| Field | Value |
|---|---|
| Summary | app-text/poppler < 0.6.1-r1 Multiple issues in XPDF code (CVE-2007-4352, CVE-2007-5392, CVE-2007-5393) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Assignee | Gentoo Security <security> |
| CC | aballier, magowiz, sven.koehler, tgurr |
| URL | http://secunia.com/advisories/27260/ |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 196673, 198238, 198409 |
| Bug Blocks | 176081 |
| Attachments | 134985 poppler-0.6.1-xpdf-3.02pl2.patch; 135418 xpdf-3.02pl2.patch |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2007-10-22 19:50:06 UTC
Created attachment 134985
poppler-0.6.1-xpdf-3.02pl2.patch
Patch provided by Derek B. Noonburg, recreated to apply to poppler 0.6.1.

Hi Stefan, if you want stable testing before the disclosure date please attach updated ebuilds to this bug. Do not commit anything yet.

Adding Timo as part of printing in case he wants to test this. Still, please do not commit anything.

Created attachment 135418
xpdf-3.02pl2.patch
The original xpdf patch against 3.02pl1.

Adding Alexis for tex.

This one is public now.

Do we have a list of affected packages?

From our embedded-copies list:

== XPDF ==
* app-text/poppler
* app-text/tetex
* app-text/cstetex
* app-text/ptex
* app-office/kword
* app-office/koffice
* kde-base/kpdf
* kde-base/kdegraphics

False positives:
* media-libs/libextractor: Since 0.5.12 libextractor is shipping its own PDF support and at least in 0.5.15 it is also enabled by default.
* net-print/cups: Uses poppler
* app-text/xpdf: Uses poppler
* gnustep-libs/pdfkit: removed
* gnustep-libs/imagekits: removed
* okular (kpdf in kde 4): Uses poppler

teTeX is being handled in bug 198238.

Fixed in:
- texlive-core-2007-r6
- tetex-3.0_p1-r5

For ptex, better ping cjk. For cstetex, I don't know; I've mailed the person who was helping us maintain it to know its status. If no answer I'll last-rite it.

The bugs blocking this one handle this issue in the packages mentioned in comment 7.

printing, any progress on poppler?

Fixed in poppler-0.6.1-r1, applies your attached patch.

Thanks, Timo. Arches, please test and mark stable app-text/poppler-0.6.1-r1.
Target keywords: "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Please do not mind the bugs blocking this one.

Don't forget app-text/poppler-bindings-0.6.1

x86 stable

Sparc stable for app-text/poppler-0.6.1-r1 and app-text/poppler-bindings-0.6.1.

ppc64 stable

Don't forget app-text/evince-2.20.1, because older versions break with the new poppler.

*** Bug 198616 has been marked as a duplicate of this bug. ***

ppc64 stable:
app-text/poppler-0.6.1-r1
app-text/poppler-bindings-0.6.1
app-text/evince-2.20.1

evince done for x86

Sparc done for evince-2.20.1

*** Bug 198706 has been marked as a duplicate of this bug. ***

amd64 done.

alpha/ia64 stable

Stable for HPPA.

Oh, I didn't do evince yet. Evince stable for HPPA too.

ppc stable - and from what I've heard the GLSA is coming soon ...

app-text/poppler-0.6.1-r1
app-text/poppler-bindings-0.6.1
app-text/evince-2.20.1
app-text/xpdf-3.02
The new one is xpdf here, because 3.01 gets broken with this new xpdf. Arches, please test and mark stable app-text/xpdf-3.02.
Target keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"
Already stabled: "x86"
Missing keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc"

Sparc stable for app-text/xpdf-3.02.

xpdf stable for ppc

Stable for HPPA.

ppc64 stable

amd64 stable for xpdf-3.02, shouldn't 176081 be marked as duplicate of this? confusing.

(In reply to comment #35)
> amd64 stable for xpdf-3.02, shouldn't 176081 be marked as duplicate of this?
> confusing.
Sorry, I accidentally did not remove arches from that bug. I'll leave it up to the assignee to close.

alpha/ia64 stable

back to [glsa]

GLSA 200711-22

Does not affect current (2008.0) release. Removing release.
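The thread above names the versions arches were asked to stabilize for this bug (poppler-0.6.1-r1, poppler-bindings-0.6.1, evince-2.20.1, xpdf-3.02, texlive-core-2007-r6, tetex-3.0_p1-r5). The script below is an added example, not part of this bug, the GLSA, or Gentoo's own tooling: it audits a list of installed `category/pkg-version` atoms against those versions. It assumes a simplified subset of Gentoo's version-comparison rules (dotted numerics compared as integers, an optional trailing letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes, `-rN` revisions) and uses a constructed installed-package listing in place of reading `/var/db/pkg`.

```python
"""Audit installed Gentoo atoms against the versions stabilized for this bug.

Added example; the FIXED table comes from the bug thread, the installed list
below is constructed, and version_key() implements only a subset of the
Package Manager Specification's ordering rules (see lead-in).
"""
import re

# Versions the thread asks arches to mark stable. The poppler-bindings and
# evince entries are the companions stabilized alongside the fix.
FIXED = {
    'app-text/poppler': '0.6.1-r1',
    'app-text/poppler-bindings': '0.6.1',
    'app-text/evince': '2.20.1',
    'app-text/xpdf': '3.02',
    'app-text/texlive-core': '2007-r6',
    'app-text/tetex': '3.0_p1-r5',
}

VERSION_RE = re.compile(
    r'^(?P<num>\d+(?:\.\d+)*)'
    r'(?P<letter>[a-z])?'
    r'(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)'
    r'(?:-r(?P<rev>\d+))?$'
)
# Ordering of suffixes; '' stands for "no suffix", which sorts between _rc and _p.
SUFFIX_ORDER = {'alpha': 0, 'beta': 1, 'pre': 2, 'rc': 3, '': 4, 'p': 5}


def version_key(ver):
    """Return a tuple that sorts like Gentoo versions (simplified rules)."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f'unsupported version string: {ver!r}')
    nums = tuple(int(x) for x in m.group('num').split('.'))
    letter = ord(m.group('letter')) if m.group('letter') else 0
    suffixes = [
        (SUFFIX_ORDER[name], int(digits or 0))
        for name, digits in re.findall(r'_([a-z]+)(\d*)', m.group('suffixes'))
    ]
    # Sentinel for "end of suffix list": makes 3.0_rc1 < 3.0 < 3.0_p1.
    suffixes.append((SUFFIX_ORDER[''], 0))
    rev = int(m.group('rev') or 0)
    return (nums, letter, tuple(suffixes), rev)


def atom_split(cpv):
    """Split 'category/pkg-version' into ('category/pkg', 'version').

    The version begins at the first '-' that is followed by a digit, which is
    what lets poppler-bindings-0.6.1 split correctly.
    """
    m = re.match(r'^(.+?)-(\d.*)$', cpv)
    if not m:
        raise ValueError(f'not a versioned atom: {cpv!r}')
    return m.group(1), m.group(2)


def audit(installed, fixed=FIXED):
    """Map each installed package from `fixed` that is too old to
    (installed_version, required_version)."""
    too_old = {}
    for cpv in installed:
        cp, ver = atom_split(cpv)
        if cp in fixed and version_key(ver) < version_key(fixed[cp]):
            too_old[cp] = (ver, fixed[cp])
    return too_old


# Constructed listing standing in for the directory names under /var/db/pkg.
SAMPLE_INSTALLED = [
    'app-text/poppler-0.6.1',
    'app-text/poppler-bindings-0.6.1',
    'app-text/evince-2.20.1',
    'app-text/xpdf-3.01',
    'app-text/tetex-3.0_p1-r3',
    'net-print/cups-1.2.12',
]

if __name__ == '__main__':
    for cp, (have, need) in sorted(audit(SAMPLE_INSTALLED).items()):
        print(f'{cp}: installed {have}, need >= {need}')
```

On a real system the listing can be built from the `category/pkg-version` directory names under `/var/db/pkg` (or from `qlist -Iv` in portage-utils). Note that a package recorded as a false positive above, such as net-print/cups, is deliberately absent from FIXED: it uses the system poppler rather than an embedded xpdf copy, so its own version is not what matters.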