** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **
We have been contacted by oCERT about a vulnerability in poppler:
The poppler PDF rendering library suffers a memory management bug which leads
to arbitrary code execution.
The vulnerability is present in the Page class constructor/destructor. The
pageWidgets object is not initialized in the Page constructor if specific
conditions are met, but it is deleted afterwards in the destructor regardless
of its initialization.
Specific PDF files can be crafted which allocate arbitrary memory to trigger
poppler <= 0.8.3
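The bug class described in the report above (a pointer member left unassigned on one constructor path and deleted unconditionally in the destructor), as an added example that is not part of the original thread and is not poppler's code. All class, member and parameter names are hypothetical, `early_exit` stands in for the unspecified "specific conditions", and the hardened variant uses `std::unique_ptr`, which is one way to fix this class of bug and not necessarily what the attached patch does.

```cpp
// Added illustration: names are hypothetical, this is not poppler's source.
#include <memory>

static int live_widgets = 0;              // Widgets objects currently allocated

struct Widgets {
    Widgets()  { ++live_widgets; }
    ~Widgets() { --live_widgets; }
};

// Vulnerable shape: one constructor path returns before 'widgets' is assigned,
// but the destructor deletes it unconditionally.
class PageVulnerable {
public:
    explicit PageVulnerable(bool early_exit) {
        if (early_exit) return;           // 'widgets' holds an indeterminate value
        widgets = new Widgets();
    }
    ~PageVulnerable() { delete widgets; } // invalid free on the early-exit path
private:
    Widgets *widgets;
};

// Hardened shape: unique_ptr is null until assigned, so every constructor
// path leaves the object safe to destroy.
class PageHardened {
public:
    explicit PageHardened(bool early_exit) {
        if (early_exit) return;
        widgets.reset(new Widgets());
    }
    bool has_widgets() const { return widgets != nullptr; }
private:
    std::unique_ptr<Widgets> widgets;
};

// Construct and destroy one page; return how many Widgets are still alive.
template <class Page>
int roundtrip(bool early_exit) {
    { Page page(early_exit); }
    return live_widgets;
}

// Only the hardened class is driven down the early-exit path.
int main() { return roundtrip<PageHardened>(true) + roundtrip<PageHardened>(false); }
```

Building the vulnerable class with AddressSanitizer or running it under Valgrind and taking the early-exit path is the usual way to confirm this kind of invalid free during patch testing.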
Created attachment 158795
dang/tgurr please prepare an ebuild with the attached patch... do not commit anything to the tree, but attach the ebuild etc. to this bug so the arch liaisons can test it
Created attachment 158877
Previous patch, renamed
Created attachment 158879
Ebuild with patch
Note: 0.8.4 is in the tree now, also with this bug. The same patch applies. That will have to be bumped at the same time as 0.8.3, but not to stable.
Arch Security Liaisons, please test the attached ebuild (app-text/poppler-0.8.3-r1) and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
CC'ing current Liaisons:
alpha : yoswink
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
release : pva
sparc : fmccor
x86 : opfer
Sparc looks good for poppler-0.8.3-r1. However, for this to go stable, testing shows that *at least* these packages must also go stable:
(and also several rebuilds besides, such as xpdf, evince, and gimp for me).
So please make sure to catch everything which needs an upgrade along with poppler before making this stable. I just mentioned the ones I know about; there might be others, and I suspect they are triggered by the required poppler-bindings upgrade.
Created attachment 158999
poppler 0.6.3 ebuild
Blast. I'd completely forgotten that 0.8.x wasn't stable yet. Here's an ebuild for 0.6.3-r1 (fortunately, the same patch applies). Please test this one for stable instead.
0.6.3-r1 is good on sparc, too.
HPPA is OK.
x86 will go with stable
Ready for alpha.
evince using stable poppler-bindings and 0.6.3-r1 of poppler is able to show a pdf without any problem.
sorry for the version mess up earlier...
Anyways, this is going public at 16:00 CET.
It would be nice if the remaining arches could give their OK by that time too.
Adding ranger and gentoofan23 as support for the missing arches. Please test the poppler-0.6.3-r1.ebuild attached to this bug in your stable tree and report the results here.
seems ok for ppc64
ppc64 gave their ok already, ppc is still missing though (and amd64) ;-)
I'm not the amd64 security guy, but I am on the amd64 team, and I did test it on amd64. I'm not sure of the rules for sec bugs, but if that's sufficient, you can count amd64.
public via $URL
printing herd/dang, please commit the relevant ebuilds
poppler-0.6.3-r1 has collected the following stable keywords here already:
"alpha amd64 hppa ppc64 sparc x86"
to be added when committed: ia64 arm m68k s390 sh (ppc)
Committed. I left 0.6.3, but it (and 0.6.1-r1) should be removed when everyone has updated their stable keywords.
remaining arches, please test and stabilize =app-text/poppler-0.6.3-r1
GLSA is drafted and ready to go
this was GLSA 200807-04.