Debian Bug report logs -
#702071
CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 2 Mar 2013 12:51:01 UTC
Severity: grave
Tags: confirmed, security
Found in version poppler/0.18.4-5
Fixed in versions poppler/0.18.4-6, poppler/0.20.5-3
Done: Pino Toscano <pino@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>
:
Bug#702071
; Package poppler
.
(Sat, 02 Mar 2013 12:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to Loic Minier <lool@dooz.org>
.
(Sat, 02 Mar 2013 12:51:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: poppler
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for poppler.
CVE-2013-1788[0]:
invalid memory issues
CVE-2013-1789[1]:
crash in broken documents
CVE-2013-1790[2]:
uninitialized memory read
Patches are referenced in the Red Hat Bugzilla to the relevant commits.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Could you check which Debian package versions are affected? (not for all
issues, all patches might be relevant). At least for the unitialized
memory read issiue the code seems present in stable.
For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-1788
[1] http://security-tracker.debian.org/tracker/CVE-2013-1789
[2] http://security-tracker.debian.org/tracker/CVE-2013-1790
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>
:
Bug#702071
; Package poppler
.
(Sat, 02 Mar 2013 18:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Pino Toscano <pino@debian.org>
:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>
.
(Sat, 02 Mar 2013 18:03:03 GMT) (full text, mbox, link).
Message #10 received at 702071@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
> the following vulnerabilities were published for poppler.
>
> CVE-2013-1788[0]:
> invalid memory issues
>
> CVE-2013-1789[1]:
> crash in broken documents
>
> CVE-2013-1790[2]:
> uninitialized memory read
Ouch...
> Patches are referenced in the Red Hat Bugzilla to the relevant
> commits.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> Could you check which Debian package versions are affected? (not for
> all issues, all patches might be relevant). At least for the
> unitialized memory read issiue the code seems present in stable.
>
> For further information see:
>
> [0] http://security-tracker.debian.org/tracker/CVE-2013-1788
> [1] http://security-tracker.debian.org/tracker/CVE-2013-1789
> [2] http://security-tracker.debian.org/tracker/CVE-2013-1790
>
> Please adjust the affected versions in the BTS as needed.
Would it be possible to have all the test cases references by the CVEs?
(You can email them to me directly, of course.)
Some of the commits mentioned in the Red Hat bugs refer to code paths
not in any of the versions in Debian
stable/testing/unstable/experimental, so I need to check all the issues
one by one.
Thanks,
--
Pino Toscano
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>
:
Bug#702071
; Package poppler
.
(Sat, 02 Mar 2013 18:12:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>
.
(Sat, 02 Mar 2013 18:12:06 GMT) (full text, mbox, link).
Message #15 received at 702071@bugs.debian.org (full text, mbox, reply):
Ciao Pino
Thanks for already working on it!
On Sat, Mar 02, 2013 at 06:58:31PM +0100, Pino Toscano wrote:
> Would it be possible to have all the test cases references by the CVEs?
> (You can email them to me directly, of course.)
> Some of the commits mentioned in the Red Hat bugs refer to code paths
> not in any of the versions in Debian
> stable/testing/unstable/experimental, so I need to check all the issues
> one by one.
Yes, as shortly discussed on IRC: I'm trying to get them and will
forward them to you as soon I have them.
Ciao,
Salvatore
Added tag(s) moreinfo.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org
.
(Tue, 12 Mar 2013 22:54:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>
:
Bug#702071
; Package poppler
.
(Mon, 18 Mar 2013 13:51:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Pino Toscano <pino@debian.org>
:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>
.
(Mon, 18 Mar 2013 13:51:11 GMT) (full text, mbox, link).
Message #22 received at 702071@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tag 702071 - moreinfo
tag 702071 + confirmed
found 702071 poppler/0.18.4-5
thanks
Hi,
thanks for the tests cases, Salvatore.
I've verified the issues, and the situation that I found for current
wheezy+sid (= 0.18.4-5) is the following:
Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
> CVE-2013-1788[0]:
> invalid memory issues
This applies, but not with all the reported documents.
> CVE-2013-1789[1]:
> crash in broken documents
This seems to not apply.
> CVE-2013-1790[2]:
> uninitialized memory read
This applies.
I will backport and test the appropriate fixes for this version of
poppler, and then upload.
Regarding stable, I will do the proper investigation (and eventually
backport fixes as needed) once sid is fixed and the fixed version has
successfully migrated to wheezy; this way I want to reduce the potential
issues. Is that okay for the security team?
--
Pino Toscano
[signature.asc (application/pgp-signature, inline)]
Removed tag(s) moreinfo.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org
.
(Mon, 18 Mar 2013 13:51:14 GMT) (full text, mbox, link).
Added tag(s) confirmed.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org
.
(Mon, 18 Mar 2013 13:51:14 GMT) (full text, mbox, link).
Marked as found in versions poppler/0.18.4-5.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org
.
(Mon, 18 Mar 2013 13:51:15 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org
.
(Mon, 18 Mar 2013 15:45:12 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug#702071.
(Mon, 18 Mar 2013 15:45:15 GMT) (full text, mbox, link).
Message #33 received at 702071-submitter@bugs.debian.org (full text, mbox, reply):
tag 702071 pending
thanks
Hello,
Bug #702071 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=pkg-freedesktop/poppler.git;a=commitdiff;h=603219d
---
commit 603219def98146ffad58eb2f76835c623c292d69
Author: Pino Toscano <pino@debian.org>
Date: Mon Mar 18 16:32:19 2013 +0100
note that #702071 is fixed
diff --git a/debian/changelog b/debian/changelog
index a2a269f..5993f8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ poppler (0.18.4-6) UNRELEASED; urgency=low
CVE-2013-1788.
* Backport upstream commit b1026b5978c385328f2a15a2185c599a563edf91 to fix
CVE-2013-1790 (patch upstream_Initialize-refLine-totally.patch).
+ * With the changes above, this upload closes: #702071.
-- Pino Toscano <pino@debian.org> Mon, 18 Mar 2013 15:30:25 +0100
Information forwarded
to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>
:
Bug#702071
; Package poppler
.
(Mon, 18 Mar 2013 16:12:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>
.
(Mon, 18 Mar 2013 16:12:04 GMT) (full text, mbox, link).
Message #38 received at 702071@bugs.debian.org (full text, mbox, reply):
Hi Pino
On Mon, Mar 18, 2013 at 02:48:18PM +0100, Pino Toscano wrote:
> I've verified the issues, and the situation that I found for current
> wheezy+sid (= 0.18.4-5) is the following:
>
> Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
> > CVE-2013-1788[0]:
> > invalid memory issues
>
> This applies, but not with all the reported documents.
>
> > CVE-2013-1789[1]:
> > crash in broken documents
>
> This seems to not apply.
>
> > CVE-2013-1790[2]:
> > uninitialized memory read
>
> This applies.
>
> I will backport and test the appropriate fixes for this version of
> poppler, and then upload.
Thank you for checking these issues and for preparing the fixes.
> Regarding stable, I will do the proper investigation (and eventually
> backport fixes as needed) once sid is fixed and the fixed version has
> successfully migrated to wheezy; this way I want to reduce the potential
> issues. Is that okay for the security team?
Yes this sound good for me.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>
:
Bug#702071
; Package poppler
.
(Sat, 23 Mar 2013 16:33:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>
.
(Sat, 23 Mar 2013 16:33:09 GMT) (full text, mbox, link).
Message #43 received at 702071@bugs.debian.org (full text, mbox, reply):
Hi Pino
On Mon, Mar 18, 2013 at 05:10:00PM +0100, Salvatore Bonaccorso wrote:
> Hi Pino
>
> On Mon, Mar 18, 2013 at 02:48:18PM +0100, Pino Toscano wrote:
> > I've verified the issues, and the situation that I found for current
> > wheezy+sid (= 0.18.4-5) is the following:
> >
> > Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
> > > CVE-2013-1788[0]:
> > > invalid memory issues
> >
> > This applies, but not with all the reported documents.
> >
> > > CVE-2013-1789[1]:
> > > crash in broken documents
> >
> > This seems to not apply.
> >
> > > CVE-2013-1790[2]:
> > > uninitialized memory read
> >
> > This applies.
> >
> > I will backport and test the appropriate fixes for this version of
> > poppler, and then upload.
>
> Thank you for checking these issues and for preparing the fixes.
Did you had a chance already to test the resulting package? I'm asking
as the release gets nearer now.
Thank you for working on these issues,
Salvatore
Reply sent
to Pino Toscano <pino@debian.org>
:
You have taken responsibility.
(Mon, 25 Mar 2013 21:21:12 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Mon, 25 Mar 2013 21:21:12 GMT) (full text, mbox, link).
Message #48 received at 702071-close@bugs.debian.org (full text, mbox, reply):
Source: poppler
Source-Version: 0.18.4-6
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 702071@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 25 Mar 2013 21:43:07 +0100
Source: poppler
Binary: libpoppler19 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev gir1.2-poppler-0.18 libpoppler-qt4-3 libpoppler-qt4-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.18.4-6
Distribution: unstable
Urgency: low
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Pino Toscano <pino@debian.org>
Description:
gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
libpoppler-cpp0 - PDF rendering library (CPP shared library)
libpoppler-dev - PDF rendering library -- development files
libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
libpoppler-glib8 - PDF rendering library (GLib-based shared library)
libpoppler-private-dev - PDF rendering library -- private development files
libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
libpoppler19 - PDF rendering library
poppler-dbg - PDF rendering library -- debugging symbols
poppler-utils - PDF utilities (based on Poppler)
Closes: 702071
Changes:
poppler (0.18.4-6) unstable; urgency=low
.
* Backport upstream commits 0388837f01bc467045164f9ddaff787000a8caaa (patch
upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch),
8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 (adapted patch
upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch), and
e14b6e9c13d35c9bd1e0c50906ace8e707816888 (adapted patch
upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch) to fix
CVE-2013-1788.
* Backport upstream commit b1026b5978c385328f2a15a2185c599a563edf91 to fix
CVE-2013-1790 (patch upstream_Initialize-refLine-totally.patch).
* With the changes above, this upload closes: #702071.
Checksums-Sha1:
c12bf43420675491afab8fa8b45d747a35a0bf04 2356 poppler_0.18.4-6.dsc
2cb490c8b377d07d84496b23b67ec0fdac85139f 21714 poppler_0.18.4-6.debian.tar.gz
27f0fe6d6b625eeb90823fd9f8d46e629cba7ee9 1109420 libpoppler19_0.18.4-6_amd64.deb
da90ec76c6b9dd43bd27a70754bc17fb39ef080b 917992 libpoppler-dev_0.18.4-6_amd64.deb
d45822f399ce83f226ea18f1d8177a2566185924 209208 libpoppler-private-dev_0.18.4-6_amd64.deb
caec5246e122bdb94fa32b7eaa891a42180646fd 106378 libpoppler-glib8_0.18.4-6_amd64.deb
2075ddeac827862fc7a088781b731eadd8169508 232490 libpoppler-glib-dev_0.18.4-6_amd64.deb
8f4ad2e1211119648c9164ea2b106e0b48a3f0d3 28896 gir1.2-poppler-0.18_0.18.4-6_amd64.deb
159cd089da7bc8a8d9bbd1bd9bf07eb4c220bf3f 140588 libpoppler-qt4-3_0.18.4-6_amd64.deb
06ae5922ff36f84df8db98c029ace8b7dbd92e6e 190632 libpoppler-qt4-dev_0.18.4-6_amd64.deb
b37af0c0a338caf973487e228c0907868ff1e3bd 47910 libpoppler-cpp0_0.18.4-6_amd64.deb
080fd89d0b1db3044e444aa8196668874a3e5293 56266 libpoppler-cpp-dev_0.18.4-6_amd64.deb
77fb9d39145c60421462a8fe8315d0adaa49a38c 162034 poppler-utils_0.18.4-6_amd64.deb
34ccd89c84907879d64701de2d779b6e821c1bff 5142400 poppler-dbg_0.18.4-6_amd64.deb
Checksums-Sha256:
ce309363bbe2f303f29dcc9cba68c749df8c66d13df4dc05e4241c029612fcdc 2356 poppler_0.18.4-6.dsc
98e391067b6f2fa224a4120f2e56fead858fcc21f2629fc7fbe6c2d988a839b1 21714 poppler_0.18.4-6.debian.tar.gz
4cc541c85df2aeb582367072bc9279fc20572727bc535ce7974b59d241120e31 1109420 libpoppler19_0.18.4-6_amd64.deb
18137b1d525990b9595d1e38271fa3c19562e75c05659066088b911b624649bf 917992 libpoppler-dev_0.18.4-6_amd64.deb
7d4f9ddf8feb102f22575aceee5d6377bf2fd252100c0e9ed730f2e27139b5ab 209208 libpoppler-private-dev_0.18.4-6_amd64.deb
b333b67b1a5ffc819c77c57ac8c65c92c60543deabbbbfa627249165849029c2 106378 libpoppler-glib8_0.18.4-6_amd64.deb
227e497272e4ffd3661168b5a119bb274c0fe8fde6828e699fe1235097a5475f 232490 libpoppler-glib-dev_0.18.4-6_amd64.deb
11d334549e17ea52f10413c6139ed926605c09f0821af6c44915f0432ca36658 28896 gir1.2-poppler-0.18_0.18.4-6_amd64.deb
75299b4d740541ac6bf1d87296a79d46da0b230cc245ad7c9b46b8f7d646645e 140588 libpoppler-qt4-3_0.18.4-6_amd64.deb
407c01cad2a10d64a5f1e83b39bf0a759e58f5e296197743d66c0723ffc44a8d 190632 libpoppler-qt4-dev_0.18.4-6_amd64.deb
3dfc606be0e3487e554a167aa1c52474cfd63134a421ef4fa14355fccbbb4cdf 47910 libpoppler-cpp0_0.18.4-6_amd64.deb
9556cb1166477c8ef6f161effad9d62e4771ba0061d0c247c262dae0e227db87 56266 libpoppler-cpp-dev_0.18.4-6_amd64.deb
38f2d13ccddac9e3d05abff7c5fab353d3fea550c8f39293850651e03c3f8be4 162034 poppler-utils_0.18.4-6_amd64.deb
1861e6f3f24f47a18392042e8458b75918fba7ac0b4aec7fbcd3f57ea39396c3 5142400 poppler-dbg_0.18.4-6_amd64.deb
Files:
4fdf2a89340d29f1c2a1a6ec56144171 2356 devel optional poppler_0.18.4-6.dsc
70cba07fb8a1ee835e2c67cfeaae459d 21714 devel optional poppler_0.18.4-6.debian.tar.gz
ac2a329440e594bf9225ad5ad071478c 1109420 libs optional libpoppler19_0.18.4-6_amd64.deb
a43097cfcaecdb0a186f9ef04298694b 917992 libdevel optional libpoppler-dev_0.18.4-6_amd64.deb
8d7e4106d80b3709723a3948be6b2469 209208 libdevel optional libpoppler-private-dev_0.18.4-6_amd64.deb
e182ba8b6530a20248d49d249a1e5224 106378 libs optional libpoppler-glib8_0.18.4-6_amd64.deb
f0d214b4d260b47ba3f4cd3188afd3d6 232490 libdevel optional libpoppler-glib-dev_0.18.4-6_amd64.deb
ab7b8dd97720fe46edd50c2abb9ac86e 28896 introspection optional gir1.2-poppler-0.18_0.18.4-6_amd64.deb
9fce7c910fd64432a4a502892d418604 140588 libs optional libpoppler-qt4-3_0.18.4-6_amd64.deb
9a9b6d0ffb95123d5e9bf30e4bc9b304 190632 libdevel optional libpoppler-qt4-dev_0.18.4-6_amd64.deb
a3396c97c962d9d6475ec73db2106485 47910 libs optional libpoppler-cpp0_0.18.4-6_amd64.deb
1c8766828a11fc3fef10d9f0c9bf28f4 56266 libdevel optional libpoppler-cpp-dev_0.18.4-6_amd64.deb
0f0254920f85b6190ba7b03f4d2a7d73 162034 utils optional poppler-utils_0.18.4-6_amd64.deb
a3ac0663323df13d07fba659f6a91348 5142400 debug extra poppler-dbg_0.18.4-6_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRULnRTNH2piB/L3oRAuHrAJ9Ei8Rgo2L/XpYXBc7l+539iaotxACgghUr
wkZLgAnWT/YdgaZ4qUOk01c=
=TqXO
-----END PGP SIGNATURE-----
Marked as fixed in versions poppler/0.20.5-3.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org
.
(Tue, 26 Mar 2013 00:21:15 GMT) (full text, mbox, link).
No longer marked as found in versions poppler/0.18.4-5.
Request was from Michael Gilbert <mgilbert@debian.org>
to control@bugs.debian.org
.
(Wed, 03 Apr 2013 01:54:04 GMT) (full text, mbox, link).
Marked as found in versions 0.12.4-1.
Request was from Michael Gilbert <mgilbert@debian.org>
to control@bugs.debian.org
.
(Wed, 03 Apr 2013 01:54:05 GMT) (full text, mbox, link).
Marked as found in versions poppler/0.18.4-5.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org
.
(Wed, 03 Apr 2013 23:54:04 GMT) (full text, mbox, link).
No longer marked as found in versions 0.12.4-1.
Request was from Pino Toscano <pino@debian.org>
to control@bugs.debian.org
.
(Wed, 03 Apr 2013 23:54:05 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Thu, 02 May 2013 07:30:33 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:30:49 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.