"goo/GooCheckedOps.h" is missing in 0.62.0-2ubuntu2.13 on Ubuntu Bionic

Bug #1989515 reported by Yaobin Wen
This bug affects 2 people
Affects: poppler (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Leonidas S. Barbosa

Bug Description

Somehow "goo/GooCheckedOps.h" is missing in 0.62.0-2ubuntu2.13 on Ubuntu Bionic but "goo/gmem.h" still has the statement `#include "GooCheckedOps.h"`. As a result, a compile error will happen when compiling code that uses poppler:

/usr/include/poppler/goo/gmem.h:31:11: fatal error: GooCheckedOps.h: No such file or directory

I'm using Ubuntu 18.04 and currently have 0.62.0-2ubuntu2.12 (the previous version) installed. I confirmed that "goo/gmem.h" doesn't have the `#include "GooCheckedOps.h"` statement.

I found this issue when I was compiling gdal in my Docker container. The Docker container had the problematic version 0.62.0-2ubuntu2.13 installed and I ran into the "No such file or directory" error.

I compiled on both Amd64 and AArch64 and I ran into the same error on both platforms.

By reading the diff between 2.12 and 2.13 (https://launchpadlibrarian.net/622079418/poppler_0.62.0-2ubuntu2.12_0.62.0-2ubuntu2.13.diff.gz), the patch looks quite right. But when I examined the contents of the built `.deb` packages, I didn't find the file "goo/GooCheckedOps.h".

Kind of weird, because the problem seems to be caused by applying "CVE-2022-38784-pre.patch" in half: the first part that creates "goo/GooCheckedOps.h" was not applied during the build process and the second part that modifies "goo/gmem.h" was applied.

Any thoughts? Ideas?
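
A packaging check for the failure described above, as an added example that is not part of the original report or of the Ubuntu packaging: it scans a header tree (for instance an unpacked -dev package) for quoted `#include` targets that were never installed. The function names, `Example.h` and the sample tree contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find quoted #include targets that are absent from a header tree.

# Print one line per quoted include that resolves neither relative to the
# including header's directory nor relative to the include root.
missing_includes() {
    root=$1
    find "$root" -type f -name '*.h' | sort | while IFS= read -r hdr; do
        dir=$(dirname "$hdr")
        # Only the #include "..." form is extracted; <...> system includes are skipped.
        sed -n 's/^[[:space:]]*#[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$hdr" |
        while IFS= read -r inc; do
            if [ ! -f "$dir/$inc" ] && [ ! -f "$root/$inc" ]; then
                printf '%s: missing "%s"\n' "${hdr#"$root"/}" "$inc"
            fi
        done
    done
}

# Build a constructed sample tree that mimics the layout in the report.
# $1 = "broken" (GooCheckedOps.h not shipped) or "fixed" (header present).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/goo"
    printf '#include <stdlib.h>\n#include "GooCheckedOps.h"\n' > "$t/goo/gmem.h"
    printf '#include "goo/gmem.h"\n' > "$t/Example.h"   # constructed consumer header
    if [ "$1" = fixed ]; then
        : > "$t/goo/GooCheckedOps.h"
    fi
    echo "$t"
}

# Demo on both constructed trees.
for kind in broken fixed; do
    tree=$(make_sample_tree "$kind")
    echo "== $kind tree"
    missing_includes "$tree"
    rm -rf "$tree"
done
```

Run against the directory produced by unpacking the built package before upload; any output means a shipped header depends on one that was not installed.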


Changed in poppler (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Leonidas S. Barbosa (leosilvab) wrote :

Hi,

Could you please provide any steps on how to reproduce it?

Thanks!

Leonidas S. Barbosa (leosilvab) wrote :

Ok, I did find the issue - thanks, Security folks - and I'm issuing a security regression update.

Thanks.

Changed in poppler (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package poppler - 0.62.0-2ubuntu2.14

---------------
poppler (0.62.0-2ubuntu2.14) bionic-security; urgency=medium

  * SECURITY REGRESSION: Adding missing install header
    - debian/patches/0001-Install-goo-GooCheckedOps.h.patch:
      this add goo/GooCheckedOps.h to the CMakeLists.txt in order
      to it be distributed in the libpoppler-private-dev that was
      missing in the previous fix for CVE-2022-38784. (LP: #1989515)

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 14 Sep 2022 13:46:18 -0300

Changed in poppler (Ubuntu):
status: In Progress → Fix Released
Yaobin Wen (yaobinwen) wrote :

Thank you for the quick response! I'll do a test today or tomorrow and let you know the result.

Yaobin Wen (yaobinwen) wrote :

I confirmed that the fix works: Firstly I compiled `gdal` and now it could be built successfully; secondly I wrote a simple program to include `goo/gmem.h` and didn't see the compile error anymore. Thanks!

Leonidas S. Barbosa (leosilvab) wrote :

Cool!

Thanks for testing :)

tags: added: bionic regression-update