Bug 1223375 (CVE-2024-4141) - VUL-0: CVE-2024-4141: poppler, xpdf: Out-of-bounds array write
Summary: VUL-0: CVE-2024-4141: poppler, xpdf: Out-of-bounds array write
Status: NEW
Alias: CVE-2024-4141
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Minor (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/403102/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-4141:2.9:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-25 07:59 UTC by SMASH SMASH
Modified: 2024-06-11 12:31 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-04-25 07:59:27 UTC
Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid character code in a Type 1 font. The root problem was a bounds check that was being optimized away by modern compilers.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4141
https://www.cve.org/CVERecord?id=CVE-2024-4141
https://www.xpdfreader.com/security-bug/CVE-2024-4141.html
https://bugzilla.redhat.com/show_bug.cgi?id=2277030
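The root cause described above, a signed range check that a compiler may legitimately delete once the arithmetic feeding it overflows, shown in a small constructed parser. This is an added illustration, not xpdf's or poppler's own code: the numeric code of a Type 1 encoding entry is accumulated in an unsigned int and validated with a single comparison before it indexes the 256-entry encoding table. The function names, the line format handling and the sample entries are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#define ENCODING_SIZE 256

/* Constructed example, not xpdf's code. Parse the numeric code of a Type 1
   "dup <code> /<glyph> put" entry: decimal, or octal with the "8#" prefix.
   The accumulator is unsigned, so wrap-around on a long digit string is
   defined; with a signed int the overflow is undefined and a compiler may
   then treat a later "code >= 0" test as always true and delete it. */
static unsigned int parse_code(const char *s, const char **end)
{
    unsigned int base = 10, code = 0;
    if (s[0] == '8' && s[1] == '#') { base = 8; s += 2; }
    for (; (unsigned int)(*s - '0') < base; ++s)
        code = code * base + (unsigned int)(*s - '0');
    *end = s;
    return code;
}

/* Store glyph at encoding[code] only when in range: one unsigned compare
   rejects wrapped ("negative") and too-large values alike. 1 = stored. */
static int set_encoding(const char *encoding[ENCODING_SIZE],
                        unsigned int code, const char *glyph)
{
    if (code >= ENCODING_SIZE)
        return 0;
    encoding[code] = glyph;
    return 1;
}

/* Apply one entry. Returns the code stored, or -1 if the line is malformed
   or out of range. The stored glyph pointer aliases `line` (caller-owned). */
static int apply_entry(const char *encoding[ENCODING_SIZE], char *line)
{
    const char *end;
    char *glyph, *sp;
    unsigned int code;
    if (strncmp(line, "dup ", 4) != 0)
        return -1;
    code = parse_code(line + 4, &end);
    if (end == line + 4 || end[0] != ' ' || end[1] != '/')
        return -1;
    glyph = line + (end - line) + 2;
    sp = strchr(glyph, ' ');
    if (sp == NULL || strcmp(sp + 1, "put") != 0)
        return -1;
    *sp = '\0';                           /* terminate glyph name in place */
    return set_encoding(encoding, code, glyph) ? (int)code : -1;
}
```

A digit string that wraps to a value below 256 is still accepted, which is memory-safe but selects the wrong slot; a parser that also rejects overflow during accumulation would be stricter than the unsigned wrap alone.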
Comment 1 Petr Gajdos 2024-05-02 09:40:41 UTC
(In reply to SMASH SMASH from comment #0)
> Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an invalid
> character code in a Type 1 font. The root problem was a bounds check that
> was being optimized away by modern compilers.
> 
> https://www.xpdfreader.com/security-bug/CVE-2024-4141.html

"This will be fixed in Xpdf 4.06."

4.06 is not out yet. Tried to find something here: https://forum.xpdfreader.com/ but no luck.
Comment 2 Petr Gajdos 2024-05-23 07:57:18 UTC
Asked xpdf@xpdfreader.com whether they can share the fix.
Comment 3 Petr Gajdos 2024-05-28 07:15:27 UTC
4.06 is still not out. I got the fix from Derek:

diff --git a/FoFiType1.cc b/FoFiType1.cc
index 87278e7..66b1932 100644
--- a/FoFiType1.cc
+++ b/FoFiType1.cc
@@ -193,7 +193,8 @@ void FoFiType1::parse() {
   char *line, *line1, *p, *p2;
   char buf[256];
   char c;
-  int n, code, base, i, j;
+  unsigned int code;
+  int n, base, i, j;
   GBool gotMatrix, startsWithDup, endsWithDup;

   gotMatrix = gFalse;
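Review bot: Moving `code` out of the `int` list into its own `unsigned int code;` declaration is the substantive part of this fix, since it makes wrap-around while the code is accumulated defined behaviour instead of signed overflow that the compiler may assume never happens; but the hunk changes only the declaration, so every assignment to and use of `code` elsewhere in parse() (not shown) should be checked for sign-compare and implicit-conversion issues, and a one-line comment on the new declaration saying why it must stay unsigned would keep a later cleanup from folding it back into the `int` list.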
@@ -262,7 +263,7 @@ void FoFiType1::parse() {
            }
            ++p;
            for (p2 = p; *p2 && *p2 != ' ' && *p2 != '\t'; ++p2) ;
-           if (code >= 0 && code < 256) {
+           if (code < 256) {
              c = *p2;
              *p2 = '\0';
              gfree(encoding[code]);
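Review bot: Replacing `if (code >= 0 && code < 256)` with `if (code < 256)` is only correct because `code` is now unsigned; read on its own this line looks like a weakened check, so a brief comment here stating that the unsigned compare covers the formerly negative case would help reviewers of future diffs. The literal 256 also duplicates the size of `encoding[]`; using the array's declared bound or a named constant would keep the check and the array in sync.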

Based on that, I would say 15sp5/poppler and later are affected and 15sp6,TW/poppler not affected, what do you think? I have asked Derek whether we can publish the fix and let other distros know.
Comment 4 Petr Gajdos 2024-05-28 07:58:59 UTC
Obviously:

(In reply to Petr Gajdos from comment #3)
> Based on that, I would say 15sp5/poppler and later are affected and
> 15sp6,TW/poppler not affected, what do you think? I have asked Derek whether
> we can publish the fix and let other distros know.

Based on that, I would say 15sp5/poppler and older ...
Comment 6 Petr Gajdos 2024-05-29 10:25:27 UTC
SUSE:SLFO:Main/poppler and SUSE:ALP:Source:Standard:1.0/poppler unaffected.
Comment 7 Petr Gajdos 2024-05-29 11:37:13 UTC
Submitted for: 15sp5, 15sp4, 15sp2, 15, 12sp2 and 12.

I believe all fixed.
Comment 11 Maintenance Automation 2024-06-03 16:30:43 UTC
SUSE-SU-2024:1901-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1223375
CVE References: CVE-2024-4141
Maintenance Incident: [SUSE:Maintenance:34111](https://smelt.suse.de/incident/34111/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 poppler-0.24.4-14.47.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Maintenance Automation 2024-06-03 16:30:45 UTC
SUSE-SU-2024:1900-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1223375
CVE References: CVE-2024-4141
Maintenance Incident: [SUSE:Maintenance:34103](https://smelt.suse.de/incident/34103/)
Sources used:
openSUSE Leap 15.4 (src):
 poppler-qt6-22.01.0-150400.3.19.1, poppler-22.01.0-150400.3.19.1, poppler-qt5-22.01.0-150400.3.19.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src):
 poppler-22.01.0-150400.3.19.1

Comment 13 Maintenance Automation 2024-06-03 16:30:47 UTC
SUSE-SU-2024:1899-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1223375
CVE References: CVE-2024-4141
Maintenance Incident: [SUSE:Maintenance:34110](https://smelt.suse.de/incident/34110/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 poppler-qt-0.43.0-16.46.1, poppler-0.43.0-16.46.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 poppler-qt-0.43.0-16.46.1, poppler-0.43.0-16.46.1
SUSE Linux Enterprise Server 12 SP5 (src):
 poppler-qt-0.43.0-16.46.1, poppler-0.43.0-16.46.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 poppler-qt-0.43.0-16.46.1, poppler-0.43.0-16.46.1

Comment 14 Petr Gajdos 2024-06-04 18:39:41 UTC
Reassigning again.
Comment 15 Maintenance Automation 2024-06-10 20:30:11 UTC
SUSE-SU-2024:1967-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1223375
CVE References: CVE-2024-4141
Maintenance Incident: [SUSE:Maintenance:34104](https://smelt.suse.de/incident/34104/)
Sources used:
Basesystem Module 15-SP5 (src):
 poppler-0.79.0-150200.3.29.1
Basesystem Module 15-SP6 (src):
 poppler-0.79.0-150200.3.29.1

Comment 16 Maintenance Automation 2024-06-11 12:31:08 UTC
SUSE-SU-2024:1980-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1223375
CVE References: CVE-2024-4141
Maintenance Incident: [SUSE:Maintenance:34138](https://smelt.suse.de/incident/34138/)
Sources used:
openSUSE Leap 15.5 (src):
 poppler-23.01.0-150500.3.8.1, poppler-qt5-23.01.0-150500.3.8.1, poppler-qt6-23.01.0-150500.3.8.1
Basesystem Module 15-SP5 (src):
 poppler-23.01.0-150500.3.8.1
SUSE Package Hub 15 15-SP5 (src):
 poppler-23.01.0-150500.3.8.1, poppler-qt5-23.01.0-150500.3.8.1
