Bug 1213888 (CVE-2023-34872)

Summary: VUL-0: CVE-2023-34872: poppler: remote denial-of-service in OutlineItem::open in Outline.cc
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: cathy.hu, peter.simons, pgajdos, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/373836/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-34872:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2023-08-02 06:52:52 UTC 
CVE-2023-34872

A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a remote
attacker to cause a Denial of Service (DoS) (crash) via a crafted PDF file in
OutlineItem::open.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34872
https://bugzilla.redhat.com/show_bug.cgi?id=2227884
https://www.cve.org/CVERecord?id=CVE-2023-34872
https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399
Comment 3 Petr Gajdos 2023-10-10 10:34:22 UTC 
BEFORE

TW/poppler

:/213888 # pdftohtml crash /dev/null
Page-1
Page-2
Page-3
Syntax Error (6095): Illegal character ')'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Page-4
Syntax Error (5638): Unknown operator '<12>.08'
Syntax Error (5641): Too few (0) args to 'Tm' operator
Page-5
Internal Error: xref num 23 not found but needed, try to reconstruct<0a>
Syntax Error: Kid object (page 6) is wrong type (null)
Page-6
Page-7
Page-8
Page-9
Page-10
Page-11
Page-12
Page-13
:/213888 #
[could not reproduce]


15sp5,15sp4,15sp2/poppler:

:/213888 # pdftohtml crash /dev/null
Page-1
Page-2
Page-3
Syntax Error (6095): Illegal character ')'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Page-4
Syntax Error (5638): Unknown operator '<12>.08'
Syntax Error (5641): Too few (0) args to 'Tm' operator
Page-5
Internal Error: xref num 23 not found but needed, try to reconstruct<0a>
Syntax Error: Kid object (page 6) is wrong type (null)
Page-6
Page-7
Page-8
Page-9
Page-10
Page-11
Page-12
Page-13
Internal Error (0): Call to Object where the object was type 10, not the expected type 7
Aborted (core dumped)
:/213888 #

15sp2,15,12sp2,12/poppler:

:/213888 # pdftohtml crash /dev/null
Page-1
Page-2
Page-3
Syntax Error (6095): Illegal character ')'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Page-4
Syntax Error (5638): Unknown operator '<12>.08'
Syntax Error (5641): Too few (0) args to 'Tm' operator
Page-5
Internal Error: xref num 23 not found but needed, try to reconstruct<0a>
Syntax Error: Kid object (page 6) is wrong type (null)
Page-6
Page-7
Page-8
Page-9
Page-10
Page-11
Page-12
Page-13
:/213888 # 
[not reproducible]


PATCH

https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe

15sp2-/poppler the code is different, I would consider it not affected by this CVE


AFTER

15sp5,15sp4/poppler

:/213888 # pdftohtml crash /dev/null
Page-1
Page-2
Page-3
Syntax Error (6095): Illegal character ')'
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Page-4
Syntax Error (5638): Unknown operator '<12>.08'
Syntax Error (5641): Too few (0) args to 'Tm' operator
Page-5
Internal Error: xref num 23 not found but needed, try to reconstruct<0a>
Syntax Error: Kid object (page 6) is wrong type (null)
Page-6
Page-7
Page-8
Page-9
Page-10
Page-11
Page-12
Page-13
:/213888 #
Comment 4 Petr Gajdos 2023-10-10 10:34:46 UTC 
Will submit for 15sp5,15sp4/poppler.
Comment 5 Petr Gajdos 2023-10-17 12:10:57 UTC 
Packages submitted.

I believe all fixed.
Comment 8 Maintenance Automation 2023-10-31 12:30:40 UTC 
SUSE-SU-2023:4291-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1213888
CVE References: CVE-2023-34872
Sources used:
SUSE Package Hub 15 15-SP5 (src): poppler-qt5-23.01.0-150500.3.5.1, poppler-23.01.0-150500.3.5.2
openSUSE Leap 15.5 (src): poppler-qt6-23.01.0-150500.3.5.1, poppler-qt5-23.01.0-150500.3.5.1, poppler-23.01.0-150500.3.5.2
Basesystem Module 15-SP5 (src): poppler-23.01.0-150500.3.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Maintenance Automation 2023-11-03 16:30:03 UTC 
SUSE-SU-2023:4363-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1213888, 1214726
CVE References: CVE-2022-37052, CVE-2023-34872
Sources used:
openSUSE Leap 15.4 (src): poppler-qt5-22.01.0-150400.3.16.1, poppler-22.01.0-150400.3.16.1, poppler-qt6-22.01.0-150400.3.16.1
Basesystem Module 15-SP4 (src): poppler-22.01.0-150400.3.16.1
SUSE Package Hub 15 15-SP4 (src): poppler-qt5-22.01.0-150400.3.16.1, poppler-22.01.0-150400.3.16.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): poppler-22.01.0-150400.3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.