Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 489720 (CVE-2013-4473)

Summary: <app-text/poppler-0.24.3 : multiple vulnerabilities (CVE-2013-{4473,4474})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: reavertm, stephan.litterst
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/10/29/1
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 490022    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-10-29 08:26:37 UTC 
> - Stack based buffer overflow, affecting poppler in the utils
> section (reported by Daniel Kahn Gillmor, fixed in poppler 0.24.2)

Please use CVE-2013-4473 for the Stack based buffer overflow

> - User controlled format string, affecting poppler in the utils 
> section (reported by Daniel Kahn Gillmor and Pedro Ribeiro, fixed
> in poppler 0.24.3)

Please use CVE-2013-4474 for the User controlled format string
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2013-10-29 08:56:43 UTC 
Now this one will need a libreoffice-bin rebuild...
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2013-10-29 09:05:32 UTC 
2.24.3 bumped
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-29 17:12:11 UTC 
arches, please test and mark stable:

=app-text/poppler-2.24.3

target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2013-10-29 21:39:07 UTC 
(In reply to Mikle Kolyada from comment #3)
> arches, please test and mark stable:
> 
> =app-text/poppler-2.24.3
> 
> target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

and its dependency 

=net-print/cups-filters-1.0.36-r1

same targets... (note, -r1 and NOT -r2 which requires newer gs)
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-31 15:55:29 UTC 
amd64 / x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-01 14:38:21 UTC 
*** Bug 490046 has been marked as a duplicate of this bug. ***
Comment 7 Agostino Sarubbo gentoo-dev 2013-11-01 20:58:00 UTC 
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-11-02 07:32:26 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-02 07:33:25 UTC 
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-11-02 08:03:37 UTC 
arm stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-02 16:24:23 UTC 
Stable for HPPA.
Comment 12 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-11-03 00:31:45 UTC 
Re-adding alpha/arm/ppc/ppc64 for cups-filters
Comment 13 Agostino Sarubbo gentoo-dev 2013-11-03 06:22:42 UTC 
alpha stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-11-03 06:22:48 UTC 
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-11-03 06:22:56 UTC 
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-11-03 06:23:03 UTC 
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-11-12 20:13:54 UTC 
ia64 stable
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 11:12:57 UTC 
CVE-2013-4474 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4474):
  Format string vulnerability in the extractPages function in
  utils/pdfseparate.cc in poppler before 024.2 allows remote attackers to
  cause a denial of service (crash) via format string specifiers in a
  destination filename.

CVE-2013-4473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4473):
  Stack-based buffer overflow in the extractPages function in
  utils/pdfseparate.cc in poppler before 0.24.2 allows remote attackers to
  cause a denial of service (crash) and possibly execute arbitrary code via a
  source filename.
Comment 19 Agostino Sarubbo gentoo-dev 2013-12-17 15:02:56 UTC 
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 20 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-17 17:07:08 UTC 
glsa request filed
Comment 21 Andreas K. Hüttel archtester gentoo-dev 2013-12-17 17:27:55 UTC 
All vulnerable versions have been removed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 19:31:39 UTC 
This issue was resolved and addressed in
 GLSA 201401-21 at http://security.gentoo.org/glsa/glsa-201401-21.xml
by GLSA coordinator Sean Amoss (ackle).