Bugzilla Bug 188863

Integer overflow in the StreamPredictor::StreamPredictor function in gpdf
before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4) kdegraphics, (5)
CUPS, and other products, might allow remote attackers to execute arbitrary
code via a crafted PDF file.

poppler-0.5.91 fixed this

Thx genstef.

Arches please test and mark stable. Target keywords are:

poppler-0.5.9-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc
ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"

Just did a sync and =app-text/poppler-0.5.9* (and
=app-text/poppler-bindings-0.5.9*) is still en package.mask. Should it not be
removed from package.mask?

Stable for HPPA.

I put in an backported ebuild in for stabling: poppler-0.5.4-r2

0.5.91 is a hard masked release candidate, please do not stable it

Sorry I thought it was ready for stable marking and thanks for backporting.

x86 stable

sparc stable.

Stable for HPPA again.

alpha/ia64 stable

app-text/poppler-0.5.4-r2  USE="jpeg zlib -cjk"

1. Emerges on AMD64. 
2. No collisions etc. 
3. Works on AMD64. Can still view PDF documents with viewers depending on
poppler. 

Please mark stable on AMD64. 

Portage 2.1.2.11 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4,
2.6.22-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 24 Aug 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer
multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/
http://ftp.du.se/pub/os/gentoo http://trumpetti.atm.tut.fi/gentoo/
http://ftp.snt.utwente.nl/pub/os/linux/gentoo
http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts
cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread
eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2
gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos
lm_sensors mad midi mikmod mjpeg mmx mozilla mp3 mpeg mplayer msn mudflap
ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png
ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl
session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype
truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv
xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci
emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m
maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

ppc stable

amd64 stable

ppc64 stable

unless I missed something, this is clearly remote exec of code with user help,
so B2. GLSA request filed.

just for a reminder for future usages.

These packages include the vulnerable piece of code:

app-text/xpdf #185225
media-libs/libextractor #192636
app-office/{koffice,kword} #187139
kde-base/{kdegraphics,kpdf} #187139
app-text/tetex #188172
gnustep-libs/pdfkit #188185
net-print/cups #188861

(In reply to comment #16)
> media-libs/libextractor #192636
Only in versions <= 0.5.12. After that, it is built with --disable-xpdf by
default.

GLSA 200709-12, sorry for the delay