Bug 1226916 (CVE-2024-6239)

Summary:	VUL-0: CVE-2024-6239: poppler,poppler-qt: crash when using pdfinfo with -dests parameter on malformed input files
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	NEW ---	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	camila.matos
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/411703/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-6239:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-06-24 16:58:58 UTC

A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-6239
https://bugzilla.redhat.com/show_bug.cgi?id=2293594
https://www.cve.org/CVERecord?id=CVE-2024-6239
https://access.redhat.com/security/cve/CVE-2024-6239

Comment 1 Camila Camargo de Matos 2024-06-24 17:01:16 UTC

The -dests parameter, which allows the triggering of the vulnerability, was introduced in poppler with the changes from commit a8d670b5 [0]. This means only versions 0.58 and later of poppler seem to be affected by this issue.

[0] https://gitlab.freedesktop.org/poppler/poppler/-/commit/a8d670b59b0301040e716f3a11a78fce1177337d

Comment 3 Petr Gajdos 2024-06-25 07:31:18 UTC

Upstream issue:
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1489

Fixing commit:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/0554731052d1a97745cb179ab0d45620589dd9c4

Comment 4 Petr Gajdos 2024-06-25 09:16:58 UTC

Managed to reproduce with 24.06.1 and verified it is fixed with commit referenced below.

BEFORE

$ pdfinfo -dests poc.pdf
Syntax Warning: May not be a PDF file (continuing anyway)
Syntax Error (29): Dictionary key must be a name object
[..]
   1 [ XYZ    0  375 null      ] "Page.2"
Syntax Error (98): Dictionary key must be a name object
Syntax Error (102): Dictionary key must be a name object
Syntax Error (105): Dictionary key must be a name object
Syntax Error (109): Dictionary key must be a name object
Segmentation fault (core dumped)
$

PATCH

https://gitlab.freedesktop.org/poppler/poppler/-/commit/0554731052d1a97745cb179ab0d45620589dd9c4

AFTER

$ pdfinfo -dests poc.pdf
Syntax Warning: May not be a PDF file (continuing anyway)
Syntax Error (29): Dictionary key must be a name object
[..]
   2 [ XYZ    0  375 null      ] "Page.2"
$

Comment 5 Petr Gajdos 2024-06-25 09:22:34 UTC

Devel project submit request:
https://build.opensuse.org/request/show/1183129

Comment 6 Petr Gajdos 2024-06-26 11:50:48 UTC

Submitted for alp,15sp6,15sp5,15sp4,15sp2.

slfo remains as I am waiting for devel project acceptance as I would like to use this opportunity to version update poppler there.

Comment 9 Petr Gajdos 2024-07-04 07:46:14 UTC

(In reply to Petr Gajdos from comment #6)
> slfo remains as I am waiting for devel project acceptance as I would like to
> use this opportunity to version update poppler there.

New poppler breaks some packages, therefore submitting just the patch: 
https://build.suse.de/request/show/337272

Comment 10 Petr Gajdos 2024-07-04 07:46:53 UTC

I believe all submitted.

Comment 11 Maintenance Automation 2024-07-08 16:30:12 UTC

SUSE-SU-2024:2334-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1226916
CVE References: CVE-2024-6239
Maintenance Incident: [SUSE:Maintenance:34490](https://smelt.suse.de/incident/34490/)
Sources used:
Basesystem Module 15-SP5 (src):
 poppler-0.79.0-150200.3.32.1
Basesystem Module 15-SP6 (src):
 poppler-0.79.0-150200.3.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Maintenance Automation 2024-07-08 16:30:14 UTC

SUSE-SU-2024:2333-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1226916
CVE References: CVE-2024-6239
Maintenance Incident: [SUSE:Maintenance:34489](https://smelt.suse.de/incident/34489/)
Sources used:
openSUSE Leap 15.4 (src):
 poppler-qt5-22.01.0-150400.3.22.1, poppler-qt6-22.01.0-150400.3.22.1, poppler-22.01.0-150400.3.22.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src):
 poppler-22.01.0-150400.3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Maintenance Automation 2024-07-08 16:30:16 UTC

SUSE-SU-2024:2332-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1226916
CVE References: CVE-2024-6239
Maintenance Incident: [SUSE:Maintenance:34488](https://smelt.suse.de/incident/34488/)
Sources used:
Basesystem Module 15-SP5 (src):
 poppler-23.01.0-150500.3.11.1
SUSE Package Hub 15 15-SP5 (src):
 poppler-23.01.0-150500.3.11.1, poppler-qt5-23.01.0-150500.3.11.1
openSUSE Leap 15.5 (src):
 poppler-23.01.0-150500.3.11.1, poppler-qt6-23.01.0-150500.3.11.1, poppler-qt5-23.01.0-150500.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.