EDT
(In reply to comment #3)
> Vasile, primary purpose of the update request mentioned in comment #1 was to
> address CVE-2008-2950, exactly what you have complained about in this bug
> report.
> 
> I also decided to include fixes for the crasher bugs encountered by Fedora
> users (one of them seem to have been reported by you).  As I'm not package
> (co-)owner, I'm not going to do larger changes, like move to newer upstream
> version, for no good reason.
> 
> (In reply to comment #2)
> > Not much point in getting just some of the 0.8.5 "new features".
> 
> My aim was to include fixes important bugs users really faced and reported,
> along with security fix.

I wasn't complaining to you; it was a general rant against the state of poppler in the vain hope that the package owner would read it ;)
Comment 5 Vasile Gaburici 2008-08-05 14:15:21 EDT
For whatever it's worth: http://www.cs.umd.edu/~gaburici/poppler-0.8.5-0.1.fc9.src.rpm
Comment 6 Fedora Update System 2008-08-07 19:50:31 EDT
poppler-0.8.1-2.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update poppler'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-7012
Comment 7 Leonard den Ottolander 2008-09-03 03:42:13 EDT
This bug report should be propagated to RHEL 5 too.
Comment 8 Tomas Hoger 2008-09-03 03:53:27 EDT
(In reply to comment #7)
> This bug report should be propagated to RHEL 5 too.

Can you possibly clarify this?  What exactly should be propagated to RHEL5?  CVE-2008-2950 did not affect poppler version in RHEL5 (see bug #454277).

Please file separate bug against Red Hat Enterprise Linux product for the issues you are experiencing with RHEL version of poppler.  Thank you!
Comment 9 Leonard den Ottolander 2008-09-03 05:51:36 EDT
There is no rationalization for the conclusion in bug #454277#c5, and I would say that statement is wrong. All versions of poppler < 0.8.5 (at least for the 0.8.x series) are affected as you can see in http://www.ocert.org/advisories/ocert-2008-007.html .

If you compare the code for Page.cc in poppler-0.8.0:

Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) {
  Object tmp;
	
  ok = gTrue;
  xref = xrefA;

you can see the initialization of pageWidgets to NULL is also missing there. Also see the comments in http://www.milw0rm.com/exploits/6032 .
Comment 10 Tomas Hoger 2008-09-03 06:23:16 EDT
I did read oCERT-2008-007 before.  And I'm still convinced that the statement is correct.

Problem occurs when pageWidgets is freed in Page::~Page.  As you can easily check, that does not happen in poppler versions before 0.6 (or so), including 0.5.4 as shipped in Red Hat Enterprise Linux 5.  pageWidgets only occurs in poppler sources in 0.6.x and later.
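The constructor/destructor interaction described in comment 10, as an added example that is not poppler's own code. It is a deliberately small C++ model: the class and member names (PageVuln, PageFixed, FormPageWidgets, pageWidgets) mirror poppler's naming but the bodies are assumptions, the page dictionary is reduced to the type of its /Annots entry, and the "valid types" list and the error path are a simplification of the real Page::Page. The vulnerable shape is shown for comparison only; the test exercises just the fixed shape, since destroying a PageVuln built from a malformed dictionary is precisely the undefined behaviour behind CVE-2008-2950.

```cpp
#include <cstdio>
#include <string>

// Stand-in for poppler's FormPageWidgets (assumed, not the real class). It
// counts live instances so the check below can confirm that a page frees
// exactly what it allocated and nothing else.
struct FormPageWidgets {
    static int live;
    FormPageWidgets() { ++live; }
    ~FormPageWidgets() { --live; }
};
int FormPageWidgets::live = 0;

// Constructed input: a page dictionary reduced to the one attribute this
// model hinges on, the object type of its /Annots entry.
struct PageDict {
    std::string annotsType;   // "Array", "Ref", "Null" accepted; anything else is malformed
};

static bool annotsTypeOk(const std::string &t) {
    return t == "Array" || t == "Ref" || t == "Null";
}

// Pre-0.8.5 shape of the bug: pageWidgets is first written only after the
// /Annots check succeeds, so the early exit on a malformed /Annots leaves the
// member holding whatever the heap contained, and ~Page deletes that
// indeterminate pointer. Never destroy an instance built from a malformed
// dictionary; this struct exists only to show the shape of the defect.
struct PageVuln {
    bool ok;
    FormPageWidgets *pageWidgets;          // no initializer before the exit below
    explicit PageVuln(const PageDict &d) {
        ok = true;
        if (!annotsTypeOk(d.annotsType)) {
            ok = false;
            return;                        // pageWidgets never written
        }
        pageWidgets = new FormPageWidgets();
    }
    ~PageVuln() { delete pageWidgets; }    // frees garbage when !ok
};

// Fixed shape (the 0.8.5 change, written as a C++ initializer list instead of
// an assignment at the top of the body): every owned pointer is NULL before
// the first exit point, so the destructor's delete is a no-op on the error
// path and a real free on the success path.
struct PageFixed {
    bool ok;
    FormPageWidgets *pageWidgets;
    explicit PageFixed(const PageDict &d) : ok(true), pageWidgets(nullptr) {
        if (!annotsTypeOk(d.annotsType)) {
            ok = false;
            return;                        // safe: pageWidgets is already NULL
        }
        pageWidgets = new FormPageWidgets();
    }
    ~PageFixed() { delete pageWidgets; }   // delete nullptr is defined as a no-op
    PageFixed(const PageFixed &) = delete; // owns a raw pointer: no copies
    PageFixed &operator=(const PageFixed &) = delete;
};

// Regression check for the fix: build and destroy a page from the given
// /Annots type and report whether parsing succeeded and how many widget
// objects are still alive afterwards (must be 0 on both paths).
struct Outcome { bool ok; int liveAfter; };

Outcome buildAndDestroy(const std::string &annotsType) {
    Outcome r;
    {
        PageFixed p(PageDict{annotsType});
        r.ok = p.ok;
    }                                      // ~PageFixed runs here
    r.liveAfter = FormPageWidgets::live;
    return r;
}

int main() {
    Outcome good = buildAndDestroy("Array");
    Outcome bad  = buildAndDestroy("Dict"); // malformed: /Annots is a direct dict
    std::printf("valid page:     ok=%d live=%d\n", good.ok, good.liveAfter);
    std::printf("malformed page: ok=%d live=%d\n", bad.ok, bad.liveAfter);
    return (good.ok && !bad.ok && good.liveAfter == 0 && bad.liveAfter == 0) ? 0 : 1;
}
```

The point of the model is the ordering, not the allocation itself: any member the destructor releases has to be given a defined value before the first `return` or `goto err` in the constructor, which is why the upstream fix is a single `pageWidgets = NULL;` near the top of Page::Page. Running the PageVuln error path under a memory checker (Valgrind or AddressSanitizer) would report the free of an uninitialised value; the PageFixed path is clean.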
Comment 11 Leonard den Ottolander 2008-09-03 06:54:33 EDT
Excuse my reference to poppler-0.8.0 which is of course a modification I worked on last week trying to get Inkscape to work. Since the start of the constructor Page::Page() for versions 0.5.4 & 0.8.4 looks very similar I drew the conclusion that the RHEL 5 version *might* be vulnerable too. Checking the wrong version (0.8.0) today made me draw an incorrect conclusion. Sorry for the mixup. I checked the destructor and see that you are right.
Comment 12 Tomas Hoger 2008-09-03 07:01:04 EDT
No problem.

Please make sure to file bugs against Red Hat Enterprise Linux product, or, in case of security issue, contact Security Response Team directly via mail:

  http://www.redhat.com/security/team/contact/

if you have doubts whether some issue is fixed or not, to make sure it's not missed accidentally.
Comment 13 Fedora Update System 2008-09-11 13:07:10 EDT
poppler-0.8.1-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.