evince crashes (segmentation fault) when opening file rfc8655.pdf and other new-format Internet standards

Bug #1849888 reported by Erik Auerswald
Affects: evince (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

When trying to display the PDF file rfc8655.pdf from https://tools.ietf.org/pdf/rfc8655.pdf evince crashes:

    $ evince rfc8655.pdf
    Segmentation fault (core dumped)

I would have expected the PDF file to be displayed. Instead, evince crashed and did not display the document.

The built-in PDF renderer of Firefox 70.0 does display the PDF correctly.

Since the segmentation fault hints at a memory management error triggered by external input this may have security implications. I did not investigate this any further. I do not set the "This bug is a security vulnerability" flag because I do not know if it really is (it probably is, but I have no proof) and I do not want this bug report to be private.

$ lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04

$ apt-cache policy evince
evince:
  Installed: 3.28.4-0ubuntu1.2
  Candidate: 3.28.4-0ubuntu1.2
  Version table:
 *** 3.28.4-0ubuntu1.2 500
        500 http://de.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.28.2-1 500
        500 http://de.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

$ evince --version
GNOME Document Viewer 3.28.4

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.3 LTS"

This is a fresh install of Ubuntu 18.04 LTS on x86-64 (the upgrade from 16.04 resulted in a non-booting system).

Erik Auerswald (auerswal) wrote :

The problem seems to lie in the new format for IETF RFCs, i.e., all official PDF files of RFCs released using the new format result in evince crashes:

https://www.rfc-editor.org/rfc/rfc8651.pdf
https://www.rfc-editor.org/rfc/rfc8653.pdf
https://www.rfc-editor.org/rfc/rfc8654.pdf
https://www.rfc-editor.org/rfc/rfc8655.pdf

$ ls -a
. ..
$ wget -nv https://www.rfc-editor.org/rfc/rfc8651.pdf https://www.rfc-editor.org/rfc/rfc8653.pdf https://www.rfc-editor.org/rfc/rfc8654.pdf https://www.rfc-editor.org/rfc/rfc8655.pdf
2019-11-05 09:53:01 URL:https://www.rfc-editor.org/rfc/rfc8651.pdf [137041/137041] -> "rfc8651.pdf" [1]
2019-11-05 09:53:02 URL:https://www.rfc-editor.org/rfc/rfc8653.pdf [128896/128896] -> "rfc8653.pdf" [1]
2019-11-05 09:53:02 URL:https://www.rfc-editor.org/rfc/rfc8654.pdf [102866/102866] -> "rfc8654.pdf" [1]
2019-11-05 09:53:02 URL:https://www.rfc-editor.org/rfc/rfc8655.pdf [325847/325847] -> "rfc8655.pdf" [1]
FINISHED --2019-11-05 09:53:02--
Total wall clock time: 2,3s
Downloaded: 4 files, 678K in 1,0s (654 KB/s)
$ evince rfc8651.pdf
Segmentation fault (core dumped)
$ evince rfc8653.pdf
Segmentation fault (core dumped)
$ evince rfc8654.pdf
Segmentation fault (core dumped)
$ evince rfc8655.pdf
Segmentation fault (core dumped)

Older PDFs work fine, e.g., https://www.rfc-editor.org/rfc/pdfrfc/rfc8649.txt.pdf .

The built-in PDF viewer of Firefox can display all the above PDF files.
The built-in PDF viewer of Chrome can display all the above PDF files.
The MuPDF PDF viewer can display all the above PDF files.

Erik Auerswald (auerswal) wrote :

To add a bit of background: the IETF (standards body for the Internet) decided to change the format of their newly published standards from ASCII text to XML. From this XML both HTML and PDF versions are generated (and a text version which may omit diagrams / pictures). The PDF version cannot be read on Ubuntu 18.04 with default configuration, because the default document viewer evince crashes when opening the file.

summary: - evince crashes (segmentation fault) when opening file rfc8655.pdf
+ evince crashes (segmentation fault) when opening file rfc8655.pdf and
+ other new-format Internet standards
Sebastien Bacher (seb128) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please try to obtain a backtrace following the instructions at http://wiki.ubuntu.com/DebuggingProgramCrash and upload the backtrace (as an attachment) to the bug report. This will greatly help us in tracking down your problem.

Changed in evince (Ubuntu):
importance: Undecided → High
status: New → Incomplete
Sebastien Bacher (seb128) wrote :

It seems fixed in newer series but on bionic

0x00007f7f6afb41d0 in g_string_free (string=0xffffffff,
    free_segment=free_segment@entry=1) at ../../../../glib/gstring.c:217
217 ../../../../glib/gstring.c: No such file or directory.
(gdb) bt
#0 0x00007f7f6afb41d0 in g_string_free (string=0xffffffff, free_segment=free_segment@entry=1) at ../../../../glib/gstring.c:217
#1 0x00007f7f58156073 in poppler_attachment_finalize(GObject*) (obj=0x5598f02eae90 [PopplerAttachment]) at ./glib/poppler-attachment.cc:88
#2 0x00007f7f6b272012 in g_object_unref (_object=0x5598f02eae90)
    at ../../../../gobject/gobject.c:3340
#3 0x00007f7f5839525e in pdf_document_attachments_get_attachments(EvDocumentAttachments*) (document=<optimized out>) at ev-poppler.cc:3924

Sebastien Bacher (seb128) wrote :

==3259== Invalid read of size 8
==3259== at 0x77821D0: g_string_free (gstring.c:217)
==3259== by 0x1AD33072: poppler_attachment_finalize(_GObject*) (poppler-attachment.cc:88)
==3259== by 0x74D5011: g_object_unref (gobject.c:3340)
==3259== by 0x1AAE825D: ??? (ev-poppler.cc:3924)
==3259== by 0x5093B79: ev_job_attachments_run (ev-jobs.c:473)
==3259== by 0x5095C01: ev_job_thread (ev-job-scheduler.c:184)
==3259== by 0x5095C01: ev_job_thread_proxy (ev-job-scheduler.c:217)
==3259== by 0x7788194: g_thread_proxy (gthread.c:784)
==3259== by 0x7DD06DA: start_thread (pthread_create.c:463)
==3259== by 0x810988E: clone (clone.S:95)
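
As an added worked example for the two traces above (my own code, not code from evince, poppler, GLib or either commenter): a small Python triage helper that parses gdb "bt" output and a valgrind memcheck report, names the faulting frame, flags argument values that cannot be heap pointers, and lists the evince frames that led to the fault. The sample traces are the ones quoted in the comments above, embedded as constructed test data; the plausibility rules it applies (glibc malloc returns 16-byte-aligned blocks, x86-64 user-space addresses lie below 0x0000800000000000, 0xffffffff is (guint32)-1) are general facts about the platform, not statements the bug report makes about the root cause.

```python
"""Crash triage from gdb and valgrind traces (added example; not evince/poppler code).
Parses the traces quoted above, names the faulting frame, flags pointer arguments
that cannot be heap addresses, and lists the evince frames that reached the fault."""
import os
import re

# Constructed sample input: the frames quoted in the comments above.
GDB_BT = """\
#0 0x00007f7f6afb41d0 in g_string_free (string=0xffffffff, free_segment=free_segment@entry=1) at ../../../../glib/gstring.c:217
#1 0x00007f7f58156073 in poppler_attachment_finalize(GObject*) (obj=0x5598f02eae90 [PopplerAttachment]) at ./glib/poppler-attachment.cc:88
#2 0x00007f7f6b272012 in g_object_unref (_object=0x5598f02eae90)
    at ../../../../gobject/gobject.c:3340
#3 0x00007f7f5839525e in pdf_document_attachments_get_attachments(EvDocumentAttachments*) (document=<optimized out>) at ev-poppler.cc:3924
"""
VALGRIND = """\
==3259== Invalid read of size 8
==3259== at 0x77821D0: g_string_free (gstring.c:217)
==3259== by 0x1AD33072: poppler_attachment_finalize(_GObject*) (poppler-attachment.cc:88)
==3259== by 0x74D5011: g_object_unref (gobject.c:3340)
==3259== by 0x1AAE825D: ??? (ev-poppler.cc:3924)
==3259== by 0x5093B79: ev_job_attachments_run (ev-jobs.c:473)
==3259== by 0x5095C01: ev_job_thread (ev-job-scheduler.c:184)
"""

USER_SPACE_LIMIT = 1 << 47  # x86-64 Linux: user addresses lie below 0x0000800000000000
GDB_FRAME = re.compile(
    r"^#\d+\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>.+?)\s+\((?P<args>.*)\)"
    r"\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$")
VG_FRAME = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(?P<func>.+?)"
                      r"\s+\((?P<file>[^:)]+):(?P<line>\d+)\)\s*$")
VG_ERROR = re.compile(r"^==\d+==\s+(?P<msg>(?:Invalid|Conditional|Uninitialised|Mismatched).*)$")

def classify_pointer(value):
    """Reasons why VALUE cannot be a block from glibc malloc on x86-64 Linux;
    an empty list means it looks like a plausible heap address."""
    reasons = []
    if value == 0:
        reasons.append("null")
    if value in (0xffffffff, 0xffffffffffffffff):
        reasons.append("all_ones")  # (guint32)-1 / (gsize)-1: sentinel or garbage
    if value & 0x7:
        reasons.append("misaligned")  # malloc blocks are 16-byte aligned
    if value >= USER_SPACE_LIMIT:
        reasons.append("non_canonical_user")
    return reasons

def parse_gdb_backtrace(text):
    """Parse 'bt' output; continuation lines ('    at file:line') are rejoined."""
    joined = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            joined.append(raw.rstrip())
        elif joined and raw.strip():
            joined[-1] += " " + raw.strip()
    frames = []
    for m in filter(None, map(GDB_FRAME.match, joined)):
        args = {}
        for part in m["args"].split(", "):
            if "=" in part:
                name, value = part.split("=", 1)
                args[name.strip()] = value.strip()
        frames.append({"func": m["func"], "args": args,
                       "file": os.path.basename(m["file"]), "line": int(m["line"])})
    return frames

def parse_valgrind(text):
    """Return (first memcheck error message, list of frames)."""
    error, frames = None, []
    for line in text.splitlines():
        m = VG_FRAME.match(line)
        if m:
            frames.append({"func": m["func"], "file": m["file"], "line": int(m["line"])})
        elif error is None and VG_ERROR.match(line):
            error = VG_ERROR.match(line)["msg"]
    return error, frames

def triage(gdb_text, valgrind_text):
    """Summarise both traces; bad_args lists implausible pointer arguments of the faulting frame."""
    gdb_frames = parse_gdb_backtrace(gdb_text)
    vg_error, vg_frames = parse_valgrind(valgrind_text)
    top = gdb_frames[0]
    bad_args = []
    for name, value in top["args"].items():
        token = value.split()[0]
        if token.startswith("0x") and classify_pointer(int(token, 16)):
            bad_args.append((name, int(token, 16), classify_pointer(int(token, 16))))
    # valgrind prints '???' without debug symbols; recover the name from gdb by file:line.
    by_loc = {(f["file"], f["line"]): f["func"] for f in gdb_frames}
    evince_path = [by_loc.get((f["file"], f["line"]), f["func"])
                   for f in vg_frames if f["file"].startswith("ev-")]
    return {"fault": top["func"], "location": f'{top["file"]}:{top["line"]}',
            "bad_args": bad_args, "valgrind_error": vg_error, "evince_path": evince_path}

if __name__ == "__main__":
    for key, value in triage(GDB_BT, VALGRIND).items():
        print(f"{key}: {value}")
```

Run stand-alone, it reports the faulting call as g_string_free at gstring.c:217 with string=0xffffffff flagged as both all-ones and misaligned, i.e. a value malloc could not have returned, and reconstructs the evince side of the path (pdf_document_attachments_get_attachments, ev_job_attachments_run, ev_job_thread) from the symbol-less "???" frame by matching file:line against the gdb trace. That the object being torn down is a PopplerAttachment reached from the attachments job is what makes the reporter's concern about external input reasonable; the traces alone do not establish why the field holds that value.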

Sebastien Bacher (seb128) wrote :

Closing for the current series since it works in 19.10, could be a candidate for a SRU to bionic if someone figures out the fix to backport

Changed in evince (Ubuntu):
status: Incomplete → Fix Released
Erik Auerswald (auerswal) wrote :

This problem still affects 18.04 ("bionic"), as is obvious from the bug history.

A similar, but different, problem still affects current evince versions, including those newer than the version in 19.10, see https://mailarchive.ietf.org/arch/msg/tools-discuss/hgenvnKeP9zX-IBX5FyD6zyEkmI/ .

Please see bug #1885313 (https://bugs.launchpad.net/ubuntu/+source/evince/+bug/1885313) which is actually not a duplicate of this one.

Thanks,
Erik
