Bug 1143950 – VUL-0: CVE-2019-14494: poppler: divide-by-zero error in the function SplashOutputDev:tilingPatternFill at SplashOutputDev.cc.

Bug 1143950 - (CVE-2019-14494) VUL-0: CVE-2019-14494: poppler: divide-by-zero error in the function SplashOutputDev:tilingPatternFill at SplashOutputDev.cc.

(CVE-2019-14494)
Summary:	VUL-0: CVE-2019-14494: poppler: divide-by-zero error in the function SplashOu...

Status:	NEW

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Peter Simons
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/238723/
Whiteboard:	CVSSv3:SUSE:CVE-2019-14494:5.3:(AV:L...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-08-02 08:37 UTC by Alexandros Toptsoglou
Modified:	2022-05-18 19:22 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
POC (101.66 KB, application/pdf) 2019-08-02 08:42 UTC, Alexandros Toptsoglou	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2019-08-02 08:37:08 UTC

CVE-2019-14494

An issue was discovered in Poppler through 0.78.0. There is a divide-by-zero
error in the function SplashOutputDev::tilingPatternFill at SplashOutputDev.cc.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14494
http://www.cvedetails.com/cve/CVE-2019-14494/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14494
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317
https://gitlab.freedesktop.org/poppler/poppler/issues/802

Comment 1 Alexandros Toptsoglou 2019-08-02 08:41:30 UTC

Reproduced successfully the issue with the attached POC in SLE15, SLE12-SP2 and SLE12. In the older codestreams the POC did not work and the code review suggests that the specific function does not exists. 

To run the reproducer simply run: 

valgrind pdftoppm -cropbox -gray $POC

OUTPUT

==18836== 
==18836== Process terminating with default action of signal 8 (SIGFPE): dumping core
==18836==  Integer divide by zero at address 0x10033465FB
==18836==    at 0x4FFC0E2: SplashOutputDev::tilingPatternFill(GfxState*, Gfx*, Catalog*, Object*, double*, int, int, Dict*, double*, double*, int, int, int, int, double, double) (SplashOutputDev.cc:4627)
==18836==    by 0x4F67813: Gfx::doTilingPatternFill(GfxTilingPattern*, bool, bool, bool) (Gfx.cc:2214)
==18836==    by 0x4F67B87: Gfx::opStroke(Object*, int) (Gfx.cc:1778)
==18836==    by 0x4F623DE: Gfx::go(bool) (Gfx.cc:737)
==18836==    by 0x4F6282A: Gfx::display(Object*, bool) (Gfx.cc:699)
==18836==    by 0x4F62C41: Gfx::drawForm(Object*, Dict*, double*, double*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) (Gfx.cc:4837)
==18836==    by 0x4F654D3: Gfx::doForm(Object*) (Gfx.cc:4760)
==18836==    by 0x4F6A07F: Gfx::opXObject(Object*, int) (Gfx.cc:4178)
==18836==    by 0x4F623DE: Gfx::go(bool) (Gfx.cc:737)
==18836==    by 0x4F6282A: Gfx::display(Object*, bool) (Gfx.cc:699)
==18836==    by 0x4FAE390: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:560)
==18836==    by 0x10AE27: savePageSlice (pdftoppm.cc:276)
==18836==    by 0x10AE27: main (pdftoppm.cc:600)
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������==18836== 
==18836== HEAP SUMMARY:
==18836==     in use at exit: 5,074,754 bytes in 8,107 blocks
==18836==   total heap usage: 129,832 allocs, 121,725 frees, 35,995,149 bytes allocated

Comment 2 Alexandros Toptsoglou 2019-08-02 08:42:06 UTC

Created attachment 812564 [details]
POC

Comment 4 Swamp Workflow Management 2021-12-01 20:30:24 UTC

SUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server for SAP 15 (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise Server 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    poppler-0.62.0-4.6.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    poppler-0.62.0-4.6.1
SUSE Enterprise Storage 6 (src):    poppler-0.62.0-4.6.1
SUSE CaaS Platform 4.0 (src):    poppler-0.62.0-4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Swamp Workflow Management 2021-12-01 21:14:20 UTC

openSUSE-SU-2021:3854-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 1092945,1102531,1107597,1114966,1115185,1115186,1115187,1115626,1120495,1120496,1120939,1120956,1124150,1127329,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2017-18267,CVE-2018-13988,CVE-2018-16646,CVE-2018-18897,CVE-2018-19058,CVE-2018-19059,CVE-2018-19060,CVE-2018-19149,CVE-2018-20481,CVE-2018-20551,CVE-2018-20650,CVE-2018-20662,CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9200,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    poppler-0.62.0-4.6.1

Comment 7 Swamp Workflow Management 2022-05-18 19:19:32 UTC

SUSE-SU-2022:1723-1: An update that fixes 8 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124150,1129202,1130229,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9631,CVE-2019-9903,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    poppler-0.43.0-16.19.3, poppler-qt-0.43.0-16.19.3
SUSE Linux Enterprise Server 12-SP5 (src):    poppler-0.43.0-16.19.3, poppler-qt-0.43.0-16.19.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2022-05-18 19:22:49 UTC

SUSE-SU-2022:1724-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124150,1129202,1131696,1131722,1142465,1143950,1179163
CVE References: CVE-2019-10871,CVE-2019-10872,CVE-2019-14494,CVE-2019-7310,CVE-2019-9631,CVE-2019-9959,CVE-2020-27778
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    poppler-0.24.4-14.20.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.