
Bug 622430 (CVE-2017-9406, CVE-2017-9408)

Summary: <app-text/poppler-0.55.0: Multiple Vulnerabilities (CVE-2017-{9406,9408})
Product: Gentoo Security
Reporter: Volkan <vBugZilla>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: printing, reavertm, sudormrfhalt
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1458702, https://bugzilla.redhat.com/show_bug.cgi?id=1458701
See Also: https://bugs.freedesktop.org/show_bug.cgi?id=100776
https://bugs.freedesktop.org/show_bug.cgi?id=100775
Whiteboard: A3 [glsa+ cve]
Package list:
app-text/poppler-0.56.0
Runtime testing required: ---
Bug Depends on: 627390    
Bug Blocks:    

Description Volkan 2017-06-21 22:42:02 UTC
CVE-2017-9408 
A memory leak vulnerability was found in poppler in the function Object::initArray in Object.cc, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://bugs.freedesktop.org/show_bug.cgi?id=100776

CVE-2017-9406 
A memory leak vulnerability was found in poppler in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://bugs.freedesktop.org/show_bug.cgi?id=100775
Comment 1 Agostino Sarubbo gentoo-dev 2017-06-22 07:50:38 UTC
For the record:
https://github.com/ImageMagick/ImageMagick/issues/462#issuecomment-298251168
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-06-22 11:56:26 UTC
These have been addressed in 0.56.0, which is available in tree.

There's another fix https://cgit.freedesktop.org/poppler/poppler/commit/?id=3a2759aa2a98c2157cb35731b95e393b8882f8d3 but that seems to point to a wrong CVE.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-28 11:58:32 UTC
@ Maintainer(s): Can we start stabilization of =app-text/poppler-0.56.0?
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-08-09 12:00:33 UTC
(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): Can we start stabilization of =app-text/poppler-0.56.0?

I'm suggesting we move forward with 0.57.0 in bug #627390.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-08-10 07:18:14 UTC
Setting dependency as per suggestion
Comment 6 Michael Palimaka (kensington) gentoo-dev 2017-10-01 11:53:33 UTC
These were actually fixed in 0.55
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-24 14:31:25 UTC
Added to existing GLSA
Comment 8 Andreas Sturmlechner gentoo-dev 2017-11-24 19:34:24 UTC
KDE work done.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 13:43:23 UTC
This issue was resolved and addressed in
 GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17
by GLSA coordinator Aaron Bauman (b-man).