622430 – (CVE-2017-9406, CVE-2017-9408) <app-text/poppler-0.55.0: Multiple Vulnerabilities (CVE-2017-{9406,9408})

Bug 622430 (CVE-2017-9406, CVE-2017-9408) - <app-text/poppler-0.55.0: Multiple Vulnerabilities (CVE-2017-{9406,9408})

Summary: <app-text/poppler-0.55.0: Multiple Vulnerabilities (CVE-2017-{9406,9408})

Status:	RESOLVED FIXED

Alias:	CVE-2017-9406, CVE-2017-9408

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	A3 [glsa+ cve]
Keywords:

Depends on:	CVE-2017-9865
Blocks:
	Show dependency tree

Reported:	2017-06-21 22:42 UTC by Volkan
Modified:	2018-01-17 13:43 UTC (History)
CC List:	3 users (show)

See Also:	https://bugs.freedesktop.org/show_bug.cgi?id=100776 https://bugs.freedesktop.org/show_bug.cgi?id=100775
Package list:	app-text/poppler-0.56.0
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Volkan 2017-06-21 22:42:02 UTC

CVE-2017-9408 
A memory leak vulnerability was found in poppler in the function Object::initArray in Object.cc, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://bugs.freedesktop.org/show_bug.cgi?id=100776

CVE-2017-9406 
A memory leak vulnerability was found in poppler in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://bugs.freedesktop.org/show_bug.cgi?id=100775

Comment 1 Agostino Sarubbo gentoo-dev

2017-06-22 07:50:38 UTC

For the record:
https://github.com/ImageMagick/ImageMagick/issues/462#issuecomment-298251168

Comment 2 Manuel Rüger (RETIRED) gentoo-dev

2017-06-22 11:56:26 UTC

These have been addressed in 0.56.0, which is available in tree.

There's another fix https://cgit.freedesktop.org/poppler/poppler/commit/?id=3a2759aa2a98c2157cb35731b95e393b8882f8d3 but that seems to point to a wrong CVE.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-06-28 11:58:32 UTC

@ Maintainer(s): Can we start stabilization of =app-text/poppler-0.56.0?

Comment 4 Michael Palimaka (kensington) gentoo-dev

2017-08-09 12:00:33 UTC

(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): Can we start stabilization of =app-text/poppler-0.56.0?

I'm suggesting we move forward with 0.57.0 in bug #627390.

Comment 5 Yury German Gentoo Infrastructure

2017-08-10 07:18:14 UTC

Setting dependency as per suggestion

Comment 6 Michael Palimaka (kensington) gentoo-dev

2017-10-01 11:53:33 UTC

These were actually fixed in 0.55

Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-11-24 14:31:25 UTC

Added to existing GLSA

Comment 8 Andreas Sturmlechner gentoo-dev

2017-11-24 19:34:24 UTC

KDE work done.

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2018-01-17 13:43:23 UTC

This issue was resolved and addressed in
 GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17
by GLSA coordinator Aaron Bauman (b-man).