See bug 144428 for details. CUPS is traditionally affected by the same flaws so this bug will track it.
cups < cups-1.1.23-r3 is vulnerable. Starting with -r3, we disable the internal xpdf and use the xpdf package, so the fix for xpdf will be sufficient for cups. Therefore, at least -r3 needs to go stable (preferably -r4, since that has other fixes). Target keywords: alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86
Daniel, good move, wish all other packages bundling xpdf could do the same :-) Arches please test and mark stable. Note: It's bug #114428 and not the one reported above.
amd64 done.
1.1.23-r4 sparc stable.
1.1.23-r4 stable on ppc64.
hppa, ppc done
Alpha done
x86 done
While I am all for security, this action makes cups dependent on x11-libs/libXt (via xpdf). I enjoy running my server with cups and without X11 related packages. Is there any way we can solve this?
GLSA 200512-08 First round done. ia64, mips, s390, sh don't forget to mark stable to benefit from the GLSA.
About comment #9, adding -motif to xpdf in package.use might prevent bringing X deps in. In the event it doesn't solve it, please open a separate (non-security) bug so that xpdf/CUPS maintainers can solve the problem.
-motif worked. Sorry for posting in the wrong section.
There is a bit of a conflict for me. emerge kpdf and cups. Kpdf wants poppler and cups wants xpdf but I cannot install poppler and xpdf at the same time.
Joshua, currently non X applications are moving towards depending on poppler instead of xpdf. At the moment stable is broken, but the printing herd is working to get this fixed.
You *can* install poppler and xpdf at the same time. New poppler blocks old xpdf. Unmerge xpdf, and let its deps pull it back in, and all should be fine.