CVE-2009-3938 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3938): Buffer overflow in the ABWOutputDev::endWord function in poppler/ABWOutputDev.cc in Poppler (aka libpoppler) 0.10.6, 0.12.0, and possibly other versions, as used by the Abiword pdftoabw utility, allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted PDF file.
For some reason, I do not see this patch for CVE-2009-3938 in poppler-0.12.4! http://bugs.freedesktop.org/attachment.cgi?id=30599&action=edit @herds: please advise/prepare a new ebuild/bump it.
"Albert Astals Cid 2010-03-24 13:21:18 PDT: Well, it seems that Vincent wasn't really sure the patch was correct and no one is really, really interested in fixing the code, so it has not been committed. So well, if you guys want I can commit it; I really do not have an opinion, not sure if anyone really uses that code."
@security: So what's gonna happen with this bug?! :)
Sounds like we have a problem here. There is an upstream patch at https://bugs.freedesktop.org/attachment.cgi?id=30599 but the upstream itself isn't sure whether it's good, and they seem not to have committed it to their repo. Is it possible to rip out the vulnerable part of the library? I guess masking poppler is not really an option.
From upstream:
> Albert Astals Cid 2011-03-22 15:50:25 PDT
> pdftoabw was just removed from poppler as it was unmaintained so this won't be fixed. Sorry. If you were using it, this is the moment to step up and be its maintainer.
Seems like the problem will solve itself (but in which version?)
From the poppler homepage:
> The latest unstable release is Poppler 0.17.0 (0.18 Alpha)
> poppler-0.17.0.tar.gz, released on Mar 30, 2011:
> core:
> [...]
> * Remove abiword output device
>
> utils:
> [...]
> * pdftoabw has been removed
(In reply to comment #6)
> From the poppler homepage:
>
> The latest unstable release is Poppler 0.17.0 (0.18 Alpha)
> poppler-0.17.0.tar.gz, released on Mar 30, 2011:
> core:
> [...]
> * Remove abiword output device
>
> utils:
> [...]
> * pdftoabw has been removed
Great, thank you. @kde, @printing, Maciej, is 0.17.0 something we can add to the tree and stabilize? Thank you.
Alternative suggestion, given that poppler is one of these more tricky packages breaking reverse-deps. Building the abiword backend is controlled by a useflag and a cmake switch. How about just force-disabling this? Should be possible with both current stable and ~arch. The functionality will disappear anyway... (Disclaimer- I'm looking at the internals of this package for the very first time now...)
Odd numbers are for unstable poppler releases, so 0.17.0 is what kernels 2.5.x used to be, so no, cannot be stabilized. I prefer removing abiword USE flag and passing -DENABLE_ABIWORD=OFF to mycmakeargs. Unfortunately I cannot fix it myself since my Linux box is broken for over a week and one of new hardware replacements - Asus p8p67 deluxe 3.0 - appeared to have buggy HW/SW/whatever and hangs in POST when connected to my WD2500YS disks so my Gentoo break-off will take a little longer...
*poppler-0.16.3-r1 (14 Apr 2011)
*poppler-0.14.5-r1 (14 Apr 2011)

  14 Apr 2011; Andreas K. Huettel <dilfridge@gentoo.org> +poppler-0.14.5-r1.ebuild,
  -poppler-0.16.3.ebuild, +poppler-0.16.3-r1.ebuild:
  Disable abiword backend (not supported anymore, security issues, bug 308017)

Arches, please stabilize app-text/poppler-0.14.5-r1. Only change is force-disabling abiword support (formerly controlled by abiword useflag).
Target: "alpha amd64 arm hppa ia64 ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
i.e. stabilization on alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
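The mitigation chosen in the thread (comments above suggesting `-DENABLE_ABIWORD=OFF` in mycmakeargs, and the 0.14.5-r1 / 0.16.3-r1 revision bumps that force-disable the backend) means the vulnerable ABWOutputDev.cc is simply never compiled. The shell sketch below is an added example and is not the Gentoo ebuild's own code or anything from poppler: it contrasts the assumed pre-fix behaviour (backend follows the `abiword` USE flag) with the post-fix behaviour (always off), and adds a small check that reads a build tree's CMakeCache.txt to confirm the option really ended up OFF. The function names and the sample cache contents are constructed for this example; `ENABLE_ABIWORD` is the cmake switch named in the thread.

```shell
#!/bin/sh
# Added example, not from the bug thread, the ebuild or poppler itself.

# Assumed pre-fix behaviour: the abiword backend is switched on by the
# "abiword" USE flag. $1 is a space-separated list of enabled USE flags.
poppler_cmake_args_before() {
    case " $1 " in
        *" abiword "*) echo "-DENABLE_ABIWORD=ON" ;;
        *)             echo "-DENABLE_ABIWORD=OFF" ;;
    esac
}

# Post-fix behaviour (poppler-0.14.5-r1 / 0.16.3-r1): the backend is forced
# off regardless of USE flags, so the vulnerable output device is not built.
poppler_cmake_args_after() {
    echo "-DENABLE_ABIWORD=OFF"
}

# Returns 0 when a cmake argument list disables the abiword backend.
abiword_disabled() {
    case " $1 " in
        *"-DENABLE_ABIWORD=OFF"*) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Reads the ENABLE_ABIWORD entry from a CMakeCache.txt and prints ON, OFF or
# ABSENT. ABSENT is what a tree of 0.17.0 or later shows, where the option no
# longer exists because the backend was removed upstream.
cache_abiword_state() {
    state=$(sed -n 's/^ENABLE_ABIWORD:BOOL=//p' "$1")
    if [ -n "$state" ]; then echo "$state"; else echo ABSENT; fi
}

# Returns 0 when the cache shows the backend is not built (OFF or ABSENT).
cache_abiword_safe() {
    [ "$(cache_abiword_state "$1")" != "ON" ]
}

# Stand-alone demo on a constructed cache file (not a real poppler build).
demo() {
    tmp=$(mktemp)
    printf 'CMAKE_BUILD_TYPE:STRING=Release\nENABLE_ABIWORD:BOOL=ON\n' > "$tmp"
    printf 'before fix, USE=abiword: %s\n' "$(poppler_cmake_args_before 'abiword cairo')"
    printf 'after fix,  USE=abiword: %s\n' "$(poppler_cmake_args_after 'abiword cairo')"
    printf 'constructed cache reports ENABLE_ABIWORD=%s\n' "$(cache_abiword_state "$tmp")"
    rm -f "$tmp"
}
demo
```

On a real system the same check is `grep '^ENABLE_ABIWORD' CMakeCache.txt` in the poppler build directory, or confirming that no `pdftoabw` binary is installed by the package.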
works on amd64
Stable for HPPA.
amd64 stable
x86 stable
Tested along with evince 2.32.0-r2 on SPARC, seems to display PDF documents OK, could stabilise.
arm stable
ppc done
alpha/ia64/s390/sh/sparc stable
ppc64 stable, last arch done
Thanks, everyone. Added to existing GLSA request.
Nothing to do for kde here anymore.
(In reply to comment #21)
> Nothing to do for kde here anymore.
Nor for printing.
Will anyone still read this GLSA if it ever comes out? Come on, stable is poppler-0.20 by now.
This issue was resolved and addressed in GLSA 201310-03 at http://security.gentoo.org/glsa/glsa-201310-03.xml by GLSA coordinator Sean Amoss (ackle).