Bugzilla – Bug 1214256
VUL-0: CVE-2020-36023: poppler: Stack-Overflow in `FoFiType1C:cvtGlyph`
Last modified: 2023-11-24 20:30:16 UTC
CVE-2020-36023 An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function. References: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1013 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36023 https://bugzilla.redhat.com/show_bug.cgi?id=2231510 https://www.cve.org/CVERecord?id=CVE-2020-36023 https://gitlab.freedesktop.org/poppler/poppler/-/issues/1013
BEFORE 15sp4,12/poppler :/214256 # pdftops poc /dev/null Syntax Error: Couldn't find trailer dictionary Syntax Error: Invalid XRef entry 11 Internal Error: xref num 11 not found but needed, try to reconstruct<0a> Syntax Error: Invalid XRef entry 11 Syntax Error: Unknown character collection 'Atex-Identity' Syntax Error: Unknown character collection 'Atex-Identity' Syntax Error: Unknown character collection 'Atex-Identity' :/214256 # [cannot reproduce, 12 have the same error output as 15sp4, no segfault] 15sp2,15,12sp2/poppler :/214256 # pdftops poc /dev/null Syntax Error: Couldn't find trailer dictionary Syntax Error: Invalid XRef entry 11 Internal Error: xref num 11 not found but needed, try to reconstruct<0a> Syntax Error: Invalid XRef entry 11 Syntax Error: Unknown character collection 'Atex-Identity' Segmentation fault (core dumped) :/214256 # PATCH https://gitlab.freedesktop.org/poppler/poppler/-/commit/238dc045beeeb1eb619f3fb6cb699ba36813222d 12/poppler needs the patch, considering affected AFTER 15sp2,15,12sp2,12/poppler :/214256 # pdftops poc /dev/null Syntax Error: Couldn't find trailer dictionary Syntax Error: Invalid XRef entry 11 Internal Error: xref num 11 not found but needed, try to reconstruct<0a> Syntax Error: Invalid XRef entry 11 Syntax Error: Unknown character collection 'Atex-Identity' Syntax Error: Unknown character collection 'Atex-Identity' Syntax Error: Unknown character collection 'Atex-Identity' :/214256 # [fixed]
Will submit for 15sp2,15,12sp2,12/poppler.
The recursion is in FoFiType1C::cvtGlyph: #0 FoFiType1C::getOp (this=this@entry=0x5555555d5790, pos=5000, pos@entry=4999, charstring=charstring@entry=true, ok=ok@entry=0x7fffff7ff10f) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:2572 #1 0x00007ffff78eb2bb in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1221 #2 0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598 #3 0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598 #4 0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598 #5 0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598 #6 0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598 #7 0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598 #8 0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>) at /usr/src/debug/poppler-0.79.0-0.x86_64/fofi/FoFiType1C.cc:1598 #9 0x00007ffff78eb60c in FoFiType1C::cvtGlyph (this=this@entry=0x5555555d5790, offset=<optimized out>, nBytes=<optimized out>, charBuf=charBuf@entry=0x5555555d50a0, subrIdx=<optimized out>, pDict=<optimized out>, top=<optimized out>)
Packages submitted. I believe all fixed.
SUSE-SU-2023:4187-1: An update that solves four vulnerabilities can now be installed. Category: security (moderate) Bug References: 1112424, 1112428, 1140745, 1214256 CVE References: CVE-2018-18454, CVE-2018-18456, CVE-2019-13287, CVE-2020-36023 Sources used: openSUSE Leap 15.4 (src): poppler-0.62.0-150000.4.28.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4362-1: An update that solves nine vulnerabilities can now be installed. Category: security (moderate) Bug References: 1112424, 1112428, 1128114, 1129202, 1140745, 1143570, 1214256, 1214723, 1214726 CVE References: CVE-2018-18454, CVE-2018-18456, CVE-2019-13287, CVE-2019-14292, CVE-2019-9545, CVE-2019-9631, CVE-2020-36023, CVE-2022-37052, CVE-2022-48545 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1 SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4546-1: An update that solves six vulnerabilities can now be installed. Category: security (moderate) Bug References: 1128114, 1129202, 1143570, 1214256, 1214723, 1214726 CVE References: CVE-2019-14292, CVE-2019-9545, CVE-2019-9631, CVE-2020-36023, CVE-2022-37052, CVE-2022-48545 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.41.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4562-1: An update that solves three vulnerabilities can now be installed. Category: security (moderate) Bug References: 1128114, 1214256, 1214726 CVE References: CVE-2019-9545, CVE-2020-36023, CVE-2022-37052 Sources used: Basesystem Module 15-SP5 (src): poppler-0.79.0-150200.3.26.1 SUSE Manager Proxy 4.2 (src): poppler-0.79.0-150200.3.26.1 SUSE Manager Retail Branch Server 4.2 (src): poppler-0.79.0-150200.3.26.1 SUSE Manager Server 4.2 (src): poppler-0.79.0-150200.3.26.1 openSUSE Leap 15.4 (src): poppler-0.79.0-150200.3.26.1 Basesystem Module 15-SP4 (src): poppler-0.79.0-150200.3.26.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.