Bug 542220 - <app-text/poppler-0.32.0: segmentation fault in XRef::getEntry at XRef.cc:1317
Summary: <app-text/poppler-0.32.0: segmentation fault in XRef::getEntry at XRef.cc:1317
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on: 545600 545680
Blocks:
Reported: 2015-03-05 07:54 UTC by Agostino Sarubbo
Modified: 2016-11-22 12:42 UTC (History)
Description Agostino Sarubbo gentoo-dev 2015-03-05 07:54:32 UTC
From ${URL}:

Segmentation fault found on poppler via fuzzed PDF input file. Reported to
Debian bug tracking system as:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779699


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2015-03-05 09:02:24 UTC
Fixed since 0.28.0, http://cgit.freedesktop.org/poppler/poppler/commit/?id=d6ea8acbb348fdb43601a963ba5407e933565003

I'd prefer to wait for 0.32.0 (to be released today?) for a sec stabilization since that includes more fuzzing fixes.
Comment 2 Adrian Bassett 2015-03-12 09:37:29 UTC
(In reply to Andreas K. Hüttel from comment #1)
> Fixed since 0.28.0,
> http://cgit.freedesktop.org/poppler/poppler/commit/
> ?id=d6ea8acbb348fdb43601a963ba5407e933565003
> 
> I'd prefer to wait for 0.32.0 (to be released today?) for a sec
> stabilization since that includes more fuzzing fixes.

I'm sure you know but (http://poppler.freedesktop.org/ (viewed today)):

The latest stable release is poppler-0.32.0.tar.xz, released on March 7, 2015:

        core:
         * Annotations: Fix rendering of empty BG/BC arrays
         * Splash: Fix wrong colour shown when GouraudTriangleShFill uses a DeviceN colorspace. Bug #89182
         * Splash: Fix use of uninitialized variable in Splash::pipeRun
         * Remove unnecessary check for font validity. Bug #88939
         * Small optimization in GooString::appendfv(). Bug #89096
         * Fix crashes in malformed files

        utils:
         * pdftops: Make colorspace optimization an option instead of default
         * pdfseparate: always use a unique PDFDoc instance for savePageAs

        build system:
         * cmake: If extra-cmake-modules is around include the Sanitizers module
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2015-03-14 19:16:18 UTC
(In reply to Andreas K. Hüttel from comment #1)
> Fixed since 0.28.0,
> http://cgit.freedesktop.org/poppler/poppler/commit/
> ?id=d6ea8acbb348fdb43601a963ba5407e933565003
> 
> I'd prefer to wait for 0.32.0 (to be released today?) for a sec
> stabilization since that includes more fuzzing fixes.

It's been bumped in the meantime. We can wait a few more days and then stabilize 0.32.0
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2015-03-20 15:30:40 UTC
We need feedback on bug 540132. Once that is handled somehow, we can stabilize

app-text/poppler-0.32.0
app-office/libreoffice-bin-4.3.5.2-r1
app-office/libreoffice-bin-debug-4.3.5.2-r1
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2015-04-04 13:05:53 UTC
Calling a maintainer timeout on the blocker bugs. Arches please stabilize:

Target: ppc64
sci-libs/ogdi-3.2.0_beta2    (bug 413635)

Target: amd64 ppc ppc64 x86
sci-libs/gdal-1.11.1-r3    (bug 540132)

Target: all stable arches
app-text/poppler-0.32.0

Target: amd64 x86
app-office/libreoffice-bin-4.3.5.2-r1
app-office/libreoffice-bin-debug-4.3.5.2-r1
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2015-04-04 20:28:42 UTC
(In reply to Andreas K. Hüttel from comment #5)
> Calling a maintainer timeout on the blocker bugs. Arches please stabilize:
> 
> Target: ppc64
> sci-libs/ogdi-3.2.0_beta2    (bug 413635)
> 
> Target: amd64 ppc ppc64 x86
> sci-libs/gdal-1.11.1-r3    (bug 540132)
> 
> Target: all stable arches
> app-text/poppler-0.32.0
> 
> Target: amd64 x86
> app-office/libreoffice-bin-4.3.5.2-r1
> app-office/libreoffice-bin-debug-4.3.5.2-r1
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-04-04 21:04:02 UTC
amd64 stable
Comment 8 Mike Limansky 2015-04-05 15:08:42 UTC
(In reply to Mikle Kolyada from comment #7)
> amd64 stable

This breaks current stable inkscape (bug 545600). Is it possible to stabilize media-gfx/inkscape-0.48.5-r1 as well?
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-07 05:32:40 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-09 07:19:26 UTC
x86 stable
Comment 11 Markus Meier gentoo-dev 2015-04-09 20:49:04 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-04-13 09:45:57 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-04-14 12:33:41 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-04-17 12:46:03 UTC
ppc64 stable
Comment 15 Pacho Ramos gentoo-dev 2015-04-21 18:43:54 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-04-29 09:19:09 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 17 Andreas K. Hüttel archtester gentoo-dev 2015-05-18 11:19:18 UTC
Cleanup done
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 14:36:55 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2016-11-22 11:38:46 UTC
This issue was resolved and addressed in GLSA 201611-15 at https://security.gentoo.org/glsa/201611-15 by GLSA coordinator Aaron Bauman (b-man).