diff -Nru poppler-0.41.0/debian/changelog poppler-0.41.0/debian/changelog
--- poppler-0.41.0/debian/changelog 2018-08-27 17:03:00.000000000 +0000
+++ poppler-0.41.0/debian/changelog 2018-11-30 17:07:46.000000000 +0000
@@ -1,3 +1,31 @@
+poppler (0.41.0-0ubuntu1.9) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2018-19149.patch: "check whether
+ and embedded file is actually present in the PDF and
+ show warning in that case" in glib/poppler-attachment.cc,
+ glib/poppler-document.cc.
+ - CVE-2018-19149
+ [ Marc Deslauriers ]
+ * SECURITY UPDATE: infinite recursion via crafted file
+ - debian/patches/CVE-2018-16646.patch: avoid cycles in PDF parsing in
+ poppler/Parser.cc, poppler/XRef.h.
+ - CVE-2018-16646
+ * SECURITY UPDATE: denial of service via reachable abort
+ - debian/patches/CVE-2018-19058.patch: check for stream before calling
+ stream methods when saving an embedded file in poppler/FileSpec.cc.
+ - CVE-2018-19058
+ * SECURITY UPDATE: denial of service via out-of-bounds read
+ - debian/patches/CVE-2018-19059.patch: check for valid embedded file
+ before trying to save it in utils/pdfdetach.cc.
+ - CVE-2018-19059
+ * SECURITY UPDATE: denial of service via NULL pointer dereference
+ - debian/patches/CVE-2018-19060.patch: check for valid file name of
+ embedded file in utils/pdfdetach.cc.
+ - CVE-2018-19060
+
+ -- Leonidas S. Barbosa Fri, 30 Nov 2018 14:07:17 -0300
+
 poppler (0.41.0-0ubuntu1.8) xenial-security; urgency=medium
 
 * SECURITY UPDATE: Out of bounds read
diff -Nru poppler-0.41.0/debian/patches/CVE-2018-16646.patch poppler-0.41.0/debian/patches/CVE-2018-16646.patch
--- poppler-0.41.0/debian/patches/CVE-2018-16646.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2018-16646.patch 2018-11-30 15:13:43.000000000 +0000
@@ -0,0 +1,53 @@
+From 3d35d209c19c1d3b09b794a0c863ba5de44a9c0a Mon Sep 17 00:00:00 2001
+From: Marek Kasik
+Date: Mon, 29 Oct 2018 17:44:47 +0100
+Subject: [PATCH] Avoid cycles in PDF parsing
+
+Mark objects being processed in Parser::makeStream() as being processed
+and check the mark when entering this method to avoid processing
+of the same object recursively.
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index ce98660..5f7a8d0 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -202,7 +202,18 @@ Stream *Parser::makeStream(Object *dict, Guchar *fileKey,
+ Stream *str;
+ Goffset length;
+ Goffset pos, endPos;
++ XRefEntry *entry;
+ 
++ if (xref && (entry = xref->getEntry(objNum, false))) {
++ if (!entry->getFlag(XRefEntry::Parsing) ||
++ (objNum == 0 && objGen == 0)) {
++ entry->setFlag(XRefEntry::Parsing, true);
++ } else {
++ error(errSyntaxError, getPos(),
++ "Object '{0:d} {1:d} obj' is being already parsed", objNum, objGen);
++ return NULL;
++ }
++ }
+ // get stream start position
+ lexer->skipToNextLine();
+ if (!(str = lexer->getStream())) {
+@@ -281,6 +292,9 @@ Stream *Parser::makeStream(Object *dict, Guchar *fileKey,
+ // get filters
+ str = str->addFilters(dict, recursion);
+ 
++ if (entry)
++ entry->setFlag(XRefEntry::Parsing, false);
++ 
+ return str;
+ }
+ 
+diff --git a/poppler/XRef.h b/poppler/XRef.h
+index 70065d8..326f465 100644
+--- a/poppler/XRef.h
++++ b/poppler/XRef.h
+@@ -69,6 +69,7 @@ struct XRefEntry {
+ enum Flag {
+ // Regular flags
+ Updated, // Entry was modified
++ Parsing, // Entry is currently being parsed
+ 
+ // Special flags -- available only after xref->scanSpecialFlags() is run
+ Unencrypted, // Entry is stored in unencrypted form (meaningless in unencrypted documents)
diff -Nru poppler-0.41.0/debian/patches/CVE-2018-19058.patch poppler-0.41.0/debian/patches/CVE-2018-19058.patch
--- poppler-0.41.0/debian/patches/CVE-2018-19058.patch 1970-01-01 00:00:00.000000000 +0000
+++ 
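Review bot: `XRefEntry *entry;` in the first Parser.cc hunk is declared without an initializer and is assigned only inside `if (xref && (entry = xref->getEntry(objNum, false)))`, so when `xref` is null the `if (entry)` in the second hunk reads an indeterminate pointer; declare it as `XRefEntry *entry = NULL;`. The two hunks are separated by the body of makeStream, and the context at the first hunk's edge (`if (!(str = lexer->getStream())) {`) suggests early exits there; if any of them return between the `setFlag(Parsing, true)` and the `setFlag(Parsing, false)`, the flag stays set and a later legitimate parse of the same object is rejected with the new error, so each exit path needs to clear it (or a small scope guard should). makeStream starts and ends outside the hunk.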
poppler-0.41.0/debian/patches/CVE-2018-19058.patch 2018-11-30 15:14:18.000000000 +0000
@@ -0,0 +1,21 @@
+From 6912e06d9ab19ba28991b5cab3319d61d856bd6d Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Tue, 6 Nov 2018 09:00:02 +0100
+Subject: [PATCH] Check for stream before calling stream methods when saving an
+ embedded file.
+
+Closes #659
+diff --git a/poppler/FileSpec.cc b/poppler/FileSpec.cc
+index bac1eae..3b3076b 100644
+--- a/poppler/FileSpec.cc
++++ b/poppler/FileSpec.cc
+@@ -96,6 +96,9 @@ GBool EmbFile::save(const char *path) {
+ GBool EmbFile::save2(FILE *f) {
+ int c;
+ 
++ if (unlikely(!m_objStr.isStream()))
++ return false;
++ 
+ m_objStr.streamReset();
+ while ((c = m_objStr.streamGetChar()) != EOF) {
+ fputc(c, f);
diff -Nru poppler-0.41.0/debian/patches/CVE-2018-19059.patch poppler-0.41.0/debian/patches/CVE-2018-19059.patch
--- poppler-0.41.0/debian/patches/CVE-2018-19059.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2018-19059.patch 2018-11-30 15:37:27.000000000 +0000
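Review bot: The new guard `if (unlikely(!m_objStr.isStream()))` in EmbFile::save2 re-states the test that `EmbFile::isOk()` already exposes (FileSpec.h in this same upload shows `GBool isOk() { return m_objStr.isStream(); }`), so `if (unlikely(!isOk())) return false;` keeps the two definitions of "valid embedded file" in one place. The bail-out is silent and, judging by the hunk header `GBool EmbFile::save(const char *path)`, save2 is presumably called after save() has already opened the destination, which would leave an empty output file behind on this path — worth confirming against save(), which is outside the hunk. save2 starts inside the hunk and ends outside it.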
@@ -0,0 +1,39 @@
+From 77a30e94d96220d7e22dff5b3f0a7f296f01b118 Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Tue, 6 Nov 2018 09:13:41 +0100
+Subject: [PATCH] pdfdetach: Check for valid embedded file before trying to
+ save it.
+
+Closes #661
+diff --git a/utils/pdfdetach.cc b/utils/pdfdetach.cc
+index 5bbdc1e..ad9657a 100644
+--- a/utils/pdfdetach.cc
++++ b/utils/pdfdetach.cc
+@@ -247,7 +247,12 @@ int main(int argc, char *argv[]) {
+ }
+ *p = '\0';
+ 
+- if (!fileSpec->getEmbeddedFile()->save(path)) {
++ EmbFile *embFile = fileSpec->getEmbeddedFile();
++ if (!embFile || !embFile->isOk()) {
++ exitCode = 3;
++ goto err2;
++ }
++ if (!embFile->save(path)) {
+ error(errIO, -1, "Error saving embedded file as '{0:s}'", p);
+ exitCode = 2;
+ goto err2;
+@@ -292,7 +297,12 @@ int main(int argc, char *argv[]) {
+ p = path;
+ }
+ 
+- if (!fileSpec->getEmbeddedFile()->save(p)) {
++ EmbFile *embFile = fileSpec->getEmbeddedFile();
++ if (!embFile || !embFile->isOk()) {
++ exitCode = 3;
++ goto err2;
++ }
++ if (!embFile->save(p)) {
+ error(errIO, -1, "Error saving embedded file as '{0:s}'", p);
+ exitCode = 2;
+ goto err2;
diff -Nru poppler-0.41.0/debian/patches/CVE-2018-19060.patch poppler-0.41.0/debian/patches/CVE-2018-19060.patch
--- poppler-0.41.0/debian/patches/CVE-2018-19060.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2018-19060.patch 2018-11-30 17:06:43.000000000 +0000
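Review bot: The new `if (!embFile || !embFile->isOk())` branches in both pdfdetach.cc hunks set `exitCode = 3` and jump to err2 without any diagnostic, while the save failure a few lines below reports through `error(errIO, ...)`; a user gets a bare non-zero exit with nothing saying the attachment itself was missing or malformed. Add a message before the jump, e.g. `error(errSyntaxError, -1, "Embedded file is missing or invalid");`. The same silent `exitCode = 3; goto err2;` pattern is repeated in the three `if (!s1)` checks added by CVE-2018-19060.patch, so one message (or a small static helper shared by all five sites) would cover them. main starts and ends outside the hunk.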
@@ -0,0 +1,74 @@
+From d2f5d424ba8752f9a9e9dad410546ec1b46caa0a Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Tue, 6 Nov 2018 09:08:06 +0100
+Subject: [PATCH] pdfdetach: Check for valid file name of embedded file before
+ using it to determine save path.
+
+Closes #660
+diff --git a/utils/pdfdetach.cc b/utils/pdfdetach.cc
+index ad9657a..ca26777 100644
+--- a/utils/pdfdetach.cc
++++ b/utils/pdfdetach.cc
+@@ -187,14 +187,18 @@ int main(int argc, char *argv[]) {
+ fileSpec = static_cast(embeddedFiles->get(i));
+ printf("%d: ", i+1);
+ s1 = fileSpec->getFileName();
+- if ((s1->getChar(0) & 0xff) == 0xfe && (s1->getChar(1) & 0xff) == 0xff) {
++ if (!s1) {
++ exitCode = 3;
++ goto err2;
++ }
++ if (s1->hasUnicodeMarker()) {
+ isUnicode = gTrue;
+ j = 2;
+ } else {
+ isUnicode = gFalse;
+ j = 0;
+ }
+- while (j < fileSpec->getFileName()->getLength()) {
++ while (j < s1->getLength()) {
+ if (isUnicode) {
+ u = ((s1->getChar(j) & 0xff) << 8) | (s1->getChar(j+1) & 0xff);
+ j += 2;
+@@ -224,14 +228,18 @@ int main(int argc, char *argv[]) {
+ p = path;
+ }
+ s1 = fileSpec->getFileName();
+- if ((s1->getChar(0) & 0xff) == 0xfe && (s1->getChar(1) & 0xff) == 0xff) {
++ if (!s1) {
++ exitCode = 3;
++ goto err2;
++ }
++ if (s1->hasUnicodeMarker()) {
+ isUnicode = gTrue;
+ j = 2;
+ } else {
+ isUnicode = gFalse;
+ j = 0;
+ }
+- while (j < fileSpec->getFileName()->getLength()) {
++ while (j < s1->getLength()) {
+ if (isUnicode) {
+ u = ((s1->getChar(j) & 0xff) << 8) | (s1->getChar(j+1) & 0xff);
+ j += 2;
+@@ -272,14 +280,18 @@ int main(int argc, char *argv[]) {
+ } else {
+ p = path;
+ s1 = fileSpec->getFileName();
+- if ((s1->getChar(0) & 0xff) == 0xfe && (s1->getChar(1) & 0xff) == 0xff) {
++ if (!s1) {
++ exitCode = 3;
++ goto err2;
++ }
++ if (s1->hasUnicodeMarker()) {
+ isUnicode = gTrue;
+ j = 2;
+ } else {
+ isUnicode = gFalse;
+ j = 0;
+ }
+- while (j < fileSpec->getFileName()->getLength()) {
++ while (j < s1->getLength()) {
+ if (isUnicode) {
+ u = ((s1->getChar(j) & 0xff) << 8) | (s1->getChar(j+1) & 0xff);
+ j += 2;
diff -Nru poppler-0.41.0/debian/patches/CVE-2018-19149.patch poppler-0.41.0/debian/patches/CVE-2018-19149.patch
--- poppler-0.41.0/debian/patches/CVE-2018-19149.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2018-19149.patch 2018-11-30 17:06:59.000000000 +0000
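Review bot: The new `if (!s1)` guard covers a null file name but not a short one: the inline test it replaces read `getChar(0)` and `getChar(1)` unconditionally, and whether `s1->hasUnicodeMarker()` is any safer on a name shorter than two bytes depends on the GooString implementation in this 0.41.0 tree, so confirm it checks `getLength()` before touching the second byte (newer poppler does; older releases did not). In the same loop, the Unicode branch reads `s1->getChar(j+1)` while the condition only guarantees `j < s1->getLength()`, so an odd-length UTF-16 name reads one byte past its last character on the final iteration; a `if (j + 1 >= s1->getLength()) break;` inside the `if (isUnicode)` branch would close that. The three hunks carry identical copies of the guard and the loop head, which is a good candidate for one static helper. main starts and ends outside the hunk.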
@@ -0,0 +1,80 @@
+From f162ecdea0dda5dbbdb45503c1d55d9afaa41d44 Mon Sep 17 00:00:00 2001
+From: Marek Kasik
+Date: Fri, 20 Apr 2018 11:38:13 +0200
+Subject: [PATCH] Fix crash on missing embedded file
+
+Check whether an embedded file is actually present in the PDF
+and show warning in that case.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=106137
+https://gitlab.freedesktop.org/poppler/poppler/issues/236
+diff --git a/glib/poppler-attachment.cc b/glib/poppler-attachment.cc
+index 874bffb..bea06f5 100644
+--- a/glib/poppler-attachment.cc
++++ b/glib/poppler-attachment.cc
+@@ -117,18 +117,27 @@ _poppler_attachment_new (FileSpec *emb_file)
+ attachment->description = _poppler_goo_string_to_utf8 (emb_file->getDescription ());
+ 
+ embFile = emb_file->getEmbeddedFile();
+- attachment->size = embFile->size ();
+-
+- if (embFile->createDate ())
+- _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime);
+- if (embFile->modDate ())
+- _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime);
+-
+- if (embFile->checksum () && embFile->checksum ()->getLength () > 0)
+- attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (),
+- embFile->checksum ()->getLength ());
+- priv->obj_stream = new Object();
+- priv->obj_stream->initStream(embFile->stream());
++ if (embFile != NULL && embFile->streamObject()->isStream())
++ {
++ attachment->size = embFile->size ();
++
++ if (embFile->createDate ())
++ _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime);
++ if (embFile->modDate ())
++ _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime);
++
++
++ if (embFile->checksum () && embFile->checksum ()->getLength () > 0)
++ attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (),
++ embFile->checksum ()->getLength ());
++ priv->obj_stream = new Object();
++ priv->obj_stream->initStream(embFile->stream());
++ }
++ else
++ {
++ g_warning ("Missing stream object for embedded file");
++ g_clear_object (&attachment);
++ }
+ // Copy the stream
+ embFile->stream()->incRef();
+ 
+diff --git a/glib/poppler-document.cc b/glib/poppler-document.cc
+index 61d92e8..bd87f17 100644
+--- a/glib/poppler-document.cc
++++ b/glib/poppler-document.cc
+@@ -667,7 +667,8 @@ poppler_document_get_attachments (PopplerDocument *document)
+ attachment = _poppler_attachment_new (emb_file);
+ delete emb_file;
+ 
+- retval = g_list_prepend (retval, attachment);
++ if (attachment != NULL)
++ retval = g_list_prepend (retval, attachment);
+ }
+ return g_list_reverse (retval);
+ }
+diff --git a/poppler/FileSpec.h b/poppler/FileSpec.h
+index 9f2f6fc..f97ed01 100644
+--- a/poppler/FileSpec.h
++++ b/poppler/FileSpec.h
+@@ -31,6 +31,7 @@ public:
+ GooString *createDate() { return m_createDate; }
+ GooString *checksum() { return m_checksum; }
+ GooString *mimeType() { return m_mimetype; }
++ Object *streamObject() { return &m_objStr; }
+ Stream *stream() { return isOk() ? m_objStr.getStream() : NULL; }
+ GBool isOk() { return m_objStr.isStream(); }
+ GBool save(const char *path);
diff -Nru poppler-0.41.0/debian/patches/series poppler-0.41.0/debian/patches/series
--- poppler-0.41.0/debian/patches/series 2018-08-27 18:56:26.000000000 +0000
+++ poppler-0.41.0/debian/patches/series 2018-11-30 17:06:59.000000000 +0000
@@ -23,3 +23,8 @@
 CVE-2017-14976.patch
 CVE-2017-18267.patch
 CVE-2018-13988.patch
+CVE-2018-16646.patch
+CVE-2018-19058.patch
+CVE-2018-19059.patch
+CVE-2018-19060.patch
+CVE-2018-19149.patch
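Review bot: The else branch in the poppler-attachment.cc hunk warns and clears `attachment` but does not leave the function, and the context lines directly after it, `// Copy the stream` / `embFile->stream()->incRef();`, still execute: with `embFile == NULL` that is a null dereference, and with a non-stream object `EmbFile::stream()` returns NULL per the FileSpec.h hunk in this same patch, so the crash the patch is meant to remove is still reachable on the new side of this backport. Move `embFile->stream()->incRef();` inside the `if` block, after `priv->obj_stream->initStream(embFile->stream());`, or `return NULL;` right after `g_clear_object (&attachment);`. The function's return is outside the hunk, so anything else between the `incRef()` and that return which touches embFile needs the same treatment; the `if (attachment != NULL)` guard added in poppler-document.cc is consistent with an early return here. _poppler_attachment_new starts and ends outside the hunk.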