Bug 459866 (CVE-2013-1788)

Comment 1 Andreas K. Hüttel 2013-03-10 12:54:06 UTC

All consumers fixed to build, poppler-0.22 unmasked. Let's give this a while in testing and then stabilize.

Comment 2 Andreas K. Hüttel 2013-03-17 10:54:48 UTC

Arches please stabilize app-text/poppler-0.22.2-r1

Target:
"alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 3 Agostino Sarubbo 2013-03-17 13:40:51 UTC

(In reply to comment #2)
> Arches please stabilize app-text/poppler-0.22.2-r1
> 
> Target:
> "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

=dev-tex/luatex-0.70.1-r2 should be stabilized at same time.

Comment 4 Agostino Sarubbo 2013-03-17 13:48:06 UTC

amd64 stable

Comment 5 Agostino Sarubbo 2013-03-17 13:48:48 UTC

x86 stable

Comment 6 Agostino Sarubbo 2013-03-17 15:58:54 UTC

arm stable

Comment 7 Agostino Sarubbo 2013-03-17 16:03:15 UTC

sparc stable

Comment 8 Andreas K. Hüttel 2013-03-18 08:16:04 UTC

Arches please wait. This needs reavertm's agreement first.

this broke stable app-text/evince-2.32.0-r4

Comment 10 Andreas K. Hüttel 2013-03-20 23:19:42 UTC

(In reply to comment #9)
> this broke stable app-text/evince-2.32.0-r4

Sorry about that, glib backend was b0rken. This should be fixed in -r2 now.

Arches please fast-stabilize app-text/poppler-0.22.2-r2

Target:
"alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 11 Jeroen Roovers (RETIRED) 2013-03-21 16:01:08 UTC

Stable for HPPA.

Comment 12 Andreas K. Hüttel 2013-03-22 13:23:04 UTC

(In reply to comment #11)
> Stable for HPPA.

Sorry for the confusion- jer, please stable -0.22.2-r2 too (so I can remove -r1 when all arches are done).

Comment 13 Agostino Sarubbo 2013-03-22 16:19:11 UTC

amd64 stable

Comment 14 Agostino Sarubbo 2013-03-22 16:21:53 UTC

x86 stable

Comment 15 Agostino Sarubbo 2013-03-22 17:29:09 UTC

ppc stable

Comment 16 Jeroen Roovers (RETIRED) 2013-03-22 17:42:27 UTC

Stable for HPPA.

Comment 17 Agostino Sarubbo 2013-03-23 09:58:13 UTC

ppc64 stable

Comment 18 Agostino Sarubbo 2013-03-23 12:55:03 UTC

arm stable

Comment 19 Agostino Sarubbo 2013-03-23 13:36:45 UTC

alpha stable

Comment 20 Agostino Sarubbo 2013-03-31 11:17:53 UTC

sh stable

Comment 21 Agostino Sarubbo 2013-04-01 19:46:19 UTC

ia64 stable

Comment 22 Agostino Sarubbo 2013-04-02 10:57:18 UTC

sparc stable

Comment 23 Agostino Sarubbo 2013-04-02 13:21:07 UTC

s390 stable

Comment 24 GLSAMaker/CVETool Bot 2013-04-11 17:00:04 UTC

CVE-2013-1790 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1790):
  poppler/Stream.cc in poppler before 0.22.1 allows context-dependent
  attackers to have an unspecified impact via vectors that trigger a read of
  uninitialized memory by the CCITTFaxStream::lookChar function.

CVE-2013-1789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1789):
  splash/Splash.cc in poppler before 0.22.1 allows context-dependent attackers
  to cause a denial of service (NULL pointer dereference and crash) via
  vectors related to the (1) Splash::arbitraryTransformMask, (2)
  Splash::blitMask, and (3) Splash::scaleMaskYuXu functions.

CVE-2013-1788 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1788):
  poppler before 0.22.1 allows context-dependent attackers to cause a denial
  of service (crash) and possibly execute arbitrary code via vectors that
  trigger an "invalid memory access" in (1) splash/Splash.cc, (2)
  poppler/Function.cc, and (3) poppler/Stream.cc.

Comment 25 Andreas K. Hüttel 2013-04-11 17:17:32 UTC

All affected versions removed from the tree. Thanks everyone.

Comment 26 Sean Amoss (RETIRED) 2013-04-20 13:33:27 UTC

Already on existing GLSA draft.

Comment 27 GLSAMaker/CVETool Bot 2013-10-06 16:08:44 UTC

This issue was resolved and addressed in
 GLSA 201310-03 at http://security.gentoo.org/glsa/glsa-201310-03.xml
by GLSA coordinator Sean Amoss (ackle).