Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 188863 - app-text/poppler < 0.5.4-r2 Vulnerablities in included Xpdf code (CVE-2007-3387)
Summary: app-text/poppler < 0.5.4-r2 Vulnerablities in included Xpdf code (CVE-2007-3387)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2007-08-14 17:09 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-09-19 22:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 17:09:02 UTC
Integer overflow in the StreamPredictor::StreamPredictor function in gpdf before 2.8.2, as used in (1) poppler, (2) xpdf, (3) kpdf, (4) kdegraphics, (5) CUPS, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file.
Comment 1 Stefan Schweizer (RETIRED) gentoo-dev 2007-08-22 21:22:07 UTC
poppler-0.5.91 fixed this
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-23 17:26:12 UTC
Thx genstef.

Arches please test and mark stable. Target keywords are:

poppler-0.5.9-r1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
Comment 3 Jonas Pedersen 2007-08-23 18:19:20 UTC
Just did a sync and =app-text/poppler-0.5.9* (and =app-text/poppler-bindings-0.5.9*) is still en package.mask. Should it not be removed from package.mask?
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-23 18:22:36 UTC
Stable for HPPA.
Comment 5 Stefan Schweizer (RETIRED) gentoo-dev 2007-08-23 19:06:54 UTC
I put in an backported ebuild in for stabling: poppler-0.5.4-r2

0.5.91 is a hard masked release candidate, please do not stable it
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-24 06:09:31 UTC
Sorry I thought it was ready for stable marking and thanks for backporting.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-24 07:31:54 UTC
x86 stable
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-24 13:14:27 UTC
sparc stable.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-24 14:22:14 UTC
Stable for HPPA again.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-08-24 17:19:19 UTC
alpha/ia64 stable
Comment 11 Jonas Pedersen 2007-08-25 18:15:36 UTC
app-text/poppler-0.5.4-r2  USE="jpeg zlib -cjk"

1. Emerges on AMD64. 
2. No collisions etc. 
3. Works on AMD64. Can still view PDF documents with viewers depending on poppler. 

Please mark stable on AMD64. 

Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64)
System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 24 Aug 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
CFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"

Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-28 19:37:17 UTC
ppc stable
Comment 13 Christoph Mende (RETIRED) gentoo-dev 2007-08-28 20:07:14 UTC
amd64 stable
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-08-29 10:15:53 UTC
ppc64 stable
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-29 12:46:26 UTC
unless I missed something, this is clearly remote exec of code with user help, so B2. GLSA request filed.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-09-15 22:58:43 UTC
just for a reminder for future usages.

These packages include the vulnerable piece of code:

app-text/xpdf #185225
media-libs/libextractor #192636
app-office/{koffice,kword} #187139
kde-base/{kdegraphics,kpdf} #187139
app-text/tetex #188172
gnustep-libs/pdfkit #188185
net-print/cups #188861
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-09-16 04:20:02 UTC
(In reply to comment #16)
> media-libs/libextractor #192636
Only in versions <= 0.5.12. After that, it is built with --disable-xpdf by default.
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-09-19 22:01:52 UTC
GLSA 200709-12, sorry for the delay