
Re: poppler / CVE-2019-9959



Brian May <bam@debian.org> writes:

> It appears if I can work out how to define SPLASH_CMYK for the build,
> then I can fix CVE-2019-10871 too. So I will investigate this
> possibility.

Updated patch.

diff -Nru poppler-0.26.5/debian/changelog poppler-0.26.5/debian/changelog
--- poppler-0.26.5/debian/changelog	2019-09-27 03:13:02.000000000 +1000
+++ poppler-0.26.5/debian/changelog	2019-10-14 17:24:52.000000000 +1100
@@ -1,3 +1,17 @@
+poppler (0.26.5-2+deb8u12) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-9959
+    JPXStream::init function doesn't check for negative values of
+    stream length, leading to an Integer Overflow, leading to large
+    memory request causing DOS.
+  * CVE-2019-10871
+    Fix heap-based buffer over-read in the function
+    PSOutputDev::checkPageSlice at PSOutputDev.cc by defining
+    SPLASH_CMYK in builds.
+
+ -- Brian May <bam@debian.org>  Mon, 14 Oct 2019 17:24:52 +1100
+
 poppler (0.26.5-2+deb8u11) jessie-security; urgency=medium
 
   * Non-maintainer upload by the LTS Team. 
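Review bot: the CVE-2019-10871 entry says the over-read is fixed "by defining SPLASH_CMYK in builds", but the only place that happens in this diff is the pair of DEB_CFLAGS_APPEND/DEB_CXXFLAGS_APPEND exports in debian/rules, and no CVE-2019-10871 patch is added to debian/patches/series; naming the mechanism in the changelog (for instance "Build with -DSPLASH_CMYK via debian/rules") would let someone auditing the upload find the change without reading the whole diff. Minor: "DOS" in the CVE-2019-9959 entry is conventionally written "DoS".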
diff -Nru poppler-0.26.5/debian/patches/CVE-2019-9959.patch poppler-0.26.5/debian/patches/CVE-2019-9959.patch
--- poppler-0.26.5/debian/patches/CVE-2019-9959.patch	1970-01-01 10:00:00.000000000 +1000
+++ poppler-0.26.5/debian/patches/CVE-2019-9959.patch	2019-10-14 17:19:03.000000000 +1100
@@ -0,0 +1,21 @@
+From 68ef84e5968a4249c2162b839ca6d7975048a557 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 15 Jul 2019 23:24:22 +0200
+Subject: [PATCH] JPXStream::init: ignore dict Length if clearly broken
+
+Fixes issue #805
+---
+ poppler/JPEG2000Stream.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -72,7 +72,7 @@
+   if (getDict()) getDict()->lookup("Length", &oLen);
+ 
+   int bufSize = BUFFER_INITIAL_SIZE;
+-  if (oLen.isInt()) bufSize = oLen.getInt();
++  if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
+   oLen.free();
+ 
+   
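Review bot: the patch file carries the upstream git headers (From/Date/Subject) but no DEP-3 "Origin:" or "Bug:" pseudo-headers, and the body only says "Fixes issue #805" with no URL, so a later maintainer has nothing to follow back to the upstream issue; adding an Origin line with the upstream commit URL and a Bug line for the issue would make the provenance self-describing. On the logic, the new condition "if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();" falls back to BUFFER_INITIAL_SIZE for zero and negative Length values, which matches the changelog's description of the bug; a very large positive Length is still accepted unchanged, so it is worth confirming that the allocation JPXStream::init performs with bufSize on the jessie code base tolerates that case.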
diff -Nru poppler-0.26.5/debian/patches/series poppler-0.26.5/debian/patches/series
--- poppler-0.26.5/debian/patches/series	2019-09-27 03:13:02.000000000 +1000
+++ poppler-0.26.5/debian/patches/series	2019-10-14 17:17:34.000000000 +1100
@@ -40,3 +40,4 @@
 CVE-2018-21009.patch
 CVE-2019-12493.patch
 CVE-2018-20650.patch
+CVE-2019-9959.patch
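Review bot: only CVE-2019-9959.patch is appended here, which is consistent with the changelog's claim that CVE-2019-10871 is handled purely by the SPLASH_CMYK define in debian/rules; since the changelog names PSOutputDev::checkPageSlice as the affected function, it would be good to state in the upload notes that no source change to PSOutputDev.cc is needed once SPLASH_CMYK is defined, so the absence of a second patch in this series file is clearly deliberate rather than an oversight.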
diff -Nru poppler-0.26.5/debian/rules poppler-0.26.5/debian/rules
--- poppler-0.26.5/debian/rules	2019-03-09 05:09:06.000000000 +1100
+++ poppler-0.26.5/debian/rules	2019-10-14 17:24:52.000000000 +1100
@@ -19,6 +19,9 @@
 # enable all the hardening options
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all
 
+export DEB_CFLAGS_APPEND = -DSPLASH_CMYK
+export DEB_CXXFLAGS_APPEND = -DSPLASH_CMYK
+
 # DEB_* variables
 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
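Review bot: "export DEB_CFLAGS_APPEND = -DSPLASH_CMYK" and the matching DEB_CXXFLAGS_APPEND only reach the compiler if the build consumes dpkg-buildflags output (dh_auto_configure does; a hand-written configure invocation that sets its own CFLAGS would not), so please check the build log to confirm that -DSPLASH_CMYK is present on the compile lines for the Splash and PSOutputDev objects. More importantly, SPLASH_CMYK is a feature switch for the Splash backend rather than a pure bug-fix flag, so for a stable security update it is worth verifying that enabling it does not change exported symbols or rendering behaviour for existing reverse dependencies, and, if upstream's configure script exposes the same option, preferring that over a raw -D append so the change is visible in the configured feature set.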

-- 
Brian May <bam@debian.org>

