Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 188185 - gnustep-libs/pdfkit and imagekits include vulnerable xpdf code (CVE-2007-3387)
Summary: gnustep-libs/pdfkit and imagekits include vulnerable xpdf code (CVE-2007-3387)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High enhancement (vote)
Assignee: Gentoo Security
Whiteboard: B2 [maskglsa]
Keywords: PMASKED
Depends on: 189372 195990
  Show dependency tree
Reported: 2007-08-08 22:59 UTC by Matt Fleming (RETIRED)
Modified: 2007-11-01 19:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matt Fleming (RETIRED) gentoo-dev 2007-08-08 22:59:59 UTC
pdfkit uses vulnerable xpdf code and needs an update. See bug 185225 for a patch.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-08 23:04:03 UTC
CC'ing maintainer and setting whiteboard status.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-08-08 23:24:56 UTC
As I pointed out in the bug mentioned above, I believe pdfkit is still vulnerable to older xpdf issues, among them bug #114428.
Comment 3 Bernard Cafarelli gentoo-dev 2007-08-09 11:59:37 UTC
Not maintained anymore upstream, does not compile with gcc 4.x, does not compile with stable freetype (bugs #131690, #172887, #188146 for example). It won't be easy to test a fix

pdfkit is scheduled for portage removal when we start to move ebuilds in from the gnustep overlay (including popplerkit, pdfkit replacement). So why not mask it now?

Packages depending on it are gnustep-apps/viewpdf (replaced by gnustep-apps/vindaloo), and gnustep-apps/gworkspace (in a conditional DEPEND for pdf support, replaced by a popplerkit DEPEND in the overlay)
Comment 4 Fabian Groffen gentoo-dev 2007-08-09 12:01:42 UTC
another vote for masking the gnustep app, moving over apps from the overlay to the main tree is for me scheduled in the near future.
Comment 5 Fabian Groffen gentoo-dev 2007-08-11 13:34:50 UTC
Ok, I masked gnustep-libs/pdfkit, gnustep-apps/viewpdf and gnustep-apps/gworkspace.  I expect replacements to enter the tree in a week or two.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-09-08 02:26:21 UTC
Fabian, any update on this?
Comment 7 Bernard Cafarelli gentoo-dev 2007-09-08 10:00:26 UTC
We are waiting for ~ppc rekeywording of new gnustep-base packages (bug #189372), as gnustep-libs/popplerkit and gnustep-apps/gworkspace need these (and are also ~ppc)

After that, popplerkit (and vindaloo), and new gworkspace depending on popplerkit instead of pdfkit can get in the tree
Comment 8 Bernard Cafarelli gentoo-dev 2007-09-10 16:44:48 UTC
OK, working gnustep-libs/popplerkit and gnustep-apps/vindaloo are in portage, as is gnustep-apps/gworkspace-0.8.6 (~arch for now)

We can now send a last-rites mail for pdfkit and viewpdf soon, with the usual 30 days before removal, or less?

Also, gworkspace is again available, but ~arch only for now (there was a stable version available)
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-29 16:35:26 UTC
hmm, maybe we should have a maskglsa for this one?
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-02 21:25:05 UTC
(In reply to comment #9)
> hmm, maybe we should have a maskglsa for this one?

policy says yes, and i agree with it. Request filed.
Comment 11 Bernard Cafarelli gentoo-dev 2007-10-08 12:25:29 UTC
gnustep-libs/imagekits also has a bundled pdfkit (and installs its own copy)
It is scheduled for removal at the same time as pdfkit and viewpdf
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-10-09 21:59:09 UTC
(In reply to comment #11)
> gnustep-libs/imagekits also has a bundled pdfkit (and installs its own copy)

Thanks for letting us know.

Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-18 23:17:39 UTC
MASKGLSA 200710-20
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-11-01 19:37:20 UTC
All traces of pdfkit and imagekits removed, thanks Bernard.