Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 674666 (CVE-2018-20650)

Summary: <app-text/poppler-0.73.0: a reachable abort in FileSpec::FileSpec in FileSpec.cc
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: kde, printing, reavertm
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.freedesktop.org/poppler/poppler/issues/704
Whiteboard: B3 [noglsa cve]
Package list:
app-text/poppler-0.74.0
 Runtime testing required: ---
Bug Depends on: 674814, 675446, 675660, 676956, 676960    
Bug Blocks: 670880, 670920, 673860, 677278    

Description D'juan McDonald (domhnall) 2019-01-06 11:05:12 UTC 
(https://nvd.nist.gov/vuln/detail/CVE-2018-20650):
A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.

Upstream Patch: https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7


Gentoo Security Padawan
(domhnall)
Comment 1 Andreas Sturmlechner gentoo-dev 2019-01-17 01:28:29 UTC 
We'll use this one for stabilisation
Comment 2 Andreas Sturmlechner gentoo-dev 2019-02-08 22:20:42 UTC 
Bumping to app-text/poppler-0.74.0.
Comment 3 Andreas Sturmlechner gentoo-dev 2019-02-21 12:10:32 UTC 
Arches, please stabilise!
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-22 10:27:24 UTC 
amd64 stable
Comment 5 Mart Raudsepp gentoo-dev 2019-02-22 18:23:51 UTC 
arm64 stable
Comment 6 Rolf Eike Beer archtester 2019-02-22 20:26:32 UTC 
sparc stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 20:51:28 UTC 
hppa stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 21:00:18 UTC 
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-23 21:02:39 UTC 
ppc stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-24 19:02:10 UTC 
x86 stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-28 15:24:04 UTC 
arm stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-02 16:32:10 UTC 
alpha stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-02 16:32:31 UTC 
s390 stable
Comment 14 Matt Turner gentoo-dev 2019-03-02 20:04:17 UTC 
ia64 stable. all arches stable
Comment 15 Larry the Git Cow gentoo-dev 2019-03-02 20:29:04 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=645f5890750786bb8d3853c2746d9955a92096e5

commit 645f5890750786bb8d3853c2746d9955a92096e5
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-03-02 20:21:08 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-03-02 20:21:08 +0000

    app-text/poppler: Security cleanup
    
    Bug: https://bugs.gentoo.org/674666
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 app-text/poppler/Manifest                        |   4 -
 app-text/poppler/files/poppler-0.68.0-bool.patch |  36 -------
 app-text/poppler/poppler-0.68.0.ebuild           | 127 -----------------------
 app-text/poppler/poppler-0.71.0.ebuild           | 127 -----------------------
 app-text/poppler/poppler-0.72.0.ebuild           | 127 -----------------------
 app-text/poppler/poppler-0.73.0.ebuild           | 127 -----------------------
 6 files changed, 548 deletions(-)
Comment 16 Andreas Sturmlechner gentoo-dev 2019-03-02 20:33:36 UTC 
Security, please proceed.