RHEL 6 : poppler (Unpatched Vulnerability)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory poppler. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196847);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2017-7515",
    "CVE-2017-9083",
    "CVE-2017-9406",
    "CVE-2017-9408",
    "CVE-2017-9865",
    "CVE-2017-14517",
    "CVE-2017-14518",
    "CVE-2017-14519",
    "CVE-2017-14617",
    "CVE-2017-14926",
    "CVE-2017-14927",
    "CVE-2017-14928",
    "CVE-2017-14929",
    "CVE-2017-14975",
    "CVE-2017-14976",
    "CVE-2017-14977",
    "CVE-2017-15565",
    "CVE-2017-1000456",
    "CVE-2018-13988",
    "CVE-2018-16646",
    "CVE-2018-18897",
    "CVE-2018-20481",
    "CVE-2018-20650",
    "CVE-2018-20662",
    "CVE-2019-9543",
    "CVE-2019-9631",
    "CVE-2019-9959",
    "CVE-2019-11026",
    "CVE-2019-12293",
    "CVE-2020-27778",
    "CVE-2020-36023",
    "CVE-2020-36024",
    "CVE-2022-37050",
    "CVE-2022-37051",
    "CVE-2022-37052",
    "CVE-2022-38349",
    "CVE-2022-38784"
  );

  script_name(english:"RHEL 6 : poppler (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - poppler: heap-based buffer over-read in function downsample_row_box_filter in CairoRescaleBox.cc
    (CVE-2019-9631)

  - freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addWord, leading to overflow
    in subsequent calculations. (CVE-2017-1000456)

  - In Poppler 0.59.0, a NULL Pointer Dereference exists in the XRef::parseEntry() function in XRef.cc via a
    crafted PDF document. (CVE-2017-14517)

  - In Poppler 0.59.0, a floating point exception exists in the isImageInterpolationRequired() function in
    Splash.cc via a crafted PDF document. (CVE-2017-14518)

  - In Poppler 0.59.0, memory corruption occurs in a call to Object::streamGetChar in Object.h after a
    repeating series of Gfx::display, Gfx::go, Gfx::execOp, Gfx::opShowText, and Gfx::doShowText calls (aka a
    Gfx.cc infinite loop). (CVE-2017-14519)

  - In Poppler 0.59.0, a floating point exception occurs in the ImageStream class in Stream.cc, which may lead
    to a potential attack when handling malicious PDF files. (CVE-2017-14617)

  - In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Content::Content in Annot.cc via a
    crafted PDF document. (CVE-2017-14926)

  - In Poppler 0.59.0, a NULL Pointer Dereference exists in the SplashOutputDev::type3D0() function in
    SplashOutputDev.cc via a crafted PDF document. (CVE-2017-14927)

  - In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Configuration::Configuration in
    Annot.cc via a crafted PDF document. (CVE-2017-14928)

  - In Poppler 0.59.0, memory corruption occurs in a call to Object::dictLookup() in Object.h after a
    repeating series of Gfx::display, Gfx::go, Gfx::execOp, Gfx::opFill, Gfx::doPatternFill,
    Gfx::doTilingPatternFill and Gfx::drawForm calls (aka a Gfx.cc infinite loop), a different vulnerability
    than CVE-2017-14519. (CVE-2017-14929)

  - The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a NULL pointer dereference
    vulnerability because a data structure is not initialized, which allows an attacker to launch a denial of
    service attack. (CVE-2017-14975)

  - The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a heap-based buffer over-
    read vulnerability if an out-of-bounds font dictionary index is encountered, which allows an attacker to
    launch a denial of service attack. (CVE-2017-14976)

  - The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler 0.59.0 has a NULL pointer dereference
    vulnerability due to lack of validation of a table pointer, which allows an attacker to launch a denial of
    service attack. (CVE-2017-14977)

  - In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function in
    GfxState.cc via a crafted PDF document. (CVE-2017-15565)

  - poppler through version 0.55.0 is vulnerable to an uncontrolled recursion in pdfunite resulting into
    potential denial-of-service. (CVE-2017-7515)

  - poppler 0.54.0, as used in Evince and other products, has a NULL pointer dereference in the
    JPXStream::readUByte function in JPXStream.cc. For example, the perf_test utility will crash (segmentation
    fault) when parsing an invalid PDF file. (CVE-2017-9083)

  - In Poppler 0.54.0, a memory leak vulnerability was found in the function gmalloc in gmem.cc, which allows
    attackers to cause a denial of service via a crafted file. (CVE-2017-9406)

  - In Poppler 0.54.0, a memory leak vulnerability was found in the function Object::initArray in Object.cc,
    which allows attackers to cause a denial of service via a crafted file. (CVE-2017-9408)

  - The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 allows remote attackers to cause a
    denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related
    to missing color-map validation in ImageOutputDev.cc. (CVE-2017-9865)

  - Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that
    is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and
    denial of service. This may be exploitable when a victim opens a specially crafted PDF file.
    (CVE-2018-13988)

  - In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted
    file. A remote attacker can leverage this for a DoS attack. (CVE-2018-16646)

  - An issue was discovered in Poppler 0.71.0. There is a memory leak in GfxColorSpace::setDisplayProfile in
    GfxState.cc, as demonstrated by pdftocairo. (CVE-2018-18897)

  - XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote
    attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when
    XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc. (CVE-2018-20481)

  - A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service
    due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in
    FileSpec.cc) in pdfdetach. (CVE-2018-20650)

  - In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application
    crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF
    file in which an xref data structure is mishandled during extractPDFSubtype processing. (CVE-2018-20662)

  - FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to
    the error function in Error.cc. (CVE-2019-11026)

  - In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc
    via data with inconsistent heights or widths. (CVE-2019-12293)

  - An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap()
    located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate
    binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified
    other impact. This is related to JArithmeticDecoder::decodeBit. (CVE-2019-9543)

  - The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream
    length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the
    heap, with a size controlled by an attacker, as demonstrated by pdftocairo. (CVE-2019-9959)

  - A flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker could
    exploit this flaw by providing a malicious PDF file that, when processed by the 'pdftohtml' program, would
    crash the application causing a denial of service. (CVE-2020-27778)

  - An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial
    of service (DoS) via crafted .pdf file to FoFiType1C::cvtGlyph function. (CVE-2020-36023)

  - An issue was discovered in freedesktop poppler version 20.12.1, allows remote attackers to cause a denial
    of service (DoS) via crafted .pdf file to FoFiType1C::convertToType1 function. (CVE-2020-36024)

  - In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service
    (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled
    in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of
    CVE-2018-20662. (CVE-2022-37050)

  - An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service
    because the main function in pdfunite.cc lacks a stream check before saving an embedded file.
    (CVE-2022-37051)

  - A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service
    due to a failure in markObject. (CVE-2022-37052)

  - An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to
    denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an
    embedded file. (CVE-2022-38349)

  - Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder
    (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2
    image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability
    described by CVE-2022-38171 in Xpdf. (CVE-2022-38784)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9631");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:compat-poppler022");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:evince");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:poppler");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'evince', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'evince', 'cves':['CVE-2017-9083']},
      {'reference':'poppler', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'poppler'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'evince / poppler');
}