poppler: CVE-2024-6239

A flaw was found in the Poppler's Pdfinfo utility. This issue occurs when using -dests parameter with pdfinfo utility. By using certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service. CVE-2024-6239-0002 is the CVE fix and CVE-2024-6239-0001 is dependent commit to fix the CVE. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-6239 Upstream patch: 0554731052 fc1c711cb5 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-04-02 02:49:12 +00:00 · 2024-08-21 09:05:35 +00:00 · 2024-08-21 09:05:35 +00:00 · 4534a0a077
commit 4534a0a077
parent 0edc4266ac
3 changed files with 1388 additions and 0 deletions
--- a/meta-oe/recipes-support/poppler/poppler/CVE-2024-6239-0001.patch
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2024-6239-0001.patch
--- a/meta-oe/recipes-support/poppler/poppler/CVE-2024-6239-0002.patch
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2024-6239-0002.patch
@ -0,0 +1,111 @@
+From 0554731052d1a97745cb179ab0d45620589dd9c4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Fri, 17 Jun 2024 00:54:55 +0200
+Subject: [PATCH] pdfinfo: Fix crash in broken documents when using -dests
+
+CVE: CVE-2024-6239
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/0554731052d1a97745cb179ab0d45620589dd9c4]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ utils/pdfinfo.cc | 35 +++++++++++++++--------------------
+ 1 file changed, 15 insertions(+), 20 deletions(-)
+
+diff --git a/utils/pdfinfo.cc b/utils/pdfinfo.cc
+index 2057d22..5f96b41 100644
+--- a/utils/pdfinfo.cc
+++ b/utils/pdfinfo.cc
+@@ -15,7 +15,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2006 Dom Lachowicz <cinamod@hotmail.com>
+-// Copyright (C) 2007-2010, 2012, 2016-2022 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2007-2010, 2012, 2016-2022, 2024 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2010 Hib Eris <hib@hiberis.nl>
+ // Copyright (C) 2011 Vittal Aithal <vittal.aithal@cognidox.com>
+ // Copyright (C) 2012, 2013, 2016-2018, 2021 Adrian Johnson <ajohnson@redneon.com>
+@@ -112,16 +112,21 @@ static const ArgDesc argDesc[] = { { "-f", argInt, &firstPage, 0, "first page to
+                                    { "-?", argFlag, &printHelp, 0, "print usage information" },
+                                    {} };
+
+-static void printTextString(const GooString *s, const UnicodeMap *uMap)
+static void printStdTextString(const std::string &s, const UnicodeMap *uMap)
+ {
+     char buf[8];
+-    std::vector<Unicode> u = TextStringToUCS4(s->toStr());
+    const std::vector<Unicode> u = TextStringToUCS4(s);
+     for (const auto &c : u) {
+         int n = uMap->mapUnicode(c, buf, sizeof(buf));
+         fwrite(buf, 1, n, stdout);
+     }
+ }
+
+static void printTextString(const GooString *s, const UnicodeMap *uMap)
+{
+    printStdTextString(s->toStr(), uMap);
+}
+
+ static void printUCS4String(const Unicode *u, int len, const UnicodeMap *uMap)
+ {
+     char buf[8];
+@@ -293,11 +298,6 @@ static void printStruct(const StructElement *element, unsigned indent)
+     }
+ }
+
+-struct GooStringCompare
+-{
+-    bool operator()(GooString *lhs, GooString *rhs) const { return lhs->cmp(const_cast<GooString *>(rhs)) < 0; }
+-};
+-
+ static void printLinkDest(const std::unique_ptr<LinkDest> &dest)
+ {
+     GooString s;
+@@ -368,29 +368,25 @@ static void printLinkDest(const std::unique_ptr<LinkDest> &dest)
+
+ static void printDestinations(PDFDoc *doc, const UnicodeMap *uMap)
+ {
+-    std::map<Ref, std::map<GooString *, std::unique_ptr<LinkDest>, GooStringCompare>> map;
+    std::map<Ref, std::map<std::string, std::unique_ptr<LinkDest>>> map;
+
+     int numDests = doc->getCatalog()->numDestNameTree();
+     for (int i = 0; i < numDests; i++) {
+-        GooString *name = new GooString(doc->getCatalog()->getDestNameTreeName(i));
+        const GooString *name = doc->getCatalog()->getDestNameTreeName(i);
+         std::unique_ptr<LinkDest> dest = doc->getCatalog()->getDestNameTreeDest(i);
+-        if (dest && dest->isPageRef()) {
+        if (name && dest && dest->isPageRef()) {
+             Ref pageRef = dest->getPageRef();
+-            map[pageRef].insert(std::make_pair(name, std::move(dest)));
+-        } else {
+-            delete name;
+            map[pageRef].insert(std::make_pair(name->toStr(), std::move(dest)));
+         }
+     }
+
+     numDests = doc->getCatalog()->numDests();
+     for (int i = 0; i < numDests; i++) {
+-        GooString *name = new GooString(doc->getCatalog()->getDestsName(i));
+        const char *name = doc->getCatalog()->getDestsName(i);
+         std::unique_ptr<LinkDest> dest = doc->getCatalog()->getDestsDest(i);
+-        if (dest && dest->isPageRef()) {
+        if (name && dest && dest->isPageRef()) {
+             Ref pageRef = dest->getPageRef();
+             map[pageRef].insert(std::make_pair(name, std::move(dest)));
+-        } else {
+-            delete name;
+         }
+     }
+
+@@ -404,9 +400,8 @@ static void printDestinations(PDFDoc *doc, const UnicodeMap *uMap)
+                     printf("%4d ", i);
+                     printLinkDest(it.second);
+                     printf(" \"");
+-                    printTextString(it.first, uMap);
+                    printStdTextString(it.first, uMap);
+                     printf("\"\n");
+-                    delete it.first;
+                 }
+             }
+         }
+--
+2.40.0
--- a/meta-oe/recipes-support/poppler/poppler_23.04.0.bb
+++ b/meta-oe/recipes-support/poppler/poppler_23.04.0.bb
@ -9,6 +9,8 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
           file://0001-cmake-Do-not-use-isystem.patch \
           file://jpeg-stdio.patch \
           file://CVE-2023-34872.patch \
+           file://CVE-2024-6239-0001.patch \
+           file://CVE-2024-6239-0002.patch \
           "
 SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"