poppler: CVE-2010-5110: Incorrect error handling in libjpeg implementation

Related Vulnerabilities: CVE-2010-5110  

Debian Bug report logs - #722705
poppler: CVE-2010-5110: Incorrect error handling in libjpeg implementation


Package: libpoppler5; Maintainer for libpoppler5 is (unknown);

Reported by: etienne helluy <etiennehelluy@gmail.com>

Date: Fri, 13 Sep 2013 14:24:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in version poppler/0.12.4-1

Fixed in versions poppler/0.16.3-1, poppler/0.12.4-1.2+squeeze4

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=26280



Report forwarded to debian-bugs-dist@lists.debian.org, etiennehelluy@gmail.com, Loic Minier <lool@dooz.org>:
Bug#722705; Package libpoppler5. (Fri, 13 Sep 2013 14:24:06 GMT)


Acknowledgement sent to etienne helluy <etiennehelluy@gmail.com>:
New Bug report received and forwarded. Copy sent to etiennehelluy@gmail.com, Loic Minier <lool@dooz.org>. (Fri, 13 Sep 2013 14:24:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: etienne helluy <etiennehelluy@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpoppler5: Incorrect error handling in libjpeg implementation
Date: Fri, 13 Sep 2013 16:23:11 +0200
Package: libpoppler5
Version: 0.12.4-1.2+squeeze3
Severity: important

In DCTStream.cc::init(), when initializing a jpeg stream, a custom error_exit
handler is set.
According to libjpeg's documentation, this handler should not return to the
caller.
(cf. http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tkimg/tkimg/libjpeg/libjpeg.doc ; "Error Handling")
The custom handler (exitErrorHandler) does return to the caller.
This induces several vulnerabilities in jpeg handling, and at least one of
these can be exploited to run arbitrary code (for example in evince, when it's
not compiled as PIE, as in debian 6)



-- System Information:
Debian Release: 6.0.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.36.4 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpoppler5 depends on:
ii  libc6              2.11.3-4              Embedded GNU C Library: Shared lib
ii  libfontconfig1     2.8.0-2.1             generic font configuration library
ii  libfreetype6       2.4.2-2.1+squeeze4    FreeType 2 font engine, shared lib
ii  libgcc1            1:4.4.5-8             GCC support library
ii  libjpeg62          6b1-1                 The Independent JPEG Group's JPEG 
ii  liblcms1           1.18.dfsg-1.2+b3      Color management library
ii  libopenjpeg2       1.3+dfsg-4+squeeze1   JPEG 2000 image compression/decomp
ii  libpng12-0         1.2.44-1+squeeze4     PNG library - runtime
ii  libstdc++6         4.4.5-8               The GNU Standard C++ Library v3
ii  libxml2            2.7.8.dfsg-2+squeeze7 GNOME XML library

libpoppler5 recommends no packages.

libpoppler5 suggests no packages.

-- no debconf information
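The error_exit contract the report describes, shown as an added example that is not poppler's or libjpeg's code: a constructed stand-in for the libjpeg error manager, with the returning handler of the pre-fix DCTStream beside the longjmp-based handler that the squeeze4 changelog entry ("abort ... rather than returning") describes. read_header, init_returning, init_longjmp and the 6-byte header layout are assumptions made for the example.

```c
#include <setjmp.h>

/* Stand-in for libjpeg's error-manager contract (constructed for this
 * example): the library calls err->error_exit() on a fatal error and is
 * written on the assumption that the call never returns. */
struct decoder;
struct error_mgr {
    void (*error_exit)(struct decoder *d);
    jmp_buf setjmp_buffer;      /* target for the longjmp-based handler */
};
struct decoder { struct error_mgr *err; int width, height; };

/* Stand-in header parser: 6 bytes, SOI marker FF D8, then big-endian width
 * and height.  On a bad marker it calls error_exit and, like the real
 * library, does not expect the lines after that call to execute. */
static void read_header(struct decoder *d, const unsigned char hdr[6])
{
    if (hdr[0] != 0xFF || hdr[1] != 0xD8)
        d->err->error_exit(d);  /* must not return */
    d->width  = (hdr[2] << 8) | hdr[3];
    d->height = (hdr[4] << 8) | hdr[5];
}

/* Pre-fix shape of poppler's exitErrorHandler: report and return, so the
 * decoder carries on with state derived from a rejected header. */
static void error_exit_returning(struct decoder *d) { (void)d; }

/* Fixed shape (squeeze4 changelog: "abort ... rather than returning"):
 * unwind to the setjmp() in init instead of returning into the library. */
static void error_exit_longjmp(struct decoder *d)
{
    longjmp(d->err->setjmp_buffer, 1);
}

/* Both return 1 when the caller would treat the stream as usable. */
int init_returning(const unsigned char hdr[6], int *w, int *h)
{
    struct error_mgr err = { error_exit_returning };
    struct decoder d = { &err, 0, 0 };
    read_header(&d, hdr);
    *w = d.width; *h = d.height;
    return 1;               /* accepts whatever read_header left behind */
}

int init_longjmp(const unsigned char hdr[6], int *w, int *h)
{
    struct error_mgr err = { error_exit_longjmp };
    struct decoder d = { &err, 0, 0 };
    if (setjmp(err.setjmp_buffer))
        return 0;           /* error_exit unwound here: stream rejected */
    read_header(&d, hdr);
    *w = d.width; *h = d.height;
    return 1;
}
```

A longjmp() out of the library skips the destructors of any C++ objects on the frames it unwinds, so in a C++ caller like DCTStream keep nothing that needs cleanup live between the setjmp() and the handler.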



Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#722705; Package libpoppler5. (Mon, 16 Sep 2013 17:15:05 GMT)


Acknowledgement sent to 722705@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Mon, 16 Sep 2013 17:15:05 GMT)


Message #10 received at 722705@bugs.debian.org:

From: Pino Toscano <pino@debian.org>
To: etienne helluy <etiennehelluy@gmail.com>, 722705@bugs.debian.org
Subject: Re: Bug#722705: libpoppler5: Incorrect error handling in libjpeg implementation
Date: Mon, 16 Sep 2013 19:12:50 +0200
forwarded 722705 https://bugs.freedesktop.org/show_bug.cgi?id=26280
fixed 722705 poppler/0.16.3-1
thanks

Hi,

On Friday 13 September 2013 16:23:11, you wrote:
> Package: libpoppler5
> Version: 0.12.4-1.2+squeeze3
> Severity: important
> 
> In DCTStream.cc::init(), when initializing a jpeg stream, a custom
> error_exit handler is set.
> According to libjpeg's documentation, this handler should not return
> to the caller.
> (cf. http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tkimg/tkimg/libjpeg/libjpeg.doc ; "Error Handling")
> The custom handler (exitErrorHandler) does return to the caller.

This is true, and it has been fixed upstream with the rework of the 
error handling with:
- fc071d8 [1] (poppler 0.13.3+) -- that is the main change
- 301352e [2] (0.17.0+, backported to 0.16.1 as 7bcf4e1 [3])
- 42c1b1c [4] (0.17.2+)
- 70e6af4 [5] (0.23.0+)

Most of those are part of 0.18.4 as shipped in stable, which seems safe 
([5] does not seem critical enough).

Regarding oldstable: yes, the problem is there, but applying the patches 
needed (even if just [1], which is the core of the "refactoring") 
basically breaks the ABI (DCTStream changes size, so may cause troubles 
to applications linking directly to the private libpoppler), and this is 
basically a no-go for oldstable.

[1] fc071d800cb4329a3ccf898d7bf16b4db7323ad8
[2] 301352e5585d4ab6e7b609b4ab79b4d8b8656092
[3] 7bcf4e1f050c16e7a72ca633589602b252ab46cc
[4] 42c1b1c4af6b07f488d1b2b02a4700f19b0ab0ef
[5] 70e6af4739d2eea58e6f3200a8c9467597a12ae5

> This induces several vulnerabilities in jpeg handling, and at least
> one of these can be exploited to run arbitrary code (for example in
> evince, when it's not compiled as PIE, as in debian 6)

Do you have any pointers to CVEs related to this issue, or possible 
exploits because of this mishandling?

Thanks,
-- 
Pino Toscano

Set Bug forwarded-to-address to 'https://bugs.freedesktop.org/show_bug.cgi?id=26280'. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Mon, 16 Sep 2013 17:15:16 GMT)


Marked as fixed in versions poppler/0.16.3-1. Request was from Pino Toscano <pino@debian.org> to control@bugs.debian.org. (Mon, 16 Sep 2013 17:15:16 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#722705; Package libpoppler5. (Mon, 16 Sep 2013 21:27:09 GMT)


Acknowledgement sent to etienne <etiennehelluy@gmail.com>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Mon, 16 Sep 2013 21:27:09 GMT)


Message #19 received at 722705@bugs.debian.org:

From: etienne <etiennehelluy@gmail.com>
To: 722705@bugs.debian.org
Subject: Re: Bug#722705: libpoppler5: Incorrect error handling in libjpeg implementation
Date: Mon, 16 Sep 2013 23:27:26 +0200
On 16/09/2013 19:12, Pino Toscano wrote:
> forwarded 722705 https://bugs.freedesktop.org/show_bug.cgi?id=26280
> fixed 722705 poppler/0.16.3-1
> thanks
>
> Hi,
>
> On Friday 13 September 2013 16:23:11, you wrote:
>   
>> Package: libpoppler5
>> Version: 0.12.4-1.2+squeeze3
>> Severity: important
>>
>> In DCTStream.cc::init(), when initializing a jpeg stream, a custom
>> error_exit handler is set.
>> According to libjpeg's documentation, this handler should not return
>> to the caller.
>> (cf. http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tkimg/tkimg/libjpeg/libjpeg.doc ; "Error Handling")
>> The custom handler (exitErrorHandler) does return to the caller.
>>     
> This is true, and it has been fixed upstream with the rework of the 
> error handling with:
> - fc071d8 [1] (poppler 0.13.3+) -- that is the main change
> - 301352e [2] (0.17.0+, backported to 0.16.1 as 7bcf4e1 [3])
> - 42c1b1c [4] (0.17.2+)
> - 70e6af4 [5] (0.23.0+)
>
> Most of those are part of 0.18.4 as shipped in stable, which seems safe 
> ([5] does not seem critical enough).
>
> Regarding oldstable: yes, the problem is there, but applying the patches 
> needed (even if just [1], which is the core of the "refactoring") 
> basically breaks the ABI (DCTStream changes size, so may cause troubles 
> to applications linking directly to the private libpoppler), and this is 
> basically a no-go for oldstable.
>
> [1] fc071d800cb4329a3ccf898d7bf16b4db7323ad8
> [2] 301352e5585d4ab6e7b609b4ab79b4d8b8656092
> [3] 7bcf4e1f050c16e7a72ca633589602b252ab46cc
> [4] 42c1b1c4af6b07f488d1b2b02a4700f19b0ab0ef
> [5] 70e6af4739d2eea58e6f3200a8c9467597a12ae5
>
>   
>> This induces several vulnerabilities in jpeg handling, and at least
>> one of these can be exploited to run arbitrary code (for example in
>> evince, when it's not compiled as PIE, as in debian 6)
>>     
> Do you have any pointers to CVEs related to this issue, or possible 
> exploits because of this mishandling?
>
> Thanks,
>   
Hi,
It seems that there has been no CVE about this patch. Though the bug is
exploitable in oldstable. The patch should be applied.

Thanks,

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Sep 2013 05:24:04 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 23 Sep 2013 17:48:15 GMT)


Changed Bug title to 'poppler: CVE-2010-5110: Incorrect error handling in libjpeg implementation' from 'libpoppler5: Incorrect error handling in libjpeg implementation'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 16 Oct 2013 06:03:04 GMT)


Marked as found in versions poppler/0.12.4-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Thu, 12 Dec 2013 03:09:11 GMT)


No longer marked as found in versions poppler/0.12.4-1.2+squeeze3. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Thu, 12 Dec 2013 03:09:11 GMT)


Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Thu, 31 Jul 2014 11:06:06 GMT)


Notification sent to etienne helluy <etiennehelluy@gmail.com>:
Bug acknowledged by developer. (Thu, 31 Jul 2014 11:06:06 GMT)


Message #34 received at 722705-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 722705-close@bugs.debian.org
Subject: Bug#722705: fixed in poppler 0.12.4-1.2+squeeze4
Date: Thu, 31 Jul 2014 11:04:11 +0000
Source: poppler
Source-Version: 0.12.4-1.2+squeeze4

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722705@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 30 Jul 2014 16:51:36 +0200
Source: poppler
Binary: libpoppler5 libpoppler-dev libpoppler-glib4 libpoppler-glib-dev libpoppler-qt2 libpoppler-qt-dev libpoppler-qt4-3 libpoppler-qt4-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.12.4-1.2+squeeze4
Distribution: squeeze-lts
Urgency: low
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib4 - PDF rendering library (GLib-based shared library)
 libpoppler-qt-dev - PDF rendering library -- development files (Qt 3 interface)
 libpoppler-qt2 - PDF rendering library (Qt 3 based shared library)
 libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler5 - PDF rendering library
 poppler-dbg - PDF rendering library - detached debugging symbols
 poppler-utils - PDF utilities (based on libpoppler)
Closes: 722705
Changes: 
 poppler (0.12.4-1.2+squeeze4) squeeze-lts; urgency=low
 .
   * Abort after processing libjpeg errors rather than returning the
     execution to it. (Closes: #722705)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Aug 2014 07:25:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:03:10 2019; Machine Name: beach
