Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 489720 (CVE-2013-4473) - <app-text/poppler-0.24.3 : multiple vulnerabilities (CVE-2013-{4473,4474})
Summary: <app-text/poppler-0.24.3 : multiple vulnerabilities (CVE-2013-{4473,4474})
Status: RESOLVED FIXED
Alias: CVE-2013-4473
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 490022
Blocks:
  Show dependency tree
 
Reported: 2013-10-29 08:26 UTC by Agostino Sarubbo
Modified: 2014-01-21 19:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-10-29 08:26:37 UTC
> - Stack based buffer overflow, affecting poppler in the utils
> section (reported by Daniel Kahn Gillmor, fixed in poppler 0.24.2)

Please use CVE-2013-4473 for the Stack based buffer overflow

> - User controlled format string, affecting poppler in the utils 
> section (reported by Daniel Kahn Gillmor and Pedro Ribeiro, fixed
> in poppler 0.24.3)

Please use CVE-2013-4474 for the User controlled format string
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2013-10-29 08:56:43 UTC
Now this one will need a libreoffice-bin rebuild...
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2013-10-29 09:05:32 UTC
2.24.3 bumped
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 17:12:11 UTC
arches, please test and mark stable:

=app-text/poppler-2.24.3

target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2013-10-29 21:39:07 UTC
(In reply to Mikle Kolyada from comment #3)
> arches, please test and mark stable:
> 
> =app-text/poppler-2.24.3
> 
> target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

and its dependency 

=net-print/cups-filters-1.0.36-r1

same targets... (note, -r1 and NOT -r2 which requires newer gs)
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-31 15:55:29 UTC
amd64 / x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-01 14:38:21 UTC
*** Bug 490046 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2013-11-01 20:58:00 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-11-02 07:32:26 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-02 07:33:25 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-11-02 08:03:37 UTC
arm stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-02 16:24:23 UTC
Stable for HPPA.
Comment 12 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-11-03 00:31:45 UTC
Re-adding alpha/arm/ppc/ppc64 for cups-filters
Comment 13 Agostino Sarubbo gentoo-dev 2013-11-03 06:22:42 UTC
alpha stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-11-03 06:22:48 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-11-03 06:22:56 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-11-03 06:23:03 UTC
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-12 20:13:54 UTC
ia64 stable
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 11:12:57 UTC
CVE-2013-4474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4474):
  Format string vulnerability in the extractPages function in
  utils/pdfseparate.cc in poppler before 024.2 allows remote attackers to
  cause a denial of service (crash) via format string specifiers in a
  destination filename.

CVE-2013-4473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4473):
  Stack-based buffer overflow in the extractPages function in
  utils/pdfseparate.cc in poppler before 0.24.2 allows remote attackers to
  cause a denial of service (crash) and possibly execute arbitrary code via a
  source filename.
Comment 19 Agostino Sarubbo gentoo-dev 2013-12-17 15:02:56 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 20 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-17 17:07:08 UTC
glsa request filed
Comment 21 Andreas K. Hüttel archtester gentoo-dev 2013-12-17 17:27:55 UTC
All vulnerable versions have been removed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 19:31:39 UTC
This issue was resolved and addressed in
 GLSA 201401-21 at http://security.gentoo.org/glsa/glsa-201401-21.xml
by GLSA coordinator Sean Amoss (ackle).