| Summary: | <app-text/poppler-0.57.0-r1: Integer overflow in the JPEG 2000 image parsing functionality | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | printing, reavertm |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1470138 | ||
| Whiteboard: | A2 [glsa+ cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 619558 | ||
| Bug Blocks: | |||
setting dependency to stabilization bug. Removing dependency, there's no evidence that this is fixed. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0f7e72d6950013ea98f65116dc44cedd8923dd5 commit b0f7e72d6950013ea98f65116dc44cedd8923dd5 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2017-11-24 22:55:47 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2017-11-24 23:06:22 +0000 app-text/poppler: Fix CVE-2017-{2820,9083} Bug: https://bugs.gentoo.org/619558 Bug: https://bugs.gentoo.org/624708 Package-Manager: Portage-2.3.16, Repoman-2.3.6 .../poppler-0.57.0-disable-internal-jpx.patch | 25 ++++++++++++++++++++++ app-text/poppler/poppler-0.57.0-r1.ebuild | 1 + 2 files changed, 26 insertions(+)} The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25a02f548c6203536c02e119b06d16a80be7fc73 commit 25a02f548c6203536c02e119b06d16a80be7fc73 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2017-12-20 23:07:07 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2017-12-20 23:07:55 +0000 app-text/poppler: Fix CVE-2017-{2820,9083} Bug: https://bugs.gentoo.org/619558 Bug: https://bugs.gentoo.org/624708 Package-Manager: Portage-2.3.19, Repoman-2.3.6 app-text/poppler/poppler-0.61.1.ebuild | 1 + app-text/poppler/poppler-0.62.0.ebuild | 1 + app-text/poppler/poppler-9999.ebuild | 1 + 3 files changed, 3 insertions(+)} Added to existing GLSA. This issue was resolved and addressed in GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17 by GLSA coordinator Aaron Bauman (b-man). |
From ${URL} : An exploitable integer overflow vulnerability exists in the JPEG 2000 image parsing functionality of freedesktop.org Poppler. A specially crafted PDF file can lead to an integer overflow causing out of bounds memory overwrite on the heap resulting in potential arbitrary code execution. To trigger this vulnerability, a victim must open the malicious PDF in an application using this library. External References: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0321 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.