CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790

Debian Bug report logs - #702071
CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: submit@bugs.debian.org

Subject: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790

Date: Sat, 2 Mar 2013 13:48:21 +0100

Package: poppler
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for poppler.

CVE-2013-1788[0]:
invalid memory issues

CVE-2013-1789[1]:
crash in broken documents

CVE-2013-1790[2]:
uninitialized memory read

Patches are referenced in the Red Hat Bugzilla to the relevant commits.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Could you check which Debian package versions are affected? (not for all
issues, all patches might be relevant). At least for the unitialized
memory read issiue the code seems present in stable.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-1788
[1] http://security-tracker.debian.org/tracker/CVE-2013-1789
[2] http://security-tracker.debian.org/tracker/CVE-2013-1790

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 702071@bugs.debian.org (full text, mbox, reply):

From: Pino Toscano <pino@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 702071@bugs.debian.org

Subject: Re: Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790

Date: Sat, 2 Mar 2013 18:58:31 +0100

[Message part 1 (text/plain, inline)]

Hi,

Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
> the following vulnerabilities were published for poppler.
> 
> CVE-2013-1788[0]:
> invalid memory issues
> 
> CVE-2013-1789[1]:
> crash in broken documents
> 
> CVE-2013-1790[2]:
> uninitialized memory read

Ouch...

> Patches are referenced in the Red Hat Bugzilla to the relevant
> commits.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> Could you check which Debian package versions are affected? (not for
> all issues, all patches might be relevant). At least for the
> unitialized memory read issiue the code seems present in stable.
> 
> For further information see:
> 
> [0] http://security-tracker.debian.org/tracker/CVE-2013-1788
> [1] http://security-tracker.debian.org/tracker/CVE-2013-1789
> [2] http://security-tracker.debian.org/tracker/CVE-2013-1790
> 
> Please adjust the affected versions in the BTS as needed.

Would it be possible to have all the test cases references by the CVEs? 
(You can email them to me directly, of course.)
Some of the commits mentioned in the Red Hat bugs refer to code paths 
not in any of the versions in Debian 
stable/testing/unstable/experimental, so I need to check all the issues 
one by one.

Thanks,
-- 
Pino Toscano

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 702071@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Pino Toscano <pino@debian.org>, 702071@bugs.debian.org

Subject: Re: Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790

Date: Sat, 2 Mar 2013 19:09:11 +0100

Ciao Pino

Thanks for already working on it!

On Sat, Mar 02, 2013 at 06:58:31PM +0100, Pino Toscano wrote:
> Would it be possible to have all the test cases references by the CVEs? 
> (You can email them to me directly, of course.)
> Some of the commits mentioned in the Red Hat bugs refer to code paths 
> not in any of the versions in Debian 
> stable/testing/unstable/experimental, so I need to check all the issues 
> one by one.

Yes, as shortly discussed on IRC: I'm trying to get them and will
forward them to you as soon I have them.

Ciao,
Salvatore

Message #22 received at 702071@bugs.debian.org (full text, mbox, reply):

From: Pino Toscano <pino@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 702071@bugs.debian.org

Subject: Re: Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790

Date: Mon, 18 Mar 2013 14:48:18 +0100

[Message part 1 (text/plain, inline)]

tag 702071 - moreinfo
tag 702071 + confirmed
found 702071 poppler/0.18.4-5
thanks

Hi,

thanks for the tests cases, Salvatore.

I've verified the issues, and the situation that I found for current 
wheezy+sid (= 0.18.4-5) is the following:

Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
> CVE-2013-1788[0]:
> invalid memory issues

This applies, but not with all the reported documents.

> CVE-2013-1789[1]:
> crash in broken documents

This seems to not apply.

> CVE-2013-1790[2]:
> uninitialized memory read

This applies.

I will backport and test the appropriate fixes for this version of 
poppler, and then upload.

Regarding stable, I will do the proper investigation (and eventually 
backport fixes as needed) once sid is fixed and the fixed version has 
successfully migrated to wheezy; this way I want to reduce the potential 
issues.  Is that okay for the security team?

-- 
Pino Toscano

[signature.asc (application/pgp-signature, inline)]

Message #33 received at 702071-submitter@bugs.debian.org (full text, mbox, reply):

From: Pino Toscano <pino@debian.org>

To: 702071-submitter@bugs.debian.org

Subject: Bug#702071 marked as pending

Date: Mon, 18 Mar 2013 15:43:11 +0000

tag 702071 pending
thanks

Hello,

Bug #702071 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=pkg-freedesktop/poppler.git;a=commitdiff;h=603219d

---
commit 603219def98146ffad58eb2f76835c623c292d69
Author: Pino Toscano <pino@debian.org>
Date:   Mon Mar 18 16:32:19 2013 +0100

    note that #702071 is fixed

diff --git a/debian/changelog b/debian/changelog
index a2a269f..5993f8c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,7 @@ poppler (0.18.4-6) UNRELEASED; urgency=low
     CVE-2013-1788.
   * Backport upstream commit b1026b5978c385328f2a15a2185c599a563edf91 to fix
     CVE-2013-1790 (patch upstream_Initialize-refLine-totally.patch).
+  * With the changes above, this upload closes: #702071.
 
  -- Pino Toscano <pino@debian.org>  Mon, 18 Mar 2013 15:30:25 +0100
 

Message #38 received at 702071@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Pino Toscano <pino@debian.org>

Cc: 702071@bugs.debian.org, Debian Security Team <team@security.debian.org>

Subject: Re: Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790

Date: Mon, 18 Mar 2013 17:10:00 +0100

Hi Pino

On Mon, Mar 18, 2013 at 02:48:18PM +0100, Pino Toscano wrote:
> I've verified the issues, and the situation that I found for current 
> wheezy+sid (= 0.18.4-5) is the following:
> 
> Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
> > CVE-2013-1788[0]:
> > invalid memory issues
> 
> This applies, but not with all the reported documents.
> 
> > CVE-2013-1789[1]:
> > crash in broken documents
> 
> This seems to not apply.
> 
> > CVE-2013-1790[2]:
> > uninitialized memory read
> 
> This applies.
> 
> I will backport and test the appropriate fixes for this version of 
> poppler, and then upload.

Thank you for checking these issues and for preparing the fixes.

> Regarding stable, I will do the proper investigation (and eventually 
> backport fixes as needed) once sid is fixed and the fixed version has 
> successfully migrated to wheezy; this way I want to reduce the potential 
> issues.  Is that okay for the security team?

Yes this sound good for me.

Regards,
Salvatore

Message #43 received at 702071@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Pino Toscano <pino@debian.org>, 702071@bugs.debian.org

Cc: Debian Security Team <team@security.debian.org>

Subject: Re: Bug#702071: CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790

Date: Sat, 23 Mar 2013 17:28:24 +0100

Hi Pino

On Mon, Mar 18, 2013 at 05:10:00PM +0100, Salvatore Bonaccorso wrote:
> Hi Pino
> 
> On Mon, Mar 18, 2013 at 02:48:18PM +0100, Pino Toscano wrote:
> > I've verified the issues, and the situation that I found for current 
> > wheezy+sid (= 0.18.4-5) is the following:
> > 
> > Alle sabato 2 marzo 2013, Salvatore Bonaccorso ha scritto:
> > > CVE-2013-1788[0]:
> > > invalid memory issues
> > 
> > This applies, but not with all the reported documents.
> > 
> > > CVE-2013-1789[1]:
> > > crash in broken documents
> > 
> > This seems to not apply.
> > 
> > > CVE-2013-1790[2]:
> > > uninitialized memory read
> > 
> > This applies.
> > 
> > I will backport and test the appropriate fixes for this version of 
> > poppler, and then upload.
> 
> Thank you for checking these issues and for preparing the fixes.

Did you had a chance already to test the resulting package? I'm asking
as the release gets nearer now.

Thank you for working on these issues,

Salvatore

Message #48 received at 702071-close@bugs.debian.org (full text, mbox, reply):

From: Pino Toscano <pino@debian.org>

To: 702071-close@bugs.debian.org

Subject: Bug#702071: fixed in poppler 0.18.4-6

Date: Mon, 25 Mar 2013 21:17:55 +0000

Source: poppler
Source-Version: 0.18.4-6

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702071@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 25 Mar 2013 21:43:07 +0100
Source: poppler
Binary: libpoppler19 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev gir1.2-poppler-0.18 libpoppler-qt4-3 libpoppler-qt4-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.18.4-6
Distribution: unstable
Urgency: low
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Pino Toscano <pino@debian.org>
Description: 
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler19 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Closes: 702071
Changes: 
 poppler (0.18.4-6) unstable; urgency=low
 .
   * Backport upstream commits 0388837f01bc467045164f9ddaff787000a8caaa (patch
     upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch),
     8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 (adapted patch
     upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch), and
     e14b6e9c13d35c9bd1e0c50906ace8e707816888 (adapted patch
     upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch) to fix
     CVE-2013-1788.
   * Backport upstream commit b1026b5978c385328f2a15a2185c599a563edf91 to fix
     CVE-2013-1790 (patch upstream_Initialize-refLine-totally.patch).
   * With the changes above, this upload closes: #702071.
Checksums-Sha1: 
 c12bf43420675491afab8fa8b45d747a35a0bf04 2356 poppler_0.18.4-6.dsc
 2cb490c8b377d07d84496b23b67ec0fdac85139f 21714 poppler_0.18.4-6.debian.tar.gz
 27f0fe6d6b625eeb90823fd9f8d46e629cba7ee9 1109420 libpoppler19_0.18.4-6_amd64.deb
 da90ec76c6b9dd43bd27a70754bc17fb39ef080b 917992 libpoppler-dev_0.18.4-6_amd64.deb
 d45822f399ce83f226ea18f1d8177a2566185924 209208 libpoppler-private-dev_0.18.4-6_amd64.deb
 caec5246e122bdb94fa32b7eaa891a42180646fd 106378 libpoppler-glib8_0.18.4-6_amd64.deb
 2075ddeac827862fc7a088781b731eadd8169508 232490 libpoppler-glib-dev_0.18.4-6_amd64.deb
 8f4ad2e1211119648c9164ea2b106e0b48a3f0d3 28896 gir1.2-poppler-0.18_0.18.4-6_amd64.deb
 159cd089da7bc8a8d9bbd1bd9bf07eb4c220bf3f 140588 libpoppler-qt4-3_0.18.4-6_amd64.deb
 06ae5922ff36f84df8db98c029ace8b7dbd92e6e 190632 libpoppler-qt4-dev_0.18.4-6_amd64.deb
 b37af0c0a338caf973487e228c0907868ff1e3bd 47910 libpoppler-cpp0_0.18.4-6_amd64.deb
 080fd89d0b1db3044e444aa8196668874a3e5293 56266 libpoppler-cpp-dev_0.18.4-6_amd64.deb
 77fb9d39145c60421462a8fe8315d0adaa49a38c 162034 poppler-utils_0.18.4-6_amd64.deb
 34ccd89c84907879d64701de2d779b6e821c1bff 5142400 poppler-dbg_0.18.4-6_amd64.deb
Checksums-Sha256: 
 ce309363bbe2f303f29dcc9cba68c749df8c66d13df4dc05e4241c029612fcdc 2356 poppler_0.18.4-6.dsc
 98e391067b6f2fa224a4120f2e56fead858fcc21f2629fc7fbe6c2d988a839b1 21714 poppler_0.18.4-6.debian.tar.gz
 4cc541c85df2aeb582367072bc9279fc20572727bc535ce7974b59d241120e31 1109420 libpoppler19_0.18.4-6_amd64.deb
 18137b1d525990b9595d1e38271fa3c19562e75c05659066088b911b624649bf 917992 libpoppler-dev_0.18.4-6_amd64.deb
 7d4f9ddf8feb102f22575aceee5d6377bf2fd252100c0e9ed730f2e27139b5ab 209208 libpoppler-private-dev_0.18.4-6_amd64.deb
 b333b67b1a5ffc819c77c57ac8c65c92c60543deabbbbfa627249165849029c2 106378 libpoppler-glib8_0.18.4-6_amd64.deb
 227e497272e4ffd3661168b5a119bb274c0fe8fde6828e699fe1235097a5475f 232490 libpoppler-glib-dev_0.18.4-6_amd64.deb
 11d334549e17ea52f10413c6139ed926605c09f0821af6c44915f0432ca36658 28896 gir1.2-poppler-0.18_0.18.4-6_amd64.deb
 75299b4d740541ac6bf1d87296a79d46da0b230cc245ad7c9b46b8f7d646645e 140588 libpoppler-qt4-3_0.18.4-6_amd64.deb
 407c01cad2a10d64a5f1e83b39bf0a759e58f5e296197743d66c0723ffc44a8d 190632 libpoppler-qt4-dev_0.18.4-6_amd64.deb
 3dfc606be0e3487e554a167aa1c52474cfd63134a421ef4fa14355fccbbb4cdf 47910 libpoppler-cpp0_0.18.4-6_amd64.deb
 9556cb1166477c8ef6f161effad9d62e4771ba0061d0c247c262dae0e227db87 56266 libpoppler-cpp-dev_0.18.4-6_amd64.deb
 38f2d13ccddac9e3d05abff7c5fab353d3fea550c8f39293850651e03c3f8be4 162034 poppler-utils_0.18.4-6_amd64.deb
 1861e6f3f24f47a18392042e8458b75918fba7ac0b4aec7fbcd3f57ea39396c3 5142400 poppler-dbg_0.18.4-6_amd64.deb
Files: 
 4fdf2a89340d29f1c2a1a6ec56144171 2356 devel optional poppler_0.18.4-6.dsc
 70cba07fb8a1ee835e2c67cfeaae459d 21714 devel optional poppler_0.18.4-6.debian.tar.gz
 ac2a329440e594bf9225ad5ad071478c 1109420 libs optional libpoppler19_0.18.4-6_amd64.deb
 a43097cfcaecdb0a186f9ef04298694b 917992 libdevel optional libpoppler-dev_0.18.4-6_amd64.deb
 8d7e4106d80b3709723a3948be6b2469 209208 libdevel optional libpoppler-private-dev_0.18.4-6_amd64.deb
 e182ba8b6530a20248d49d249a1e5224 106378 libs optional libpoppler-glib8_0.18.4-6_amd64.deb
 f0d214b4d260b47ba3f4cd3188afd3d6 232490 libdevel optional libpoppler-glib-dev_0.18.4-6_amd64.deb
 ab7b8dd97720fe46edd50c2abb9ac86e 28896 introspection optional gir1.2-poppler-0.18_0.18.4-6_amd64.deb
 9fce7c910fd64432a4a502892d418604 140588 libs optional libpoppler-qt4-3_0.18.4-6_amd64.deb
 9a9b6d0ffb95123d5e9bf30e4bc9b304 190632 libdevel optional libpoppler-qt4-dev_0.18.4-6_amd64.deb
 a3396c97c962d9d6475ec73db2106485 47910 libs optional libpoppler-cpp0_0.18.4-6_amd64.deb
 1c8766828a11fc3fef10d9f0c9bf28f4 56266 libdevel optional libpoppler-cpp-dev_0.18.4-6_amd64.deb
 0f0254920f85b6190ba7b03f4d2a7d73 162034 utils optional poppler-utils_0.18.4-6_amd64.deb
 a3ac0663323df13d07fba659f6a91348 5142400 debug extra poppler-dbg_0.18.4-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRULnRTNH2piB/L3oRAuHrAJ9Ei8Rgo2L/XpYXBc7l+539iaotxACgghUr
wkZLgAnWT/YdgaZ4qUOk01c=
=TqXO
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.