poppler: CVE-2013-4473 CVE-2013-4474

Debian Bug report logs - #729064
poppler: CVE-2013-4473 CVE-2013-4474

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: poppler: CVE-2013-4473 CVE-2013-4474

Date: Fri, 08 Nov 2013 14:32:24 +0100

Package: poppler
Severity: important
Tags: security

Two security issues were found in the pdfseparate tool shipped by poppler-utils:

CVE-2013-4473: buffer overflow
http://cgit.freedesktop.org/poppler/poppler/diff/utils/pdfseparate.cc?id=b8682d868ddf7f741e93b

CVE-2013-4474: format string issue
http://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8ab5a26e79e0c28053ffdccf75

Cheers,
        Moritz

Message #10 received at 729064@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 729064@bugs.debian.org

Subject: Re: [Secure-testing-team] Bug#729064: poppler: CVE-2013-4473 CVE-2013-4474

Date: Tue, 12 Nov 2013 23:47:21 -0500

[Message part 1 (text/plain, inline)]

control: tag -1 patch
control: tag -1 pending

On Fri, Nov 8, 2013 at 8:32 AM, Moritz Muehlenhoff wrote:
> Two security issues were found in the pdfseparate tool shipped by poppler-utils:

Hi, I've uploaded an nmu fixing these two issue to delayed/5.  Please
see attached patch.

Best wishes,
Mike

[poppler.patch (text/x-patch, attachment)]

Message #19 received at 729064@bugs.debian.org (full text, mbox, reply):

From: Pino Toscano <pino@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 729064@bugs.debian.org

Subject: Re: Bug#729064: poppler: CVE-2013-4473 CVE-2013-4474

Date: Sun, 17 Nov 2013 19:30:17 +0100

[Message part 1 (text/plain, inline)]

Hi,

sorry for the late reply, relocating can take your time.

In data venerdì 8 novembre 2013 14:32:24, hai scritto:
> Two security issues were found in the pdfseparate tool shipped by
> poppler-utils:

Luckly both of them are "minor" issues, that can be triggered just 
running pdfseparate.

None of them affects oldstable, since pdfseparate does not exist in that 
old poppler.

> CVE-2013-4473: buffer overflow
> http://cgit.freedesktop.org/poppler/poppler/diff/utils/pdfseparate.cc?
> id=b8682d868ddf7f741e93b

This has been fixed upstream in 0.24.2.

> CVE-2013-4474: format string issue
> http://cgit.freedesktop.org/poppler/poppler/commit/?id=61f79b8447c3ac8
> ab5a26e79e0c28053ffdccf75

This has been fixed upstream in 0.24.3.

-- 
Pino Toscano

[signature.asc (application/pgp-signature, inline)]

Message #24 received at 729064@bugs.debian.org (full text, mbox, reply):

From: Pino Toscano <pino@debian.org>

To: Michael Gilbert <mgilbert@debian.org>, 729064@bugs.debian.org

Subject: Re: Bug#729064: [Secure-testing-team] Bug#729064: poppler: CVE-2013-4473 CVE-2013-4474

Date: Sun, 17 Nov 2013 19:31:22 +0100

[Message part 1 (text/plain, inline)]

Hi,

In data martedì 12 novembre 2013 23:47:21, hai scritto:
> On Fri, Nov 8, 2013 at 8:32 AM, Moritz Muehlenhoff wrote:
> > Two security issues were found in the pdfseparate tool shipped by 
> > poppler-utils:
> Hi, I've uploaded an nmu fixing these two issue to delayed/5.  Please
> see attached patch.

Unfortunately, one of your patches introduces the same issues it is
supposed to fix:

> +@@ -65,9 +66,37 @@
> +   if (firstPage == 0)
> +     firstPage = 1;
> +   if (firstPage != lastPage && strstr(destFileName, "%d") == NULL) {
> +-    error(-1, "'%s' must contain '%%d' if more than one page should be extracted", destFileName);
> ++    error(-1, "'%s' must contain '%d' if more than one page should be extracted", destFileName);
> +     return false;

error() in poppler < 0.19 takes a printf-like format, so changing from
%%d to %d will make printf expect an int, which is not passed as
argument (and thus a we run into a new format string issue).
For the same reason, also...

> ++  if (p != NULL) {
> ++    error(-1, "'%s' can only contain one '%d' pattern", destFileName);
> ++    free(auxDestFileName);
> ++    return false;
> ++  }

... this error() contains the same issue.

Oh, and btw:

> +poppler (0.18.4-8+nmu1) unstable; urgency=high

The NMU version is wrong, since it is not a native package; it should
have been 0.18.4-8.1 instead, as also DevRef §5.11.2 says (but I see
you spread this wrong versioning when NMUing, so hardly something you
will change...)

-- 
Pino Toscano

[signature.asc (application/pgp-signature, inline)]

Message #29 received at 729064-close@bugs.debian.org (full text, mbox, reply):

From: Pino Toscano <pino@debian.org>

To: 729064-close@bugs.debian.org

Subject: Bug#729064: fixed in poppler 0.18.4-9

Date: Sun, 17 Nov 2013 18:48:50 +0000

Source: poppler
Source-Version: 0.18.4-9

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729064@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 17 Nov 2013 18:57:18 +0100
Source: poppler
Binary: libpoppler19 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev gir1.2-poppler-0.18 libpoppler-qt4-3 libpoppler-qt4-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.18.4-9
Distribution: unstable
Urgency: medium
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Pino Toscano <pino@debian.org>
Description: 
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler19 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Closes: 723124 729064
Changes: 
 poppler (0.18.4-9) unstable; urgency=medium
 .
   * Remove the custom RPATH handing on Hurd, since the issue does not affect
     the build anymore; remove the hurd-only chrpath build dependency.
   * Backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c (patch
     upstream_pdfseparate-improve-the-path-building.patch)
     and 61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 (patch
     upstream_Allow-only-one-d-in-the-filename.diff) to fix two string/format
     issues in pdfseparate, reported as CVE-2013-4473 and CVE-2013-4474.
     (Closes: #723124,  #729064)
   * Bump Standards-Version to 3.9.5, no changes required.
Checksums-Sha1: 
 893d48969e59eaad60ca4673f6c9d01488e59851 2371 poppler_0.18.4-9.dsc
 36710fda504f7b86e8823348e305222cde021ad8 24755 poppler_0.18.4-9.debian.tar.gz
 0ad4e4bbcfa3029710d84c526f95987b3dba86bf 921834 libpoppler19_0.18.4-9_amd64.deb
 ce14fdeadcc630e2a62e4d0da1af20ddd7804119 616074 libpoppler-dev_0.18.4-9_amd64.deb
 797008da14bfbe0c3527d513efef719131b9a8c7 147464 libpoppler-private-dev_0.18.4-9_amd64.deb
 6c0c23cda9284de56fe7eef36330eaa0df364516 84328 libpoppler-glib8_0.18.4-9_amd64.deb
 5d04546f4f09cc95b7ba4ea4214028afcc2c8c7e 162654 libpoppler-glib-dev_0.18.4-9_amd64.deb
 1afe400e93046ea55f956fa43202177897ab5863 25592 gir1.2-poppler-0.18_0.18.4-9_amd64.deb
 cec0cf8ff33d59bf5e02ccdfd48d983960c374e5 108544 libpoppler-qt4-3_0.18.4-9_amd64.deb
 fef27852c4afddcf5f72176993119eb129fcaa8f 131660 libpoppler-qt4-dev_0.18.4-9_amd64.deb
 156ae2acf24a879512cca3c3d71b69b03838f503 41304 libpoppler-cpp0_0.18.4-9_amd64.deb
 90e6727d1465939961e9696b1937765d810d4383 45638 libpoppler-cpp-dev_0.18.4-9_amd64.deb
 2fbc3fba8567716dc2b2b5d29bacb660502bd8af 118550 poppler-utils_0.18.4-9_amd64.deb
 9f7550069092de59a972544d1678c55ebe04bd45 4915830 poppler-dbg_0.18.4-9_amd64.deb
Checksums-Sha256: 
 e889950434f0587b88ec9a1b5c3a86cc7b4eff83fa19dd5260e704164a17a243 2371 poppler_0.18.4-9.dsc
 6ef5c4b8797ce16379abee72c2f994ae992b9facf906f59611923d6d60f84181 24755 poppler_0.18.4-9.debian.tar.gz
 1b133fc7f7789b6b68b4c7a82766460cb4f397dcb2a9bc9b9335b5a87160337a 921834 libpoppler19_0.18.4-9_amd64.deb
 81fe230509e5db0e22e42db73c2397c98cd550fb6f14ac75771fb169e169f157 616074 libpoppler-dev_0.18.4-9_amd64.deb
 adee80c572895f2787d0439cf6fe2ee7ccb236890c264ec950cc2885674acb83 147464 libpoppler-private-dev_0.18.4-9_amd64.deb
 31e32d3c3f9e56b7c9e85cbcb0269260b9d54ac8180b3fe3397bb7453c22f906 84328 libpoppler-glib8_0.18.4-9_amd64.deb
 52d89e349ee23484e1ea153e0797868fb7cfa1a3a3ffd4bb81ffd78a1a8be4a4 162654 libpoppler-glib-dev_0.18.4-9_amd64.deb
 bad79f5b3cf267e260e0d6eb72d964976ae6e5874797128657378720be3b4331 25592 gir1.2-poppler-0.18_0.18.4-9_amd64.deb
 e66ff484709ddf2dc900a9a98708fdd4ee6816a47250ef1e59cba87d477f7f65 108544 libpoppler-qt4-3_0.18.4-9_amd64.deb
 b63b7b7ed40046cdd0194743fd71629d6edd9007ea70dcb7b5c903bd055fa224 131660 libpoppler-qt4-dev_0.18.4-9_amd64.deb
 b7045c43ea1da6812fc4bbb26a74a502c1fbd766fa3326f9f143211dc3fe0c2c 41304 libpoppler-cpp0_0.18.4-9_amd64.deb
 4e8f0a5986d57681be15b82ddb7947f7c09c355ae6f51aef74d3f06849de21c7 45638 libpoppler-cpp-dev_0.18.4-9_amd64.deb
 2fcda708330b5f27483afbf6c74cf21dd8b6d79e6dd90d85d0d03d40307dba88 118550 poppler-utils_0.18.4-9_amd64.deb
 71ec69a2051c29bc948a4408061dd135ea6d58f95e8723cbad1a099bd585d811 4915830 poppler-dbg_0.18.4-9_amd64.deb
Files: 
 df831174ad401c4f9e70d638bba9fa11 2371 devel optional poppler_0.18.4-9.dsc
 1893d142cc22abbb2a8b592fddaff9ea 24755 devel optional poppler_0.18.4-9.debian.tar.gz
 c33856037a30faaa063ee9b3f0f5e243 921834 libs optional libpoppler19_0.18.4-9_amd64.deb
 f645ec4a64c1535c422d1833c793f507 616074 libdevel optional libpoppler-dev_0.18.4-9_amd64.deb
 57adb4b398390476dc09b5b58952d6a7 147464 libdevel optional libpoppler-private-dev_0.18.4-9_amd64.deb
 bb7f7ec3996d5b3acb4d2ef2873f7943 84328 libs optional libpoppler-glib8_0.18.4-9_amd64.deb
 6c364b3708f9ced6100f3dac3673a4d5 162654 libdevel optional libpoppler-glib-dev_0.18.4-9_amd64.deb
 bdceedb13260c11a56f67ec221680741 25592 introspection optional gir1.2-poppler-0.18_0.18.4-9_amd64.deb
 51315423380d160a354eab726843ef49 108544 libs optional libpoppler-qt4-3_0.18.4-9_amd64.deb
 bd454972e60ec09e44d5ea8655cf24da 131660 libdevel optional libpoppler-qt4-dev_0.18.4-9_amd64.deb
 fd9e1a302e1fa9562002dab4df2f24a9 41304 libs optional libpoppler-cpp0_0.18.4-9_amd64.deb
 62cee2d034e6d476dd61ed0e3e09c7dd 45638 libdevel optional libpoppler-cpp-dev_0.18.4-9_amd64.deb
 74f527a82b9d28bb694ce359b9ec9e4a 118550 utils optional poppler-utils_0.18.4-9_amd64.deb
 830a15a18a308e0512e3506191f197b1 4915830 debug extra poppler-dbg_0.18.4-9_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iD8DBQFSiQcHTNH2piB/L3oRAjEeAJ44dHeLXSOKq3VdLn4lWAJNQCnJYACdHU/W
BcVQnWK9Csp+v6nkCT9DIag=
=JXKx
-----END PGP SIGNATURE-----

Message #34 received at 729064@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: 729064@bugs.debian.org

Subject: Re: Bug#729064: [Secure-testing-team] Bug#729064: poppler: CVE-2013-4473 CVE-2013-4474

Date: Sun, 17 Nov 2013 14:11:34 -0500

On Sun, Nov 17, 2013 at 1:31 PM, Pino Toscano wrote:
> Unfortunately, one of your patches introduces the same issues it is
> supposed to fix:
>
>> +@@ -65,9 +66,37 @@
>> +   if (firstPage == 0)
>> +     firstPage = 1;
>> +   if (firstPage != lastPage && strstr(destFileName, "%d") == NULL) {
>> +-    error(-1, "'%s' must contain '%%d' if more than one page should be extracted", destFileName);
>> ++    error(-1, "'%s' must contain '%d' if more than one page should be extracted", destFileName);
>> +     return false;
>
> error() in poppler < 0.19 takes a printf-like format, so changing from
> %%d to %d will make printf expect an int, which is not passed as
> argument (and thus a we run into a new format string issue).

Thanks for spotting and correcting that.

> Oh, and btw:
>
>> +poppler (0.18.4-8+nmu1) unstable; urgency=high
>
> The NMU version is wrong, since it is not a native package; it should
> have been 0.18.4-8.1 instead, as also DevRef §5.11.2 says (but I see
> you spread this wrong versioning when NMUing, so hardly something you
> will change...)

Remember developers reference is a set of guidelines.  The switch over
to +debXuY for stable uploads opened up more flexibility to use a
consistent versioning scheme for both native and non-native packages.

There was discussion on developers-reference about that over a year
ago that may be worth catching up on.

Best wishes,
Mike

Message #39 received at 729064@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: 729064@bugs.debian.org

Subject: Re: Bug#729064: poppler: CVE-2013-4473 CVE-2013-4474

Date: Mon, 18 Nov 2013 08:46:52 +0100

On Sun, Nov 17, 2013 at 07:30:17PM +0100, Pino Toscano wrote:
> Hi,
> 
> sorry for the late reply, relocating can take your time.
> 
> In data venerdì 8 novembre 2013 14:32:24, hai scritto:
> > Two security issues were found in the pdfseparate tool shipped by
> > poppler-utils:
> 
> Luckly both of them are "minor" issues, that can be triggered just 
> running pdfseparate.

I agree, we can include them in a future DSA (or if you want to fix them
earlier in a Wheezy point release)

Cheers,
        Moritz

Message #44 received at 729064-submitter@bugs.debian.org (full text, mbox, reply):

From: Pino Toscano <pino@debian.org>

To: 729064-submitter@bugs.debian.org

Subject: Bug#729064 marked as pending

Date: Sat, 23 Nov 2013 22:50:52 +0000

tag 729064 pending
thanks

Hello,

Bug #729064 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=pkg-freedesktop/poppler.git;a=commitdiff;h=03dc7c0

---
commit 03dc7c0c4ab7d792eecbd94234e1b46f2fbcf6c9
Author: Pino Toscano <pino@debian.org>
Date:   Sun Nov 17 18:52:09 2013 +0100

    fix CVE-2013-4473 and CVE-2013-4474 (#723124,  #729064)
    
    backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c and
    61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 to fix two string/format issues
    in pdfseparate

diff --git a/debian/changelog b/debian/changelog
index e23886b..bbb41f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,12 @@ poppler (0.18.4-9) UNRELEASED; urgency=low
 
   * Remove the custom RPATH handing on Hurd, since the issue does not affect
     the build anymore; remove the hurd-only chrpath build dependency.
+  * Backport upstream commits b8682d868ddf7f741e93b791588af0932893f95c (patch
+    upstream_pdfseparate-improve-the-path-building.patch)
+    and 61f79b8447c3ac8ab5a26e79e0c28053ffdccf75 (patch
+    upstream_Allow-only-one-d-in-the-filename.diff) to fix two string/format
+    issues in pdfseparate, reported as CVE-2013-4473 and CVE-2013-4474.
+    (Closes: #723124,  #729064)
 
  -- Pino Toscano <pino@debian.org>  Sun, 17 Nov 2013 18:26:58 +0100
 

Send a report that this bug log contains spam.