Manipulation of encrypted text allows plaintext recovery
We would like to share information regarding vulnerabilities in the PDF specification which probably also impact poppler.
Before sharing additional details (including the vulnerability report and exploits) we would like to make sure that this issue is not public. When creating the issue we checked the box which says "This issue is confidential and should only be visible to team members with at least Reporter access". However, when logging into gitlab.freedesktop.org for the first time we were prompted with a text including "This site and all other freedesktop.org services provide public forums: anything you publish here will be visible to anyone on the internet." Could you please confirm that the information shared in this issue is indeed not public and restricted in its visibility? Thank you.
Edit:
The attached PDFs exploit the vulnerabilities for Evince v3.22.1 and v3.32.0 (exploits_evince.tgz) and Okular v0.26.1 and v1.7.3 (exploits_okular.tgz). The password for the encrypted PDF files is 'pass'. Since Evince and Okular use poppler, this might be of interest for poppler as well regarding the implementation of countermeasures. Maintainers of both Okular and Evince agreed to share the details regarding Okular and Evince, respectively, with poppler.
SUMMARY
The attached report (report_okular_evince.pdf) analyzes PDF encryption and shows two novel techniques for breaking the confidentiality of encrypted documents. Note that there is a typo in the report: Evince v3.22.1 (as stated above), not v3.2.11, is affected. Also note that in addition to the versions mentioned in the report, Okular v1.7.3 and Evince v3.32.0 (as mentioned above) are vulnerable to the same vulnerabilities as described in the report.
Firstly, the PDF feature of partially encrypted documents is abused to wrap the encrypted part of the document within attacker-controlled content and thereby exfiltrate the plaintext once the document is opened by a legitimate user. Secondly, abusing a flaw in the PDF encryption specification allows an attacker to arbitrarily manipulate encrypted content without knowing the corresponding key/password. The only requirement is a single block of known plaintext, which is fulfilled by design. By using exfiltration channels, the attacks allow the recovery of the entire plaintext of an encrypted document or parts of it. The attacks rely only on standard-compliant PDF features. The attacks described have been validated against widely used PDF viewers, proving many of them vulnerable.
Workarounds in the various implementations may provide a short-term countermeasure. Adequate countermeasures need to be included as part of upcoming specifications instead. Therefore the issue has been escalated to the ISO working group on Crypto and Signatures and will be taken up in the next revision of the PDF spec.
Disclosure is currently planned for the end of August 2019. Please refrain from publishing any details before that date.
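Editor's note, added to this page and not part of the issue report, the attached report, or poppler's code: the second technique in the summary above rests on a generic property of CBC mode, and the following stand-alone example shows the primitive. Given one ciphertext block C_k whose plaintext P_k is known, the attacker learns D_K(C_k) = P_k XOR C_{k-1} without the key and can then emit two-block "gadgets" [D_K(C_k) XOR X, C_k] that decrypt to [garbage, X] for any chosen X; because the IV is also attacker-controlled, the very first gadget needs no garbage block at all. The block cipher here is a small HMAC-SHA256 Feistel network standing in for AES, since the attack does not depend on the cipher; the key never leaves the "victim" side. The content and position of the known block are constructed assumptions for the demo, as are the sample plaintext and target blocks; which block is known "by design" in a real PDF is something the attached report, not this page, spells out.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as for AES-CBC in PDF


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher (stand-in for AES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "demo uses whole blocks, no padding"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))  # P_i = D(C_i) XOR C_{i-1}
        prev = c
    return b"".join(out)


def forge_cbc(iv: bytes, ciphertext: bytes, known_index: int,
              known_plain: bytes, targets: list) -> tuple:
    """Attacker side: no key. Returns (forged_iv, forged_ciphertext) that the
    victim's CBC decryption turns into targets[0], garbage, targets[1],
    garbage, targets[2], ... using only the one known plaintext block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    prev = iv if known_index == 0 else blocks[known_index - 1]
    known_cipher = blocks[known_index]
    dec_known = _xor(known_plain, prev)  # equals D_K(known_cipher), recovered without K
    forged_iv = _xor(dec_known, targets[0])  # first block: D(C_k) XOR IV' = targets[0]
    forged = [known_cipher]
    for t in targets[1:]:
        forged.append(_xor(dec_known, t))  # decrypts to garbage (uncontrolled)
        forged.append(known_cipher)        # decrypts to t
    return forged_iv, b"".join(forged)


def demo() -> list:
    """Victim encrypts; attacker knows only block 0's plaintext (assumption)."""
    key = os.urandom(16)  # victim's file key, never seen by the attacker
    iv = os.urandom(BLOCK)
    secret = b"/Type /Catalog  " + b"top secret text " + b"more secret text"  # constructed
    ct = cbc_encrypt(key, iv, secret)
    known_plain = secret[:BLOCK]  # the single known block; position 0 (assumption)
    targets = [b"<</Length 32>>  ", b"stream          ", b"(attacker text) "]  # constructed
    forged_iv, forged_ct = forge_cbc(iv, ct, 0, known_plain, targets)
    pt = cbc_decrypt(key, forged_iv, forged_ct)  # victim decrypts the manipulated data
    return [pt[i:i + BLOCK] for i in range(0, len(pt), BLOCK)]


if __name__ == "__main__":
    for i, b in enumerate(demo()):
        print(i, "chosen " if i % 2 == 0 else "garbage", b)
```

Blocks 0, 2 and 4 of the victim's decryption are exactly the attacker's chosen text; blocks 1 and 3 are the unavoidable garbage from the gadget construction, which is why the technique only works where the consuming parser tolerates or ignores those bytes. Note that this is a confidentiality failure caused by missing integrity protection: an authenticated mode, or a MAC over the ciphertext checked before decryption, defeats the forgery regardless of how much plaintext is known.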