Bugzilla – Bug 1215422
VUL-0: CVE-2020-23804: poppler: uncontrolled recursion in pdfinfo and pdftops
Last modified: 2024-02-22 14:55:35 UTC
CVE-2020-23804 Uncontrolled Recursion in pdfinfo, and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-23804 https://bugzilla.redhat.com/show_bug.cgi?id=2234526 https://www.cve.org/CVERecord?id=CVE-2020-23804 https://gitlab.freedesktop.org/poppler/poppler/-/issues/936
BEFORE TW,15sp4/poppler $ valgrind -q pdfinfo xref.pdf Syntax Error: File has more than 4096 XRefStm, aborting Syntax Error: Couldn't find trailer dictionary Syntax Error: File has more than 4096 XRefStm, aborting Syntax Error: Couldn't find trailer dictionary Syntax Error: Couldn't read xref table $ [already fixed] 15sp2,15,12sp2,12/poppler :/215422 # pdfinfo xref.pdf Segmentation fault (core dumped) :/215422 # PATCH https://gitlab.freedesktop.org/poppler/poppler/-/commit/ec8a43c8df29fdd6f1228276160898ccd9401c92 AFTER 15sp2,15,12sp2,12/poppler :/215422 # pdfinfo xref.pdf Syntax Error: File has more than 4096 XRefStm, aborting Syntax Error: Couldn't find trailer dictionary Syntax Error: File has more than 4096 XRefStm, aborting Syntax Error: Couldn't find trailer dictionary Syntax Error: Couldn't read xref table :/215422 #
Submitted for 15sp2,15,12sp2,12/poppler. I believe all fixed.
15sp5/poppler: alrady in upstream tarball, fixed
SUSE-SU-2023:3983-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1214257, 1214618, 1214621, 1214622, 1215422 CVE References: CVE-2020-23804, CVE-2020-36024, CVE-2022-37050, CVE-2022-37051, CVE-2022-38349 Sources used: openSUSE Leap 15.4 (src): poppler-0.62.0-150000.4.25.2 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): poppler-0.62.0-150000.4.25.2 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): poppler-0.62.0-150000.4.25.2 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): poppler-0.62.0-150000.4.25.2 SUSE CaaS Platform 4.0 (src): poppler-0.62.0-150000.4.25.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3982-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1214257, 1214618, 1214621, 1214622, 1215422 CVE References: CVE-2020-23804, CVE-2020-36024, CVE-2022-37050, CVE-2022-37051, CVE-2022-38349 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.35.2, poppler-0.43.0-16.35.2 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.35.2, poppler-0.43.0-16.35.2 SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.35.2, poppler-0.43.0-16.35.2 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.35.2, poppler-0.43.0-16.35.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3981-1: An update that solves four vulnerabilities can now be installed. Category: security (important) Bug References: 1214257, 1214618, 1214622, 1215422 CVE References: CVE-2020-23804, CVE-2020-36024, CVE-2022-37050, CVE-2022-38349 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.36.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3998-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1214257, 1214618, 1214621, 1214622, 1215422 CVE References: CVE-2020-23804, CVE-2020-36024, CVE-2022-37050, CVE-2022-37051, CVE-2022-38349 Sources used: SUSE Manager Server 4.2 (src): poppler-0.79.0-150200.3.21.2 SUSE Enterprise Storage 7.1 (src): poppler-0.79.0-150200.3.21.2 openSUSE Leap 15.4 (src): poppler-0.79.0-150200.3.21.2 Basesystem Module 15-SP4 (src): poppler-0.79.0-150200.3.21.2 Basesystem Module 15-SP5 (src): poppler-0.79.0-150200.3.21.2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): poppler-0.79.0-150200.3.21.2 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): poppler-0.79.0-150200.3.21.2 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): poppler-0.79.0-150200.3.21.2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): poppler-0.79.0-150200.3.21.2 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): poppler-0.79.0-150200.3.21.2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): poppler-0.79.0-150200.3.21.2 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): poppler-0.79.0-150200.3.21.2 SUSE Manager Proxy 4.2 (src): poppler-0.79.0-150200.3.21.2 SUSE Manager Retail Branch Server 4.2 (src): poppler-0.79.0-150200.3.21.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.