Summary: | app-text/poppler: Heap-buffer overflow in the image rendering functionality | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | normal | CC: | kde, office, printing, reavertm |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1470139 | ||
Whiteboard: | A3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2017-07-12 15:27:03 UTC
Setting dependency on Bug #627390 Dropping blocker on yet another poppler bug with no evidence of it being fixed... Per the upstream advisory: "The Poppler library, by default, uses a private implementation of reading and rendering images. There is a compilation option for libjpeg support, but the flag is not enabled by default. This private implementation contains assumptions about the JPEG file headers that can lead to heap corruption when broken." The default has changed to libjpeg since 0.55. To build this private implementation, one has to pass -DENABLE_DCTDECODER=unmaintained, but Gentoo either passes 'libjpeg' or 'none'. Which by definition makes us unaffected. Gentoo by default is not impacted by this vulnerability. |