188863 2007-08-14 17:09 0000 app-text/poppler < 0.5.4-r2 Vulnerablities in included Xpdf code (CVE-2007-3387) 2007-09-19 22:01:52 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387 B2 [glsa] P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org printing@gentoo.org jaervosz@gentoo.org 2007-08-14 17:09:02 0000 Integer overflow in the StreamPredictor::StreamPredictor function in gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4) kdegraphics, (5) CUPS, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file. genstef@gentoo.org 2007-08-22 21:22:07 0000 poppler-0.5.91 fixed this jaervosz@gentoo.org 2007-08-23 17:26:12 0000 Thx genstef. Arches please test and mark stable. Target keywords are: poppler-0.5.9-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd" jonas@chown.dk 2007-08-23 18:19:20 0000 Just did a sync and =app-text/poppler-0.5.9* (and =app-text/poppler-bindings-0.5.9*) is still en package.mask. Should it not be removed from package.mask? jer@gentoo.org 2007-08-23 18:22:36 0000 Stable for HPPA. genstef@gentoo.org 2007-08-23 19:06:54 0000 I put in an backported ebuild in for stabling: poppler-0.5.4-r2 0.5.91 is a hard masked release candidate, please do not stable it jaervosz@gentoo.org 2007-08-24 06:09:31 0000 Sorry I thought it was ready for stable marking and thanks for backporting. fauli@gentoo.org 2007-08-24 07:31:54 0000 x86 stable gustavoz@gentoo.org 2007-08-24 13:14:27 0000 sparc stable. jer@gentoo.org 2007-08-24 14:22:14 0000 Stable for HPPA again. armin76@gentoo.org 2007-08-24 17:19:19 0000 alpha/ia64 stable jonas@chown.dk 2007-08-25 18:15:36 0000 app-text/poppler-0.5.4-r2 USE="jpeg zlib -cjk" 1. Emerges on AMD64. 2. No collisions etc. 3. Works on AMD64. Can still view PDF documents with viewers depending on poppler. Please mark stable on AMD64. Portage 2.1.2.11 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64) ================================================================= System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz Gentoo Base System release 1.12.9 Timestamp of tree: Fri, 24 Aug 2007 21:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.4 [enabled] dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r4 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.17 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.21 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://ftp.du.se/pub/os/gentoo http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo" LC_ALL="en_DK.utf8" MAKEOPTS="-j6" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS dertobi123@gentoo.org 2007-08-28 19:37:17 0000 ppc stable angelos@gentoo.org 2007-08-28 20:07:14 0000 amd64 stable corsair@gentoo.org 2007-08-29 10:15:53 0000 ppc64 stable py@gentoo.org 2007-08-29 12:46:26 0000 unless I missed something, this is clearly remote exec of code with user help, so B2. GLSA request filed. falco@gentoo.org 2007-09-15 22:58:43 0000 just for a reminder for future usages. These packages include the vulnerable piece of code: app-text/xpdf #185225 media-libs/libextractor #192636 app-office/{koffice,kword} #187139 kde-base/{kdegraphics,kpdf} #187139 app-text/tetex #188172 gnustep-libs/pdfkit #188185 net-print/cups #188861 rbu@gentoo.org 2007-09-16 04:20:02 0000 (In reply to comment #16) > media-libs/libextractor #192636 Only in versions <= 0.5.12. After that, it is built with --disable-xpdf by default. falco@gentoo.org 2007-09-19 22:01:52 0000 GLSA 200709-12, sorry for the delay