Bug 1202692 - (CVE-2022-38784) VUL-0: CVE-2022-38784: poppler: integer overflow
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Peter Simons
QA Contact: Security Team bot
https://smash.suse.de/issue/340397/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-38171:7.8:(AV:...
Depends on:
Blocks: 1204094
Reported: 2022-08-24 11:41 UTC by Hu
Modified: 2022-12-02 18:33 UTC (History)
CC: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Proof of Concept for the vulnerability (73.07 KB, application/pdf), 2022-12-02 17:33 UTC, Peter Simons

Comment 1 Hu 2022-08-24 11:43:17 UTC
Relevant link: https://gist.github.com/zmanion/b2ed0d1a0cec163ecd07d5e3d9740dc6

Affected:
- SUSE:SLE-11-SP1:Update/poppler      0.12.3
- SUSE:SLE-12-SP2:Update/poppler      0.43.0
- SUSE:SLE-12:Update/poppler          0.24.4
- SUSE:SLE-15-SP2:Update/poppler      0.79.0
- SUSE:SLE-15-SP4:Update/poppler      22.01.0
- SUSE:SLE-15:Update/poppler          0.62.0
- openSUSE:Factory/poppler            22.08.0
Comment 2 Hu 2022-08-24 11:43:50 UTC
File is in poppler/JBIG2Stream.cc
Comment 3 Thomas Leroy 2022-10-10 10:02:14 UTC
(In reply to Hu from comment #1)
> Relevant link:
> https://gist.github.com/zmanion/b2ed0d1a0cec163ecd07d5e3d9740dc6
> 
> Affected:
> - SUSE:SLE-11-SP1:Update/poppler      0.12.3
> - SUSE:SLE-12-SP2:Update/poppler      0.43.0
> - SUSE:SLE-12:Update/poppler          0.24.4
> - SUSE:SLE-15-SP2:Update/poppler      0.79.0
> - SUSE:SLE-15-SP4:Update/poppler      22.01.0
> - SUSE:SLE-15:Update/poppler          0.62.0
> - openSUSE:Factory/poppler            22.08.0

Crash confirmed. 
The following snippet in poppler/JBIG2Stream.cc should fix the issue:

@@ -2042,7 +2057,14 @@
   for (i = 0; i < nRefSegs; ++i) {
     if ((seg = findSegment(refSegs[i]))) {
       if (seg->getType() == jbig2SegSymbolDict) {
-	numSyms += ((JBIG2SymbolDict *)seg)->getSize();
+	Guint segSize = ((JBIG2SymbolDict *)seg)->getSize();
+	if (segSize > INT_MAX || numSyms > INT_MAX - segSize) {
+	  error(errSyntaxError, getPos(),
+		"Too many symbols in JBIG2 text region");
+	  delete codeTables;
+	  return;
+	}
+	numSyms += segSize;
       } else if (seg->getType() == jbig2SegCodeTable) {
 	codeTables->append(seg);
       }
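Review bot: the guard added before `numSyms += segSize` is sound for an unsigned `numSyms`: `segSize > INT_MAX` is tested first, so `INT_MAX - segSize` cannot underflow, and with both operands at most INT_MAX the addition cannot wrap. Two things the hunk does not show and that should be verified against the rest of JBIG2Stream.cc: `INT_MAX` requires `<climits>` (or `<limits.h>`) to be included, and the `delete codeTables; return;` exit should release the same objects the function's other early-error paths release, since this is the only cleanup visible here. Note also that this snippet is not the upstream poppler change: comment 8 says that one relies on C++11 template helpers, whereas this version uses `Guint` and `codeTables->append(seg)`, so when it is ported to a given codestream those names must still exist there.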
Comment 7 Peter Simons 2022-12-02 17:33:14 UTC
Created attachment 863281 [details]
Proof of Concept for the vulnerability

Found originally at https://github.com/jeffssh/CVE-2021-30860.
Comment 8 Peter Simons 2022-12-02 18:33:53 UTC
- openSUSE:Factory has been fixed by updating to poppler 22.11.0.

- SLE-15-SP4 has the upstream patch applied in home:psimons:branches:OBS_Maintained:poppler/poppler.SUSE_SLE-15-SP4_Update.

- SLE-15-SP2 has a substantially re-written patch applied in home:psimons:branches:OBS_Maintained:poppler/poppler.SUSE_SLE-15-SP4_Update.

- SLE-15 has a substantially re-written patch applied in home:psimons:branches:OBS_Maintained:poppler/poppler.SUSE_SLE-15_Update.

- We cannot apply the patch in SLE-12-SP2, SLE-11-SP1, or SLE-12, because the versions of GNU C++ we have in these codestreams are too old to compile the template functions used by the fix (which was designed assuming that C++11 is available).

I'll submit the updated packages ASAP. I just want to add a few more fixes to the submission.
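As an added example (not poppler's code, and not written by any commenter above), the following C++ models the `numSyms` accumulation that the hunk in comment 3 guards and contrasts that explicit INT_MAX bound with a checked-add template helper of the kind comment 8 says the upstream fix relies on. `SymbolDictStub`, `checkedAdd` and the function names are this example's own inventions, and the symbol-count inputs are constructed rather than taken from a real PDF.

```cpp
// Added example, not poppler's code: a model of the numSyms accumulation in
// JBIG2Stream::readTextRegionSeg() behind CVE-2022-38784. The symbol counts
// of all referenced symbol dictionaries are summed into an unsigned int, that
// sum sizes the symbol table, and a second pass copies every dictionary's
// bitmaps into it. If the sum wraps, the table is smaller than the copy.
#include <climits>
#include <cstdint>
#include <limits>
#include <type_traits>
#include <vector>

// Hypothetical stand-in for JBIG2SymbolDict::getSize().
struct SymbolDictStub {
    unsigned int size;  // number of symbol bitmaps the dictionary exports
};

// Constructed inputs (not from a real PDF). The first one wraps the 32-bit sum.
const std::vector<SymbolDictStub> kWrappingInput = {{0x80000000u}, {0x80000001u}};
// Wraps only at the third dictionary: 0x7fffffff + 0x7fffffff + 2 == 2^32.
const std::vector<SymbolDictStub> kLateWrapInput = {{0x7fffffffu}, {0x7fffffffu}, {2u}};
// No wrap, but the total exceeds INT_MAX.
const std::vector<SymbolDictStub> kOverIntMaxInput = {{0x7fffffffu}, {1u}};
const std::vector<SymbolDictStub> kBenignInput = {{10u}, {20u}, {30u}};

// The '-' line of the hunk: plain unsigned accumulation, wraps modulo 2^32.
unsigned int countSymsUnchecked(const std::vector<SymbolDictStub>& dicts) {
    unsigned int numSyms = 0;
    for (const auto& d : dicts) {
        numSyms += d.size;
    }
    return numSyms;
}

// What the second pass copies: the true total, which a 64-bit sum can hold.
uint64_t bitmapsCopiedBySecondPass(const std::vector<SymbolDictStub>& dicts) {
    uint64_t total = 0;
    for (const auto& d : dicts) {
        total += d.size;
    }
    return total;
}

// Heap-overflow condition: the table was sized from the wrapped count but the
// second pass writes the true number of entries.
bool tableWouldBeUndersized(const std::vector<SymbolDictStub>& dicts) {
    return static_cast<uint64_t>(countSymsUnchecked(dicts)) < bitmapsCopiedBySecondPass(dicts);
}

// Hardened variant A: the explicit INT_MAX bound from the hunk in comment 3.
// Returns false where the patched code reports "Too many symbols".
bool countSymsBounded(const std::vector<SymbolDictStub>& dicts, unsigned int* out) {
    const unsigned int kIntMax = INT_MAX;
    unsigned int numSyms = 0;
    for (const auto& d : dicts) {
        unsigned int segSize = d.size;
        // Rejecting segSize > INT_MAX first keeps INT_MAX - segSize from underflowing.
        if (segSize > kIntMax || numSyms > kIntMax - segSize) {
            return false;
        }
        numSyms += segSize;
    }
    *out = numSyms;
    return true;
}

// Hardened variant B: a checked-add template in the spirit of the C++11
// helper comment 8 mentions. This is the example's own implementation, not
// poppler's. Returns true on overflow and leaves *out untouched.
template <typename T>
bool checkedAdd(T a, T b, T* out) {
    static_assert(std::is_unsigned<T>::value, "example handles unsigned operands only");
    if (b > std::numeric_limits<T>::max() - a) {
        return true;
    }
    *out = a + b;
    return false;
}

// Same loop as the vulnerable one, but every addition is checked. Unlike
// variant A it only rejects an actual wrap, so totals above INT_MAX pass.
bool countSymsCheckedAdd(const std::vector<SymbolDictStub>& dicts, unsigned int* out) {
    unsigned int numSyms = 0;
    for (const auto& d : dicts) {
        if (checkedAdd(numSyms, d.size, &numSyms)) {
            return false;
        }
    }
    *out = numSyms;
    return true;
}
```

The two hardened variants differ on the third constructed input: a total of 0x80000000 does not wrap a 32-bit unsigned, so the checked-add version accepts it, while the comment 3 bound rejects it because it caps `numSyms` at INT_MAX. Either is enough to keep the table allocation and the second copying pass consistent, which is the property the overflow broke.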