Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 645868 (CVE-2017-1000456) - <app-text/poppler-0.61.0: Invalid read causes crash and can lead to overflow in subsequent calculations (CVE-2017-1000456)
Summary: <app-text/poppler-0.61.0: Invalid read causes crash and can lead to overflow ...
Status: RESOLVED FIXED
Alias: CVE-2017-1000456
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2017-14975, CVE-2017-14976, CVE-2017-14977
Blocks:
  Show dependency tree
 
Reported: 2018-01-27 01:32 UTC by Ian Zimmerman
Modified: 2018-04-08 14:27 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2018-01-27 01:32:00 UTC
According to the RedHat summary [1]:

libpoppler in poppler version 0.60.1 is vulnerable to an invalid read and subsequent crash when parsing a specially crafted PDF. The invalid read is caused by incorrect boundary validation in TextOutputDev.cc:TextPool::addWord(), leading to overflow in subsequent calculations.

(I checked and it is present in the gentoo stable version, which is 0.57.0-r1.)

Upstream patch at [2], needs massaging for gentoo stable version.

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000456

[2]
https://cgit.freedesktop.org/poppler/poppler/commit/?id=7ee9dadef37b20bca707a6b1e858e17d191e368b


Reproducible: Always
Comment 1 Andreas Sturmlechner gentoo-dev 2018-04-07 15:43:11 UTC
Cleanup done, security, please proceed.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 14:27:19 UTC
This issue was resolved and addressed in
 GLSA 201804-03 at https://security.gentoo.org/glsa/201804-03
by GLSA coordinator Aaron Bauman (b-man).