poppler 0.10.5-1ubuntu2.4 regression since -1ubuntu2.2

Bug #457985 reported by Gard Spreemann
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Poppler
Unknown
High
poppler (Ubuntu)
Fix Released
Undecided
Marc Deslauriers

Bug Description

After the poppler 0.10.5-1ubuntu2.4 security update on 20 Oct 2009 (USN-850-1), Okular segfaults on certain PDF files. If poppler is rebuilt without the three patches introduced by the security update (30_security_CVE-2009-3605.patch, 31_security_CVE-2009-360x.patch and 32_security_CVE-2009-3607.patch) correct behaviour is restored, pointing to one of these patches as having introduced the regression.

I have not tested the Karmic version, but I will if I can find the time. The mentioned patches were not introduced to Karmic, though, as it uses a different upstream version, so I suspect it does not suffer from the same problem.

By the way: Should this be marked as a security bug to notify the right people, since a security-related patch introduced the bug?

Ubuntu version: Jaunty

Revision history for this message
Gard Spreemann (gspreemann) wrote :

Two things I forgot:
- Evince behaves correctly both with and without the poppler patch. Are there perhaps Qt-specific parts of the patches?
- If I can find the time, I'll try to reproduce the crash with a different PDF file. The current one is my master thesis, which I'd rather not share with the world in its current state.

Revision history for this message
Gard Spreemann (gspreemann) wrote :

Update: OK, using pdftk I extracted a single page that is enough to crash Okular when the poppler security patch is applied. See attachment.

Revision history for this message
Gard Spreemann (gspreemann) wrote :

Update: OK, using pdftk I extracted a single page that is enough to crash Okular when the poppler security patch is applied. See attachment.

Revision history for this message
Gard Spreemann (gspreemann) wrote :

Sorry for attaching twice. Launchpad gave me an error the first time.

Changed in poppler (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
Gard Spreemann (gspreemann) wrote :

If more testing material is desired, I came across the PDF file [1], which also crashes Okular when poppler is patched as above. Evince is again unaffected. Again, if the poppler patches are reverted, Okular behaves correctly.

[1] http://katmat.math.uni-bremen.de/acc/acc.pdf (warning: 4 MB)

Revision history for this message
Nuno Sucena Almeida (slug-debian) wrote :
Download full text (7.4 KiB)

I can confirm that after upgrading poppler (kubuntu 9.04) I get a crash with the file from http://katmat.math.uni-bremen.de/acc/acc.pdf but also a crash that seems different (related to dbus?) with a file from http://www.ihsa.org/initiatives/sportsMedicine/files/gatorade/Swimming-Breakfast_and_Recovery_Strategies.pdf

backtrace for the second case:
$ gdb --args okular Swimming-Breakfast_and_Recovery_Strategies.pdf
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(no debugging symbols found)
(gdb) r
Starting program: /usr/bin/okular Swimming-Breakfast_and_Recovery_Strategies.pdf
[Thread debugging using libthread_db enabled]
[New Thread 0x7fc59dff4750 (LWP 16515)]
[New Thread 0x7fc58f7c5950 (LWP 16526)]
[Thread 0x7fc58f7c5950 (LWP 16526) exited]
[New Thread 0x7fc58f7c5950 (LWP 16527)]
[Thread 0x7fc58f7c5950 (LWP 16527) exited]
[New Thread 0x7fc58f7c5950 (LWP 16528)]
Bogus memory allocation size

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fc58f7c5950 (LWP 16528)]
0x00007fc59c2acf7b in QDBusAdaptorConnector::relaySlot (this=0x1faf4f0, argv=0x7fc58f7c4370) at qdbusabstractadaptor.cpp:268
268 qdbusabstractadaptor.cpp: No such file or directory.
        in qdbusabstractadaptor.cpp
Current language: auto; currently c++
(gdb) bt
#0 0x00007fc59c2acf7b in QDBusAdaptorConnector::relaySlot (this=0x1faf4f0, argv=0x7fc58f7c4370) at qdbusabstractadaptor.cpp:268
#1 0x00007fc59c2ad7b5 in QDBusAdaptorConnector::qt_metacall (this=0x1faf4f0, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fc58f7c4370)
    at qdbusabstractadaptor.cpp:364
#2 0x00007fc59bf8aea2 in QMetaObject::activate (sender=0x1fa3810, from_signal_index=<value optimized out>, to_signal_index=1,
    argv=0x7fc58f7c4370) at kernel/qobject.cpp:3113
#3 0x00007fc59bf8b344 in QObject::destroyed (this=0x1faf4f0, _t1=0x1fa3810) at .moc/release-shared/moc_qobject.cpp:143
#4 0x00007fc59bf8c1fe in ~QObject (this=0x1fa3810) at kernel/qobject.cpp:757
#5 0x00007fc59d8e3763 in ~KBookmarkManagerAdaptor (this=0x1faf4f0)
    at /build/buildd/kde4libs-4.3.2/kio/bookmarks/kbookmarkmanageradaptor_p.h:28
#6 0x00007fc59bf83ec1 in QObjectPrivate::deleteChildren (this=0x1f95620) at kernel/qobject.cpp:1847
#7 0x00007fc59bf8c4d7 in ~QObject (this=0x1fa3750) at kernel/qobject.cpp:836
#8 0x00007fc59d8deadc in ~KBookmarkManager (this=0x1fa3750) at /build/buildd/kde4libs-4.3.2/kio/bookmarks/kbookmarkmanager.cc:295
#9 0x00007fc59d8ddc6e in destroy () at /usr/include/qt4/QtCore/qalgorithms.h:350
#10 0x00007fc59a76c6ed in *__GI_exit (status=1) at exit.c:75
#11 0x00007fc58fb206ca in gmallocn () from /usr/lib/libpoppler.so.4
#12 0x00007fc58fb3e48a in SplashFTFont::makeGlyph () from /usr/lib/libpoppler.so.4
#13 0x00007fc58fb3f9d5 in SplashFont::getGlyph () from /usr/lib/libpoppler.so.4
#14 0x00007fc58fb34660 in Splash::fillChar () from /usr/lib/libpoppler.so.4
#15 0x000...

Read more...

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the pdfs. I'm looking into this now.

Changed in poppler (Ubuntu):
status: New → Confirmed
Revision history for this message
Gard Spreemann (gspreemann) wrote :

Nuno: With the poppler patches removed, Okular behaves correctly with your PDF as well, so I don't think the problem is unrelated.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I've located the regression. I'm missing the following commit in my security backports:

http://cgit.freedesktop.org/poppler/poppler/commit/?id=5d328282da4713356fbe4283bd992ac2fc9010a2

I'm preparing updated packages to fix the issue now. They will be published once QA has been performed.

Thanks for reporting this issue!

Revision history for this message
Nuno Sucena Almeida (slug-debian) wrote :

Marc: I downloaded the package source ( apt-get source libpoppler4 ), then applied the patch from the git repository by creating a simple file inside debian/patches. After compiling ( dpkg-buildpackage -rfakeroot -uc -b ) and installing all the created .deb files, it no longer crashes. Thanks for the quick resolution!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package poppler - 0.10.5-1ubuntu2.5

---------------
poppler (0.10.5-1ubuntu2.5) jaunty-security; urgency=low

  * SECURITY UPDATE: segfault in Okular with security update (LP: #457985)
    - debian/patches/30_security_CVE-2009-3605.patch: update patch to use
      gmallocn_checkoverflow in splash/SplashFTFont.cc, as bitmap->h can
      be 0 and this was causing a regression with Okular.
    - CVE-2009-3605

 -- Marc Deslauriers <email address hidden> Thu, 22 Oct 2009 09:34:25 -0400

Changed in poppler (Ubuntu):
status: Confirmed → Fix Released
Changed in poppler:
status: Unknown → Invalid
Changed in poppler:
status: Invalid → Unknown
Changed in poppler:
importance: Unknown → High
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.