Bug 229931 (CVE-2008-2950) - app-text/poppler <0.6.3-r1 uninitialized pointer (CVE-2008-2950)
Summary: app-text/poppler <0.6.3-r1 uninitialized pointer (CVE-2008-2950)
Alias: CVE-2008-2950
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2008-06-28 19:14 UTC by Matthias Geerdsen (RETIRED)
Modified: 2020-04-09 19:03 UTC

See Also:
Package list:
Runtime testing required: ---

Attachments:
patch (poppler.patch, 400 bytes, patch)
2008-06-28 19:16 UTC, Matthias Geerdsen (RETIRED)
Previous patch, renamed (poppler-0.8.3-page-init.patch, 400 bytes, patch)
2008-06-29 17:39 UTC, Daniel Gryniewicz (RETIRED)
Ebuild with patch (poppler-0.8.3-r1.ebuild, 1.27 KB, text/plain)
2008-06-29 17:40 UTC, Daniel Gryniewicz (RETIRED)
poppler 0.6.3 ebuild (poppler-0.6.3-r1.ebuild, 1.27 KB, text/plain)
2008-06-30 19:36 UTC, Daniel Gryniewicz (RETIRED)

Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-28 19:14:46 UTC
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

We have been contacted by oCERT about a vulnerability in poppler:


The poppler PDF rendering library suffers a memory management bug which leads
to arbitrary code execution.

The vulnerability is present in the Page class constructor/destructor. The
pageWidgets object is not initialized in the Page constructor if specific
conditions are met, but it is deleted afterwards in the destructor regardless
of its initialization.

Specific PDF files can be crafted which allocate arbitrary memory to trigger
the vulnerability.

Affected version:

poppler <= 0.8.3
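The constructor/destructor mismatch the advisory describes, modelled as an added example that is not poppler's source or the attached patch: `Form`, the two `Page` variants and `hasAcroForm` are hypothetical names, and the fix shown is the general one of initialising the pointer before any conditional logic.

```cpp
#include <cstring>
#include <new>

// Stand-in for the per-page widget collection; counts live objects so the
// test can check that each allocation is freed exactly once.
struct Form {
    static int liveCount;
    Form()  { ++liveCount; }
    ~Form() { --liveCount; }
};
int Form::liveCount = 0;

// Vulnerable shape (hypothetical model of the advisory text): the pointer is set
// on one constructor path only, yet the destructor deletes it unconditionally.
class VulnerablePage {
public:
    Form *pageWidgets;
    explicit VulnerablePage(bool hasAcroForm) {
        if (hasAcroForm)
            pageWidgets = new Form();
        // no else branch: pageWidgets is left uninitialised
    }
    ~VulnerablePage() { delete pageWidgets; }  // undefined behaviour on the no-form path
};

// Fixed shape: initialise before any conditional logic so the delete is a defined no-op.
class FixedPage {
public:
    Form *pageWidgets = nullptr;
    explicit FixedPage(bool hasAcroForm) {
        if (hasAcroForm)
            pageWidgets = new Form();
    }
    ~FixedPage() { delete pageWidgets; }   // delete nullptr is harmless
};

// Builds a FixedPage over storage pre-filled with 0x41 (so a missed
// initialisation would show up as garbage) and checks the pointer is null.
bool fixedPagePointerIsNullOnNoFormPath() {
    alignas(FixedPage) unsigned char storage[sizeof(FixedPage)];
    std::memset(storage, 0x41, sizeof storage);
    FixedPage *p = new (storage) FixedPage(false);
    bool isNull = (p->pageWidgets == nullptr);
    p->~FixedPage();
    return isNull;
}

// Runs both constructor paths; 0 means no leak and no double delete.
int leakedFormsAfterFixedPages() {
    { FixedPage a(true); FixedPage b(false); FixedPage c(true); }
    return Form::liveCount;
}
```

Compiling the same model with AddressSanitizer or running it under Valgrind is the practical way to catch the `VulnerablePage` shape in a real code base, since the bad `delete` only misbehaves at runtime.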
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-28 19:16:26 UTC
Created attachment 158795
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-28 19:17:49 UTC
dang/tgurr please prepare an ebuild with the attached patch... do not commit anything to the tree, but attach the ebuild etc. to this bug so the arch liaisons can test it
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-06-29 17:39:59 UTC
Created attachment 158877
Previous patch, renamed
Comment 4 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-06-29 17:40:49 UTC
Created attachment 158879
Ebuild with patch
Comment 5 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-06-29 17:41:30 UTC
Note: 0.8.4 is in the tree now, also with this bug.  The same patch applies.  That will have to be bumped at the same time as 0.8.3, but not to stable.
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-30 11:09:54 UTC
thanks Daniel

Arch Security Liaisons, please test the attached ebuild (app-text/poppler-0.8.3-r1) and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-06-30 14:30:56 UTC
Sparc looks good for poppler-0.8.3-r1.  However, for this to go stable, testing shows that *at least* these packages must also go stable:
(and also several rebuilds besides, such as xpdf, evince, and gimp for me).
So please make sure to catch everything which needs an upgrade along with poppler before making this stable.  I just mentioned the ones I know about; there might be others, and I suspect they are triggered by the required poppler-bindings upgrade.
Comment 8 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-06-30 19:36:05 UTC
Created attachment 158999
poppler 0.6.3 ebuild

Blast.  I'd completely forgotten that 0.8.x wasn't stable yet.  Here's an ebuild for 0.6.3-r1 (fortunately, the same patch applies).  Please test this one for stable instead.
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2008-06-30 20:09:14 UTC
0.6.3-r1 is good on sparc, too.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-06-30 23:38:59 UTC
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2008-07-01 05:27:45 UTC
ppc64 ok
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-03 13:06:33 UTC
x86 will go with stable
Comment 13 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-07-03 15:34:21 UTC
Ready for alpha.

evince using stable poppler-bindings and 0.6.3-r1 of poppler is able to show a PDF without any problem.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-07 09:14:49 UTC
sorry for the version mess-up earlier...

Anyways, this is going public at 16:00 CET.

It would be nice if the remaining arches could give their OK by that time too.

Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-07-07 09:26:20 UTC
Adding ranger and gentoofan23 as support for the missing arches. Please test the poppler-0.6.3-r1.ebuild attached to this bug in your stable tree and report the results here.
Comment 16 Brent Baude (RETIRED) gentoo-dev 2008-07-07 13:01:28 UTC
seems ok for ppc64
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-07 13:16:17 UTC
ppc64 gave their ok already, ppc is still missing though (and amd64) ;-)
Comment 18 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-07-07 13:25:38 UTC
I'm not the amd64 security guy, but I am on the amd64 team, and I did test it on amd64.  I'm not sure of the rules for sec bugs, but if that's sufficient, you can count amd64.
Comment 19 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-07 14:16:13 UTC
public via $URL

printing herd/dang, please commit the relevant ebuilds
poppler-0.6.3-r1 has collected the following stable keywords here already:
"alpha amd64 hppa ppc64 sparc x86"

removing liaisons
to be added when committed: ia64 arm m68k s390 sh (ppc)
Comment 20 Daniel Gryniewicz (RETIRED) gentoo-dev 2008-07-07 14:45:34 UTC
Committed.  I left 0.6.3, but it (and 0.6.1-r1) should be removed when everyone has updated their stable keywords.
Comment 21 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-07 15:00:44 UTC
thanks Daniel

remaining arches, please test and stabilize =app-text/poppler-0.6.3-r1

GLSA is drafted and ready to go
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2008-07-08 12:50:54 UTC
ia64 stable
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-08 17:02:02 UTC
ppc stable
Comment 24 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-09 21:29:21 UTC
this was GLSA 200807-04.