Bug 120985 - app-text/{poppler|xpdf} second Xpdf round this year aka splash handling heap overflow (CVE-2006-0301)
Bug#: 120985 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179046
Status Whiteboard: B2 [glsa] jaervosz
Opened: 2006-01-30 14:21 0000
Description:
PDF splash handling heap overflow

Dirk Mueller told vendor-sec about a buffer overflow issue in the xpdf
codebase when handling splash images.

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-01-30 14:26:11 0000 -------
Printing/Gnome please provide updated ebuild.

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-01-31 02:37:24 0000 -------
Further details here:

https://bugzilla.novell.com/show_bug.cgi?id=141242

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-01-31 02:39:12 0000 -------
*** Bug 120451 has been marked as a duplicate of this bug. ***

------- Comment #4 From Stefan Schweizer 2006-02-03 11:14:02 0000 -------
latest kpdf-3.5.1 uses poppler now thanks to flameeyes

the bug was fixed in poppler-0.5.0-r3

and gpdf users should upgrade to evince which uses kpdf ;)

For xpdf I think we should patch it to use poppler, because no one of printing
cares about it.

------- Comment #5 From Stefan Schweizer 2006-02-03 15:43:20 0000 -------
gpdf seems to have been fixed independently.

poppler has been fixed for this bug.
xpdf has been fixed for this bug.

app-text/poppler-0.5.0-r4
and
app-text/xpdf-3.01-r7
need to go stable for this bug.

------- Comment #6 From Sune Kloppenborg Jeppesen 2006-02-04 00:50:43 0000 -------
Gpdf is not fixed. Handling it on bug #120985 to start stable marking here.

Arches please test and mark stable.

------- Comment #7 From René Nussbaumer 2006-02-04 08:19:24 0000 -------
Stable on hppa. There's a depends problem with ~s390 while committing xpdf.

------- Comment #8 From Sune Kloppenborg Jeppesen 2006-02-04 10:42:39 0000 -------
Sorry, correct gpdf bug #121511

------- Comment #9 From Stefan Schweizer 2006-02-04 17:04:01 0000 -------
Please also mark poppler-bindings-0.5.0 stable, both poppler and
poppler-bindings should have the same stable-version.
List of what needs to go stable:

app-text/poppler-0.5.0-r4
app-text/poppler-bindings-0.5.0
app-text/xpdf-3.01-r7

------- Comment #10 From Jason Wever (RETIRED) 2006-02-04 18:05:25 0000 -------
Packages in comment #9 stable on SPARC.

------- Comment #11 From Simon Stelling (RETIRED) 2006-02-05 02:54:18 0000 -------
all three stable on amd64

------- Comment #12 From Jose Luis Rivero (yoswink) 2006-02-05 08:41:24 0000 -------
alpha stable

------- Comment #13 From Tobias Scherbaum 2006-02-05 11:44:33 0000 -------
ppc stable

------- Comment #14 From Markus Rothe 2006-02-05 23:41:56 0000 -------
stable on ppc64

------- Comment #15 From Mark Loeser 2006-02-06 05:59:05 0000 -------
x86 done

------- Comment #16 From Jeroen Roovers 2006-02-08 19:29:30 0000 -------
(In reply to comment #9)
> Please also mark poppler-bindings-0.5.0 stable, both poppler and
> poppler-bindings should have the same stable-version.
> List of what needs to go stable:
> 
> app-text/poppler-0.5.0-r4
> app-text/poppler-bindings-0.5.0
> app-text/xpdf-3.01-r7

Readding hppa. :-\

------- Comment #17 From René Nussbaumer 2006-02-09 02:13:10 0000 -------
Also stabilized poppler-bindings. hppa was not readded by the bug change,
so there is this delay.

------- Comment #18 From Thierry Carrez (RETIRED) 2006-02-12 09:40:35 0000 -------
GLSA 200602-04