
Bug 645868 (CVE-2017-1000456)

Summary: <app-text/poppler-0.61.0: Invalid read causes crash and can lead to overflow in subsequent calculations (CVE-2017-1000456)
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 644388    
Bug Blocks:    

Description Ian Zimmerman 2018-01-27 01:32:00 UTC
According to the Red Hat summary [1]:

libpoppler in poppler version 0.60.1 is vulnerable to an invalid read and subsequent crash when parsing a specially crafted PDF. The invalid read is caused by incorrect boundary validation in TextOutputDev.cc:TextPool::addWord(), leading to overflow in subsequent calculations.

(I checked and it is present in the Gentoo stable version, which is 0.57.0-r1.)

Upstream patch at [2], needs massaging for Gentoo stable version.

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000456

[2]
https://cgit.freedesktop.org/poppler/poppler/commit/?id=7ee9dadef37b20bca707a6b1e858e17d191e368b


Reproducible: Always
Comment 1 Andreas Sturmlechner gentoo-dev 2018-04-07 15:43:11 UTC
Cleanup done, security, please proceed.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-04-08 14:27:19 UTC
This issue was resolved and addressed in GLSA 201804-03 at https://security.gentoo.org/glsa/201804-03 by GLSA coordinator Aaron Bauman (b-man).