libextractor uses vulnerable xpdf code and needs updating. see, https://bugs.gentoo.org/show_bug.cgi?id=187139
CC'ing maintainer and setting whiteboard status
See bug 185225 for a patch for the xpdf code.
Adding CVE number
This is not an issue. Since 0.5.12 libextractor is shipping its own PDF support and at least in 0.5.15 it is also enabled by default: checking whether to enable xpdf-based extractor... no net-p2p, could you please make sure this setting is forced in case the defaults change - by adding --disable-xpdf to configure? Thanks.
Reassigning to maintainers.
*** Bug 192636 has been marked as a duplicate of this bug. ***
--disable-xpdf added. Thanks Matt and Robert.