Bug 1165440 - PDF Attachment causes Kontact/KMail crash because of Segfault in libopenjpeg
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: KDE Applications
Version: Leap 15.1
Hardware: x86-64
OS: SUSE Other
Priority: P5 - None
Severity: Normal
Assigned To: E-Mail List
Reported: 2020-03-02 12:40 UTC by Tobias Triffterer
Modified: 2020-04-17 10:57 UTC

Attachments
Stack trace of the crash (41.49 KB, text/plain)
2020-03-02 12:40 UTC, Tobias Triffterer
Layout of the email causing the crash (1.94 KB, text/plain)
2020-03-02 12:42 UTC, Tobias Triffterer
Description Tobias Triffterer 2020-03-02 12:40:51 UTC
Created attachment 831687
Stack trace of the crash

Today I received an email with an attached PDF that instantly crashed Kontact.

The email originates from a trusted source (the HR department of our university) and contains documents I asked for, so there is no reason to suspect a malicious attachment. The email is displayed without problems in Thunderbird and K-9 Mail and Okular can open the attached PDF files without any issues.

As far as I can conclude from the stack trace, Kontact tries to extract some information from the PDF file (maybe to create a preview image?). To do this, Kontact uses libpoppler which in turn uses libopenjpeg. Inside the method opj_destroy_codec() of libopenjpeg a segmentation fault occurs.

The PDF file contains two scanned pages and its metadata names “Adobe Acrobat Pro DC 20 Paper Capture Plug-in” as the creating application.

To make sure that the PDF file is the cause, I sent several emails to myself with various PDF files attached. Any email that contains this specific PDF file causes a segfault once I click on it in the message list; all other emails with other PDF files display just fine.

It may well be that there is an issue with the PDF file, but an attachment should obviously not be able to crash the email application.

The PDF file contains private information, so I cannot add it as an attachment to this bug report.


I am running openSUSE Leap 15.1 with all currently available updates installed. The version numbers of the libraries involved in this issue are as follows:

- libopenjpeg: 1.5.2-lp151.3.3
- libpoppler73: 0.62.0-lp151.3.4
- KDE PIM: 18.12.3-lp151.3.1
- KDE Frameworks: 5.55.0
- Qt: 5.9.7

I attached the stack trace of the crash and will also attach a copy of the source code of the email with all private information removed.
Comment 1 Tobias Triffterer 2020-03-02 12:42:03 UTC
Created attachment 831688
Layout of the email causing the crash

Private information and content has been redacted.
Comment 2 Wolfgang Bauer 2020-04-02 09:22:50 UTC
Related upstream bug reports:
https://bugs.kde.org/show_bug.cgi?id=409001
https://bugs.kde.org/show_bug.cgi?id=414102

It (the kitinerary plugin in particular) does indeed try to extract some information from the attached PDF.

As a workaround, you can delete or rename the corresponding plugin, /usr/lib64/qt5/plugins/messageviewer/bodypartformatter/messageviewer_bodypartformatter_semantic.so

The actual bug/crash is actually in libpoppler or libopenjp2 though (likely quite specific to the versions used in Leap 15.1).
And we'd really need an email that triggers it to do anything here.

Newer kdepim versions use an external process for this, which should avoid kmail itself crashing. But there still would be a crash I suppose, and I'm not at all sure it can even be backported.
Comment 3 Wolfgang Bauer 2020-04-02 10:06:11 UTC
PS: I tend to think it's more a bug in libopenjp2 (openjpeg2000).
According to https://bugs.kde.org/show_bug.cgi?id=414102, the crash still happened on Leap 15.1 after upgrading the KDE/Qt packages and libpoppler to newer versions, while it doesn't happen on KDE Neon.

And Kubuntu 18.04 LTS (on which KDE Neon is based) does indeed contain some additional (security) patches/fixes in their openjpeg2 package, compared to Leap 15.1:
  * CVE-2017-17480: stack-based buffer overflow in the pgxtovolume function in
    jp3d/convert.c (Closes: #884738).
  * CVE-2018-14423: division-by-zero in pi_next_pcrl, pi_next_cprl, and
    pi_next_rpcl in lib/openjp3d/pi.c (Closes: #904873).
  * CVE-2018-18088: null pointer dereference in imagetopnm in jp2/convert.c
    (Closes: #910763).
  * CVE-2018-5785: integer overflow caused by an out-of-bounds left shift in the
    opj_j2k_setup_encoder function (openjp2/j2k.c) (Closes: #888533).
  * CVE-2018-6616: excessive iteration in the opj_t1_encode_cblks function of
    openjp2/t1.c (Closes: #889683).

So I think it would be a good idea trying to install the latest libopenjp2-7 package from the "graphics" project:
https://software.opensuse.org//download.html?project=graphics&package=openjpeg2
Does that fix the crash maybe?

I would try it myself, but I'd need an email to reproduce the crash in the first place...
Comment 4 Wolfgang Bauer 2020-04-05 12:10:22 UTC
I found another upstream bug report today, which does have a mail attached:
https://bugs.kde.org/show_bug.cgi?id=417979

I am able to reproduce the crash now.
Comment 5 Wolfgang Bauer 2020-04-06 17:42:49 UTC
Ok, so this is actually a linker problem, not a bug in the code.

The crash disappears if I run kmail like this:
LD_PRELOAD=/usr/lib64/libopenjp2.so.7 kmail

I noticed that the crash happens because some initialisation functions in libopenjp2 are not run even though libpoppler actually does call them. Apparently they are "shadowed" by some other library that's pulled in by something...

I'd say it's a clash between libopenjpeg1 and libopenjp2 (which do have functions with the same name AFAICS):
linux@linux-lf90:~> ldd /usr/bin/kmail | grep openjp
        libopenjpeg.so.1 => /usr/lib64/libopenjpeg.so.1 (0x00007f4a25784000)

AFAICT, libopenjpeg1 is pulled in by libavcodec57, which in turn is used by QtWebEngine... :-/
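A quick way to confirm the kind of symbol shadowing described in this comment is to compare the exported symbols of the two libraries. The following Python is added here as an illustration; it is not part of the bug thread or of any SUSE package. It parses `nm -D --defined-only` output (the sample output, addresses and symbol names are constructed, not taken from the real libraries) and reports every name defined in more than one library; `collect_nm` gathers real output when binutils is installed.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `nm -D --defined-only` output for two libraries whose
# exported function names overlap (hypothetical addresses and names).
SAMPLE_NM_OUTPUT = {
    "/usr/lib64/libopenjpeg.so.1": """\
0000000000006a10 T opj_create_decompress
0000000000006b40 T opj_destroy_decompress
0000000000007c20 T opj_set_event_mgr
0000000000009e00 T opj_version
""",
    "/usr/lib64/libopenjp2.so.7": """\
0000000000021f30 T opj_create_decompress
0000000000022a80 T opj_destroy_codec
0000000000023b10 T opj_set_event_mgr
0000000000024c50 T opj_version@@OPENJPEG_2.1
""",
}


def parse_nm_defined(text):
    """Return the set of defined, exported symbol names in `nm -D` output."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        # Defined symbols have three fields: address, type, name.
        # 'U' (undefined) and weak-undefined 'w'/'v' entries are skipped.
        if len(parts) != 3 or parts[1] in ("U", "w", "v"):
            continue
        names.add(parts[2].split("@")[0])  # drop any @@VERSION suffix
    return names


def find_symbol_clashes(nm_outputs):
    """Map each symbol exported by two or more libraries to those libraries.

    The dynamic linker binds a name to the first library in load order that
    defines it, so every entry returned here is a candidate for the shadowing
    seen in this bug (libopenjpeg.so.1 loaded ahead of libopenjp2.so.7).
    """
    owners = defaultdict(list)
    for lib, text in nm_outputs.items():
        for name in parse_nm_defined(text):
            owners[name].append(lib)
    return {n: sorted(libs) for n, libs in owners.items() if len(libs) > 1}


def collect_nm(paths):
    """Run `nm -D --defined-only` on real library paths (requires binutils)."""
    return {p: subprocess.run(["nm", "-D", "--defined-only", p],
                              capture_output=True, text=True, check=True).stdout
            for p in paths}
```

To check a running process rather than `ldd` output, the same function can be fed the libraries listed in /proc/PID/maps.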
Comment 6 Wolfgang Bauer 2020-04-07 07:47:44 UTC
Confirmed.
I rebuilt ffmpeg-3/libavcodec57 with libopenjp2, and that fixed the crash as well.

Although, I see at least two packages in Leap 15.1 that use both libavcodec57 and libopenjpeg1, and therefore might get broken then: blender and gpac

Maybe we should just disable poppler/PDF support in 15.1's kitinerary...

As that means disabling functionality, I'd like to hear other opinions though.

(although, users that want it can still install the versions from the KDE:* repos, and 15.2 will be released soon as well anyway)

Btw, the crash does not occur in newer versions, because they use an external executable for extraction, and that executable has far fewer dependencies. It doesn't load QtWebEngine in particular. (and ffmpeg-4 is actually built with libopenjp2 anyway, so Tumbleweed was never affected)
Comment 7 Swamp Workflow Management 2020-04-10 09:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1165440) was mentioned in
https://build.opensuse.org/request/show/792921 15.1+Backports:SLE-15-SP1 / kitinerary
Comment 8 Swamp Workflow Management 2020-04-15 01:13:30 UTC
openSUSE-RU-2020:0518-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1165440
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    kitinerary-18.12.3-lp151.2.4.1
openSUSE Backports SLE-15-SP1 (src):    kitinerary-18.12.3-bp151.3.3.1
Comment 9 Tobias Triffterer 2020-04-15 15:34:39 UTC
I installed the update openSUSE-2020-518 today and I can now view the e-mail in Kontact without any issues.

I want to thank everyone for the quick reaction on this bug report... :-)

I think the status of this bug report can now be set to “RESOLVED”.
Comment 10 Wolfgang Bauer 2020-04-17 10:57:54 UTC
Update released.