CVE-2019-9959 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
The JPXStream::init function in Poppler 0.78.0 and earlier does not check for negative values of the stream length. When such a value is used as an allocation size it wraps (an integer overflow), so a crafted PDF can make the library request a heap chunk whose size the attacker controls, as demonstrated with pdftocairo. The practical effect is uncontrolled memory consumption, i.e. a denial of service against any application that renders untrusted PDFs through Poppler; the issue is fixed in Poppler 0.79.
Vulnerable Configurations
- Poppler 0.78.0 and earlier (fixed in 0.79), and distribution packages built from those versions (see the Nessus checks below)
Common Weakness Enumeration (CWE)
- CWE-190: Integer Overflow or Wraparound
Common Attack Pattern Enumeration and Classification (CAPEC)
- CAPEC-92: Forced Integer Overflow. This attack forces an integer variable to go out of range. The integer is often used as an offset or as the size of a memory allocation, and the attacker typically controls its value and tries to push it out of range. For instance, if the integer is incremented past its maximum value it may wrap to become a very small or negative number, yielding a badly wrong value that leads to unexpected behavior. At worst the attacker can execute arbitrary code; in this CVE the effect is an attacker-sized heap allocation.
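The pattern the summary and the CAPEC entry describe, as an added illustration in C that is not Poppler's code and does not reproduce its PDF parsing: a signed stream length taken from the document flows into an allocation size without a sign check, so a negative value wraps to a huge size_t and the attacker decides how much heap is requested. The 4-byte little-endian header format and the helper names are assumptions made for the example; the hardened variant shows the two checks that close the hole (reject negative lengths, bound the request by the bytes actually present).

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a stream's declared length: a signed 32-bit
 * little-endian integer in a 4-byte header. The layout is an assumption made
 * for this illustration; it is not how a PDF /Length entry is encoded. */
int32_t read_declared_length(const unsigned char hdr[4])
{
    uint32_t u = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                 ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    int32_t s;
    memcpy(&s, &u, sizeof s);  /* reinterpret the bits as a signed value */
    return s;
}

/* Vulnerable pattern: the signed length becomes the allocation size with no
 * sign check. A negative value converts to a huge size_t (-1 gives SIZE_MAX),
 * so the attacker picks the size of the heap chunk that gets requested.
 * Returns the size malloc would be asked for; nothing is allocated here so
 * the value can be inspected safely. */
size_t vulnerable_request_size(int32_t declared_len)
{
    size_t buf_size = (size_t)declared_len;  /* signed -> unsigned wraparound */
    return buf_size;
}

/* Hardened pattern: reject negative lengths and bound the request by the
 * bytes actually present in the stream. Returns 0 when the length is
 * rejected, which the caller must treat as a parse failure. */
size_t hardened_request_size(int32_t declared_len, size_t bytes_available)
{
    if (declared_len < 0)
        return 0;
    size_t n = (size_t)declared_len;
    if (n > bytes_available)
        return 0;
    return n;
}

/* Returns 1 if the hardened check refuses a request that the vulnerable
 * path would have passed straight to the allocator, 0 otherwise. */
int hardened_blocks(int32_t declared_len, size_t bytes_available)
{
    return vulnerable_request_size(declared_len) != 0 &&
           hardened_request_size(declared_len, bytes_available) == 0;
}

int main(void)
{
    /* Constructed headers: a sane length of 512, and the bit pattern
     * 0xffffffff, which a naive parser reads as -1. */
    const unsigned char sane[4] = {0x00, 0x02, 0x00, 0x00};
    const unsigned char hostile[4] = {0xff, 0xff, 0xff, 0xff};
    const size_t stream_bytes = 1024;  /* bytes actually present after the header */
    const unsigned char *hdrs[2] = {sane, hostile};

    for (int i = 0; i < 2; i++) {
        int32_t len = read_declared_length(hdrs[i]);
        printf("declared %" PRId32 ": vulnerable path requests %zu bytes, "
               "hardened path requests %zu bytes\n",
               len, vulnerable_request_size(len),
               hardened_request_size(len, stream_bytes));
    }
    return 0;
}
```

The bound against the bytes actually present matters as much as the sign check: a positive but absurd length (say 2 GB for a 10 KB file) passes a sign-only check and still lets the document dictate the allocation size.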
Nessus
NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2019-2713.NASL
description: From Red Hat Security Advisory 2019:2713 : An update for poppler is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. Security Fix(es) :
* poppler: heap-based buffer over-read in XRef::getEntry in XRef.cc (CVE-2019-7310)
* poppler: heap-based buffer overflow in function ImageStream::getLine() in Stream.cc (CVE-2019-9200)
* poppler: heap-based buffer over-read in function PSOutputDev::checkPageSlice in PSOutputDev.cc (CVE-2019-10871)
* poppler: heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc (CVE-2019-12293)
* poppler: memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc (CVE-2018-18897)
* poppler: NULL pointer dereference in the XRef::getEntry in XRef.cc (CVE-2018-20481)
* poppler: reachable Object::getString assertion in AnnotRichMedia class in Annot.c (CVE-2018-20551)
* poppler: reachable Object::dictLookup assertion in FileSpec class in FileSpec.cc (CVE-2018-20650)
* poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc (CVE-2018-20662)
* poppler: heap-based buffer over-read in function downsample_row_box_filter in CairoRescaleBox.cc (CVE-2019-9631)
* poppler: stack consumption in function Dict::find() in Dict.cc (CVE-2019-9903)
* poppler: integer overflow in JPXStream::init function leading to memory consumption (CVE-2019-9959)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 128846
published: 2019-09-16
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/128846
title: Oracle Linux 8 : poppler (ELSA-2019-2713)

NASL family: Misc.
NASL id: POPPLER_0_79.NASL
description: The version of Poppler installed on the remote host is 0.79. It is, therefore, affected by an integer overflow vulnerability. The JPXStream::init function in Poppler 0.78.0 and earlier doesn
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 127052
published: 2019-07-26
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/127052
title: Poppler < 0.79 Integer Overflow Vulnerability

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2019-8729E0EDF5.NASL
description: Security fix for CVE-2019-9959. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 127826
published: 2019-08-13
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/127826
title: Fedora 29 : poppler (2019-8729e0edf5)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2019-69EC14786B.NASL
description: Security fix for CVE-2019-9959. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 127825
published: 2019-08-13
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/127825
title: Fedora 30 : poppler (2019-69ec14786b)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-2015.NASL
description: According to the version of the poppler packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :
- The JPXStream::init function in Poppler 0.78.0 and earlier doesn
last seen: 2020-05-08
modified: 2019-09-24
plugin id: 129208
published: 2019-09-24
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129208
title: EulerOS 2.0 SP3 : poppler (EulerOS-SA-2019-2015)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2019-2713.NASL
description: An update for poppler is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince. Security Fix(es) :
* poppler: heap-based buffer over-read in XRef::getEntry in XRef.cc (CVE-2019-7310)
* poppler: heap-based buffer overflow in function ImageStream::getLine() in Stream.cc (CVE-2019-9200)
* poppler: heap-based buffer over-read in function PSOutputDev::checkPageSlice in PSOutputDev.cc (CVE-2019-10871)
* poppler: heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc (CVE-2019-12293)
* poppler: memory leak in GfxColorSpace::setDisplayProfile in GfxState.cc (CVE-2018-18897)
* poppler: NULL pointer dereference in the XRef::getEntry in XRef.cc (CVE-2018-20481)
* poppler: reachable Object::getString assertion in AnnotRichMedia class in Annot.c (CVE-2018-20551)
* poppler: reachable Object::dictLookup assertion in FileSpec class in FileSpec.cc (CVE-2018-20650)
* poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc (CVE-2018-20662)
* poppler: heap-based buffer over-read in function downsample_row_box_filter in CairoRescaleBox.cc (CVE-2019-9631)
* poppler: stack consumption in function Dict::find() in Dict.cc (CVE-2019-9903)
* poppler: integer overflow in JPXStream::init function leading to memory consumption (CVE-2019-9959)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 128850
published: 2019-09-16
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/128850
title: RHEL 8 : poppler (RHSA-2019:2713)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1827.NASL
description: According to the versions of the poppler packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- The JPXStream::init function in Poppler 0.78.0 and earlier doesn
last seen: 2020-05-03
modified: 2019-08-27
plugin id: 128196
published: 2019-08-27
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/128196
title: EulerOS 2.0 SP8 : poppler (EulerOS-SA-2019-1827)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-2499.NASL
description: According to the versions of the poppler packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
- poppler since version 0.17.3 has been vulnerable to NULL pointer dereference in pdfunite triggered by specially crafted documents. (CVE-2017-7511)
- poppler through version 0.55.0 is vulnerable to an uncontrolled recursion in pdfunite resulting into potential denial-of-service. (CVE-2017-7515)
- Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment. (CVE-2018-19149)
- In Poppler 0.54.0, a memory leak vulnerability was found in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-9406)
- In Poppler 0.54.0, a memory leak vulnerability was found in the function Object::initArray in Object.cc, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-9408)
- The JPXStream::init function in Poppler 0.78.0 and earlier doesn
last seen: 2020-05-08
modified: 2019-12-04
plugin id: 131652
published: 2019-12-04
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/131652
title: EulerOS 2.0 SP2 : poppler (EulerOS-SA-2019-2499)

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20200407_POPPLER_AND_EVINCE_ON_SL7_X.NASL
description:
* poppler: integer overflow in Parser::makeStream in Parser.cc
* poppler: heap-based buffer over-read in function PSOutputDev::checkPageSlice in PSOutputDev.cc
* poppler: heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc
* poppler: integer overflow in JPXStream::init function leading to memory consumption
* evince: uninitialized memory use in function tiff_document_render() and tiff_document_get_thumbnail()
last seen: 2020-04-30
modified: 2020-04-21
plugin id: 135829
published: 2020-04-21
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/135829
title: Scientific Linux Security Update : poppler and evince on SL7.x x86_64 (20200407)

NASL family: Huawei Local Security Checks
NASL id: EULEROS_SA-2019-1986.NASL
description: According to the version of the poppler packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :
- The JPXStream::init function in Poppler 0.78.0 and earlier doesn
last seen: 2020-05-08
modified: 2019-09-24
plugin id: 129180
published: 2019-09-24
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129180
title: EulerOS 2.0 SP5 : poppler (EulerOS-SA-2019-1986)
Redhat
advisories: RHSA-2019:2713 (poppler update for Red Hat Enterprise Linux 8, rated Moderate; https://access.redhat.com/errata/RHSA-2019:2713)
References
- https://gitlab.freedesktop.org/poppler/poppler/blob/master/NEWS
- http://www.securityfocus.com/bid/109342
- https://access.redhat.com/errata/RHSA-2019:2713
- https://lists.debian.org/debian-lts-announce/2019/10/msg00024.html
- https://lists.debian.org/debian-lts-announce/2020/11/msg00014.html
- https://lists.debian.org/debian-lts-announce/2022/09/msg00030.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A6NX2XPMMV7O52F4NBNCHGILGJXM3OJZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5ZOYOZTGU4RGZW4E63OZ7LW4SMPEWGBV/