Bugzilla – Bug 1128100
VUL-1: CVE-2019-9543: poppler: denial of service via recursive function call in JBIG2Stream:readGenericBitmap() located in JBIG2Stream.cc
Last modified: 2024-02-28 12:44:57 UTC
CVE-2019-9543

An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9543
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9543.html
https://gitlab.freedesktop.org/poppler/poppler/issues/730
https://research.loginsoft.com/bugs/recursive-function-call-in-function-jbig2streamreadgenericbitmap-poppler-0-74-0/
Created attachment 799076
QA Reproducer

$ pdfseparate -f 1 -l 2 URL7_POC res.pdf
[..]
Syntax Error (2348): Missing 'endstream' or incorrect stream length
[command hangs]
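Added example (not part of the bug report and not poppler or SUSE code): a small POSIX sh helper for re-running a reproducer like the one above under a wall-clock and memory limit, so a QA run reports a hang, a crash or a clean exit instead of blocking. It assumes GNU coreutils `timeout`; the function name `classify_run` and the limit values are chosen here for illustration.

```shell
#!/bin/sh
# classify_run SECONDS CMD [ARGS...]
# Runs CMD with a time limit and an address-space cap and prints one of:
#   ok           exit status 0
#   error:<n>    ordinary non-zero exit (e.g. a reported syntax error)
#   hang         still running at the limit and had to be stopped
#   crash:<sig>  terminated by signal <sig> (11 = SIGSEGV)
classify_run() {
    limit=$1
    shift
    rc=0
    (
        # Illustrative caps: 2 GiB of address space, no core files.
        ulimit -v 2097152 2>/dev/null
        ulimit -c 0 2>/dev/null
        # TERM at the limit, KILL two seconds later if TERM is ignored.
        exec timeout -k 2 "$limit" "$@" >/dev/null 2>&1
    ) 2>/dev/null || rc=$?

    case $rc in
        0)
            echo ok ;;
        124|137)
            # 124: timed out. 137: KILL was needed after the timeout
            # (an external SIGKILL, e.g. the OOM killer, looks the same).
            echo hang ;;
        *)
            if [ "$rc" -gt 128 ]; then
                echo "crash:$((rc - 128))"
            else
                echo "error:$rc"
            fi ;;
    esac
}

# Stand-alone use, for example:
#   sh classify.sh 30 pdfseparate -f 1 -l 2 URL7_POC res.pdf
if [ "$#" -ge 2 ]; then
    classify_run "$@"
fi
```
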
Judging by the reproducer these codestreams are affected:
- SUSE:SLE-12:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15:Update
Upstream have not fixed the issue so far:

"Albert Astals Cid @aacid · 3 years ago Owner
Well the JBIG2Stream code is not really easy to understand (i don't think i actually do), but on the other hand it's quite self contained so it should be possible for an "outside developer" to get a fix for this, "all" that is needed is find out the "this is wrong, bail out" condition instead of processing a veeeeeeeeeeeeery long loop"

The issue is still present in TW/poppler.
There's possibly another testcase in bsc#1214622 working on 12sp2/poppler.
Reassigning to current poppler maintainer.