Bug 224448 - poppler appears to be hit by CVE-2007-0104
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: poppler
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Kristian Høgsberg
http://cve.mitre.org/cgi-bin/cvename....
bzcl34nup
Reported: 2007-01-25 14:13 EST by Michal Jaegermann
Modified: 2008-08-01 06:06 EDT

Fixed In Version: poppler-0.5.9
Doc Type: Bug Fix
Last Closed: 2008-08-01 06:06:06 EDT

Attachments
patch for CVE-2007-0104 as applied to poppler (2.50 KB, patch)
2007-01-25 14:13 EST, Michal Jaegermann

Description Michal Jaegermann 2007-01-25 14:13:03 EST
Description of problem:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0104 says
about xpdf:

"The Adobe PDF specification 1.3, as implemented by xpdf 3.0.1
patch 2, kpdf in KDE before 3.5.5, and other products, allows
remote attackers to have an unknown impact, possibly
including denial of service (infinite loop), arbitrary code
execution, or memory corruption, via a PDF file with a (1)
crafted catalog dictionary or (2) a crafted Pages attribute
that references an invalid page tree node."

poppler is using the same code.  Attached is a patch adopted from
ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdegraphics-CAN-2005-3193.diff

Version-Release number of selected component (if applicable):
poppler-0.5.4-5.fc6

Additional info:
The same problem likely also affects other distributions and
possibly xpdf (in Extras), tetex and maybe others.

Hardly unknown. Apart from the quoted CVE see http://lwn.net/Articles/218335/,
http://lwn.net/Articles/218336/, http://lwn.net/Articles/218337/ and
other related ones.
Comment 1 Michal Jaegermann 2007-01-25 14:13:03 EST
Created attachment 146598
patch for CVE-2007-0104 as applied to poppler
Comment 2 Bug Zapper 2008-04-04 01:44:39 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 3 Michal Jaegermann 2008-04-04 12:32:00 EDT
I do not see either CVE-2007-0104 or this bug number explicitly
mentioned in the current poppler changelog (there are later CVEs
fixed though).  Leaving that for a bug owner.
Comment 4 Jon Stanley 2008-04-04 20:41:26 EDT
This is against FC6, which will never be updated.  Is this still currently an
issue, or is that something you don't know?
Comment 5 Michal Jaegermann 2008-04-05 01:04:17 EDT
I just do not know.  I would have to dig through a package code
and I hoped that a package owner will know an answer right away
(or if this is even applicable to the current poppler version).
Comment 6 Michal Jaegermann 2008-04-05 01:14:20 EDT
(Eh?  Something ate half of my comment.  Again.)
I just do not know.  I would have to dig through a package code
and I hoped that a package owner will know an answer right away
(or if this is even applicable to the current poppler version).

Changelog for poppler-0.5.4-8.fc7 (the same code base) lists explicitly
  CVE-2007-3387 (#248194), CVE-2007-4352 (#345101),
  CVE-2007-5392 (#345111), CVE-2007-5393 (#345121)
but for poppler-0.6.2-1.fc8 not even that.
Comment 7 Bug Zapper 2008-05-13 22:34:12 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 8 Tomas Hoger 2008-07-31 04:42:09 EDT
Michal, do you still believe this issue affects current versions of poppler as
shipped in Fedora?  Recent versions of xpdf and poppler seem to detect loops in
page trees, so if you try to open MOAB-06-01-2007.pdf, you should get the
following error:

  Error: Loop in Pages tree

instead of a crash due to stack memory exhaustion caused by deep recursion.

This check was added to poppler sources via sync with xpdf code base in the
following commit:

http://cgit.freedesktop.org/poppler/poppler/diff/poppler/Catalog.cc?id=bf7e0e980bf29994021cb1228f89f582adddf284

As you can see, it actually deprecates / removes the previous check, which used a
fixed recursion limit.  Loops should no longer be a problem.

(I guess it may still be possible to create a deep-enough tree that would cause
stack memory exhaustion, but again, a crash seems to be the only impact.  If you
are concerned, it's probably better to report it directly to the upstream BZ.)

Ok to close this bug?
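The two guards discussed in comment #8, as an added example that is not poppler's code nor the attached patch: a constructed stand-in for a /Pages tree (object number -> object numbers of its /Kids, so no real PDF parsing), the old-style fixed recursion limit beside a loop-aware walk that records every node reference it has read and reports "Loop in Pages tree" on the second visit. It goes one step beyond the commit being discussed by walking with an explicit stack instead of recursion, which also covers the deep-but-acyclic tree the parenthetical above worries about. All names (PageTree, WalkResult, countPagesDepthLimited, countPagesLoopAware, the sample trees) are this example's own.

```cpp
// Added example, not poppler's code: loop detection in a PDF /Pages tree.
// The tree is a constructed stand-in for the real object graph: object
// number -> object numbers of its /Kids. A node with no entry in the map,
// or with an empty /Kids array, is treated as a /Page leaf.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

using PageTree = std::map<int, std::vector<int>>;

struct WalkResult {
    int pages;          // leaves (/Page objects) reached
    std::string error;  // empty on success
};

// Old-style guard: a fixed recursion limit. A loop is never recognised as a
// loop; the walk only stops after it has burned maxDepth stack frames, and a
// legitimate tree deeper than the limit is rejected too.
static void walkDepthLimited(const PageTree& tree, int node, int depth,
                             int maxDepth, WalkResult& out) {
    if (!out.error.empty()) return;
    if (depth > maxDepth) { out.error = "Pages tree too deep"; return; }
    auto it = tree.find(node);
    if (it == tree.end() || it->second.empty()) { ++out.pages; return; }
    for (int kid : it->second)
        walkDepthLimited(tree, kid, depth + 1, maxDepth, out);
}

WalkResult countPagesDepthLimited(const PageTree& tree, int root, int maxDepth) {
    WalkResult r{0, ""};
    walkDepthLimited(tree, root, 0, maxDepth, r);
    return r;
}

// Loop-aware walk: every node reference is recorded the first time it is
// read, and meeting it again is reported as a loop (a node reachable by two
// paths is an error as well, since /Pages must be a tree). Recursion is
// replaced by an explicit stack, so a deep but acyclic tree cannot exhaust
// the native call stack either.
WalkResult countPagesLoopAware(const PageTree& tree, int root) {
    WalkResult r{0, ""};
    std::set<int> alreadyRead;
    std::vector<int> pending{root};
    while (!pending.empty()) {
        int node = pending.back();
        pending.pop_back();
        if (!alreadyRead.insert(node).second) {
            r.error = "Loop in Pages tree";
            return r;
        }
        auto it = tree.find(node);
        if (it == tree.end() || it->second.empty()) { ++r.pages; continue; }
        // Push kids in reverse so they are visited in document order.
        for (auto k = it->second.rbegin(); k != it->second.rend(); ++k)
            pending.push_back(*k);
    }
    return r;
}

// Constructed sample trees (not taken from any real PDF).
PageTree wellFormedTree() {
    // 1 = root /Pages; 2 and 3 = intermediate /Pages; 4..7 = /Page leaves.
    return {{1, {2, 3}}, {2, {4, 5}}, {3, {6, 7}}};
}

PageTree loopedTree() {
    // /Kids of node 3 points back at the root: the shape behind the crash.
    return {{1, {2, 3}}, {2, {4}}, {3, {1}}};
}

PageTree deepChain(int depth) {
    PageTree t;
    for (int i = 1; i <= depth; ++i) t[i] = {i + 1};  // node depth+1 is the only leaf
    return t;
}

int main() {
    auto show = [](const char* name, const WalkResult& r) {
        std::cout << name << ": "
                  << (r.error.empty() ? std::to_string(r.pages) + " pages" : r.error)
                  << "\n";
    };
    show("well-formed, depth-limited", countPagesDepthLimited(wellFormedTree(), 1, 50));
    show("well-formed, loop-aware  ", countPagesLoopAware(wellFormedTree(), 1));
    show("looped, depth-limited    ", countPagesDepthLimited(loopedTree(), 1, 50));
    show("looped, loop-aware       ", countPagesLoopAware(loopedTree(), 1));
    show("deep chain, depth-limited", countPagesDepthLimited(deepChain(200), 1, 50));
    show("deep chain, loop-aware   ", countPagesLoopAware(deepChain(200), 1));
    return 0;
}
```

On the looped tree the depth-limited walk only fails after recursing to the limit, and it wrongly rejects the 200-deep acyclic chain; the loop-aware walk reports the loop on the first repeated reference and accepts the chain. The recursive loop-aware variant in the real code base would still be bounded by the native stack on such a chain, which is the residual crash-only case mentioned above.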
Comment 9 Michal Jaegermann 2008-07-31 12:31:01 EDT
"do you still believe this issue affects current versions of poppler".
It looks to me that the notes in comment #8 show that this bug is
indeed fixed and it should be closed.  It is still not clear from the
above, nor from the changelog, to which versions this may apply, but I will
leave that to "owners".
Comment 10 Tomas Hoger 2008-08-01 06:06:06 EDT
Looking at the versions we had in Fedora, the problem was present in 0.5.4.  Loop
detection is included in 0.5.9.  Current stable Fedora versions are based on
0.6.2 (F-8) and 0.8.1 (F-9), hence include the fix.

Btw:

(In reply to comment #6)
> Changelog for poppler-0.5.4-8.fc7 (the same code base) lists explicitly
>   CVE-2007-3387 (#248194), CVE-2007-4352 (#345101),
>   CVE-2007-5392 (#345111), CVE-2007-5393 (#345121)
> but for poppler-0.6.2-1.fc8 not even that.

IIRC, poppler was re-based to fixed upstream version in F-8 without fixes for
those being mentioned in the RPM changelog.
