Bug 1143950 (CVE-2019-14494)

Summary: VUL-0: CVE-2019-14494: poppler: divide-by-zero error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc.
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Incidents
Assignee: Peter Simons <peter.simons>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: david.anes, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/238723/
Whiteboard: CVSSv3:SUSE:CVE-2019-14494:5.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: POC

Description Alexandros Toptsoglou 2019-08-02 08:37:08 UTC
CVE-2019-14494

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero
error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14494
http://www.cvedetails.com/cve/CVE-2019-14494/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317
https://gitlab.freedesktop.org/poppler/poppler/issues/802
Comment 1 Alexandros Toptsoglou 2019-08-02 08:41:30 UTC
Successfully reproduced the issue with the attached POC in SLE15, SLE12-SP2 and SLE12. In the older codestreams the POC did not work, and the code review suggests that the specific function does not exist.

To run the reproducer simply run: 

valgrind pdftoppm -cropbox -gray $POC

OUTPUT

==18836== 
==18836== Process terminating with default action of signal 8 (SIGFPE): dumping core
==18836==  Integer divide by zero at address 0x10033465FB
==18836==    at 0x4FFC0E2: SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, Object*, double*, int, int, Dict*, double*, double*, int, int, int, int, double, double) (SplashOutputDev.cc:4627)
==18836==    by 0x4F67813: Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) (Gfx.cc:2214)
==18836==    by 0x4F67B87: Gfx::opStroke(Object*, int) (Gfx.cc:1778)
==18836==    by 0x4F623DE: Gfx::go(bool) (Gfx.cc:737)
==18836==    by 0x4F6282A: Gfx::display(Object*, bool) (Gfx.cc:699)
==18836==    by 0x4F62C41: Gfx::drawForm(Object*, Dict*, double*, double*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) (Gfx.cc:4837)
==18836==    by 0x4F654D3: Gfx::doForm(Object*) (Gfx.cc:4760)
==18836==    by 0x4F6A07F: Gfx::opXObject(Object*, int) (Gfx.cc:4178)
==18836==    by 0x4F623DE: Gfx::go(bool) (Gfx.cc:737)
==18836==    by 0x4F6282A: Gfx::display(Object*, bool) (Gfx.cc:699)
==18836==    by 0x4FAE390: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:560)
==18836==    by 0x10AE27: savePageSlice (pdftoppm.cc:276)
==18836==    by 0x10AE27: main (pdftoppm.cc:600)
==18836== 
==18836== HEAP SUMMARY:
==18836==     in use at exit: 5,074,754 bytes in 8,107 blocks
==18836==   total heap usage: 129,832 allocs, 121,725 frees, 35,995,149 bytes allocated
Comment 2 Alexandros Toptsoglou 2019-08-02 08:42:06 UTC
Created attachment 812564
POC
Comment 4 Swamp Workflow Management 2021-12-01 20:30:24 UTC
SUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Enterprise Storage 6 (src):    poppler-0.62.0-4.6.1
SUSE CaaS Platform 4.0 (src):    poppler-0.62.0-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-01 21:14:20 UTC
openSUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    poppler-0.62.0-4.6.1
Comment 7 Swamp Workflow Management 2022-05-18 19:19:32 UTC
SUSE-SU-2022:1723-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124150,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    poppler-0.43.0-16.19.3, poppler-qt-0.43.0-16.19.3
SUSE Linux Enterprise Server 12-SP5 (src):    poppler-0.43.0-16.19.3, poppler-qt-0.43.0-16.19.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-05-18 19:22:49 UTC
SUSE-SU-2022:1724-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124150,1129202,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9631,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    poppler-0.24.4-14.20.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.