Bug 1214256 (CVE-2020-36023)

Summary: VUL-0: CVE-2020-36023: poppler: Stack-Overflow in `FoFiType1C:cvtGlyph`
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: pgajdos, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/375159/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-36023:6.5:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2023-08-14 12:52:33 UTC 
CVE-2020-36023

An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function.

References:

https://gitlab.freedesktop.org/poppler/poppler/-/issues/1013

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36023
https://bugzilla.redhat.com/show_bug.cgi?id=2231510
https://www.cve.org/CVERecord?id=CVE-2020-36023
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1013
Comment 1 Petr Gajdos 2023-10-10 09:42:33 UTC 
BEFORE

15sp4,12/poppler

:/214256 # pdftops poc /dev/null
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry 11
Internal Error: xref num 11 not found but needed, try to reconstruct<0a>
Syntax Error: Invalid XRef entry 11
Syntax Error: Unknown character collection 'Atex-Identity'
Syntax Error: Unknown character collection 'Atex-Identity'
Syntax Error: Unknown character collection 'Atex-Identity'
:/214256 #
[cannot reproduce, 12 have the same error output as 15sp4, no segfault]

15sp2,15,12sp2/poppler

:/214256 # pdftops poc /dev/null
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry 11
Internal Error: xref num 11 not found but needed, try to reconstruct<0a>
Syntax Error: Invalid XRef entry 11
Syntax Error: Unknown character collection 'Atex-Identity'
Segmentation fault (core dumped)
:/214256 #


PATCH

https://gitlab.freedesktop.org/poppler/poppler/-/commit/238dc045beeeb1eb619f3fb6cb699ba36813222d

12/poppler needs the patch, considering affected


AFTER

15sp2,15,12sp2,12/poppler

:/214256 # pdftops poc /dev/null
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry 11
Internal Error: xref num 11 not found but needed, try to reconstruct<0a>
Syntax Error: Invalid XRef entry 11
Syntax Error: Unknown character collection 'Atex-Identity'
Syntax Error: Unknown character collection 'Atex-Identity'
Syntax Error: Unknown character collection 'Atex-Identity'
:/214256 #
[fixed]
Comment 2 Petr Gajdos 2023-10-10 10:35:50 UTC 
Will submit for 15sp2,15,12sp2,12/poppler.
Comment 3 Petr Gajdos 2023-10-10 10:58:16 UTC 
The recursion is in FoFiType1C::cvtGlyph:

#0  FoFiType1C::getOp (this=this@entry=0x5555555d5790, pos=5000, pos@entry=4999, charstring=charstring@entry=true, 
    ok=ok@entry=0x7fffff7ff10f) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:2572
#1  0x00007ffff78eb2bb in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
    at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1221
#2  0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
    at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598
#3  0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
    at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598
#4  0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
    at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598
#5  0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
    at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598
#6  0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
    at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598
#7  0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
    at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598
#8  0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
    at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598
#9  0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, 
    charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
Comment 4 Petr Gajdos 2023-10-17 12:11:10 UTC 
Packages submitted.

I believe all fixed.
Comment 6 Maintenance Automation 2023-10-24 16:30:08 UTC 
SUSE-SU-2023:4187-1: An update that solves four vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1112424, 1112428, 1140745, 1214256
CVE References: CVE-2018-18454, CVE-2018-18456, CVE-2019-13287, CVE-2020-36023
Sources used:
openSUSE Leap 15.4 (src): poppler-0.62.0-150000.4.28.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-11-03 16:30:06 UTC 
SUSE-SU-2023:4362-1: An update that solves nine vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1112424, 1112428, 1128114, 1129202, 1140745, 1143570, 1214256, 1214723, 1214726
CVE References: CVE-2018-18454, CVE-2018-18456, CVE-2019-13287, CVE-2019-14292, CVE-2019-9545, CVE-2019-9631, CVE-2020-36023, CVE-2022-37052, CVE-2022-48545
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-11-24 12:30:21 UTC 
SUSE-SU-2023:4546-1: An update that solves six vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1128114, 1129202, 1143570, 1214256, 1214723, 1214726
CVE References: CVE-2019-14292, CVE-2019-9545, CVE-2019-9631, CVE-2020-36023, CVE-2022-37052, CVE-2022-48545
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2023-11-24 20:30:16 UTC 
SUSE-SU-2023:4562-1: An update that solves three vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1128114, 1214256, 1214726
CVE References: CVE-2019-9545, CVE-2020-36023, CVE-2022-37052
Sources used:
Basesystem Module 15-SP5 (src): poppler-0.79.0-150200.3.26.1
SUSE Manager Proxy 4.2 (src): poppler-0.79.0-150200.3.26.1
SUSE Manager Retail Branch Server 4.2 (src): poppler-0.79.0-150200.3.26.1
SUSE Manager Server 4.2 (src): poppler-0.79.0-150200.3.26.1
openSUSE Leap 15.4 (src): poppler-0.79.0-150200.3.26.1
Basesystem Module 15-SP4 (src): poppler-0.79.0-150200.3.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.