Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 622430 (CVE-2017-9406, CVE-2017-9408)

Summary: <app-text/poppler-0.55.0: Multiple Vulnerabilities (CVE-2017-{9406,9408})
Product: Gentoo Security Reporter: Volkan <vBugZilla>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: printing, reavertm, sudormrfhalt
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1458702, https://bugzilla.redhat.com/show_bug.cgi?id=1458701
See Also: https://bugs.freedesktop.org/show_bug.cgi?id=100776
https://bugs.freedesktop.org/show_bug.cgi?id=100775
Whiteboard: A3 [glsa+ cve]
Package list:
app-text/poppler-0.56.0
Runtime testing required: ---
Bug Depends on: 627390    
Bug Blocks:    

Description Volkan 2017-06-21 22:42:02 UTC
CVE-2017-9408 
A memory leak vulnerability was found in poppler in the function Object::initArray in Object.cc, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://bugs.freedesktop.org/show_bug.cgi?id=100776

CVE-2017-9406 
A memory leak vulnerability was found in poppler in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://bugs.freedesktop.org/show_bug.cgi?id=100775
Comment 1 Agostino Sarubbo gentoo-dev 2017-06-22 07:50:38 UTC
For the record:
https://github.com/ImageMagick/ImageMagick/issues/462#issuecomment-298251168
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-06-22 11:56:26 UTC
These have been addressed in 0.56.0, which is available in tree.

There's another fix https://cgit.freedesktop.org/poppler/poppler/commit/?id=3a2759aa2a98c2157cb35731b95e393b8882f8d3 but that seems to point to a wrong CVE.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-06-28 11:58:32 UTC
@ Maintainer(s): Can we start stabilization of =app-text/poppler-0.56.0?
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-08-09 12:00:33 UTC
(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): Can we start stabilization of =app-text/poppler-0.56.0?

I'm suggesting we move forward with 0.57.0 in bug #627390.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-08-10 07:18:14 UTC
Setting dependency as per suggestion
Comment 6 Michael Palimaka (kensington) gentoo-dev 2017-10-01 11:53:33 UTC
These were actually fixed in 0.55
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-24 14:31:25 UTC
Added to existing GLSA
Comment 8 Andreas Sturmlechner gentoo-dev 2017-11-24 19:34:24 UTC
KDE work done.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 13:43:23 UTC
This issue was resolved and addressed in
 GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17
by GLSA coordinator Aaron Bauman (b-man).