From ${URL} :

Segmentation fault found on poppler via fuzzed PDF input file.

Reported to Debian bug tracking system as: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779699

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Fixed since 0.28.0, http://cgit.freedesktop.org/poppler/poppler/commit/?id=d6ea8acbb348fdb43601a963ba5407e933565003

I'd prefer to wait for 0.32.0 (to be released today?) for a sec stabilization since that includes more fuzzing fixes.
(In reply to Andreas K. Hüttel from comment #1)
> Fixed since 0.28.0,
> http://cgit.freedesktop.org/poppler/poppler/commit/?id=d6ea8acbb348fdb43601a963ba5407e933565003
>
> I'd prefer to wait for 0.32.0 (to be released today?) for a sec
> stabilization since that includes more fuzzing fixes.

I'm sure you know but (http://poppler.freedesktop.org/ (viewed today)):

The latest stable release is poppler-0.32.0.tar.xz, released on March 7, 2015:

core:
 * Annotations: Fix rendering of empty BG/BC arrays
 * Splash: Fix wrong colour shown when GouraudTriangleShFill uses a DeviceN colorspace. Bug #89182
 * Splash: Fix use of uninitialized variable in Splash::pipeRun
 * Remove unnecessary check for font validity. Bug #88939
 * Small optimization in GooString::appendfv(). Bug #89096
 * Fix crashes in malformed files

utils:
 * pdftops: Make colorspace optimization an option instead of default
 * pdfseparate: use always an unique instance for PDFDoc for savePageAs

build system:
 * cmake: If extra-cmake-modules is around include the Sanitizers module
(In reply to Andreas K. Hüttel from comment #1)
> Fixed since 0.28.0,
> http://cgit.freedesktop.org/poppler/poppler/commit/?id=d6ea8acbb348fdb43601a963ba5407e933565003
>
> I'd prefer to wait for 0.32.0 (to be released today?) for a sec
> stabilization since that includes more fuzzing fixes.

It's been bumped in the meantime. We can wait a few more days and then stabilize 0.32.0
We need feedback on bug 540132. Once that is handled somehow, we can stabilize

app-text/poppler-0.32.0
app-office/libreoffice-bin-4.3.5.2-r1
app-office/libreoffice-bin-debug-4.3.5.2-r1
Calling a maintainer timeout on the blocker bugs. Arches please stabilize:

Target: ppc64
sci-libs/ogdi-3.2.0_beta2 (bug 413635)

Target: amd64 ppc ppc64 x86
sci-libs/gdal-1.11.1-r3 (bug 540132)

Target: all stable arches
app-text/poppler-0.32.0

Target: amd64 x86
app-office/libreoffice-bin-4.3.5.2-r1
app-office/libreoffice-bin-debug-4.3.5.2-r1
(In reply to Andreas K. Hüttel from comment #5)
> Calling a maintainer timeout on the blocker bugs. Arches please stabilize:
>
> Target: ppc64
> sci-libs/ogdi-3.2.0_beta2 (bug 413635)
>
> Target: amd64 ppc ppc64 x86
> sci-libs/gdal-1.11.1-r3 (bug 540132)
>
> Target: all stable arches
> app-text/poppler-0.32.0
>
> Target: amd64 x86
> app-office/libreoffice-bin-4.3.5.2-r1
> app-office/libreoffice-bin-debug-4.3.5.2-r1
amd64 stable
(In reply to Mikle Kolyada from comment #7)
> amd64 stable

This breaks current stable inkscape (bug 545600). Is it possible to stabilize media-gfx/inkscape-0.48.5-r1 as well?
Stable for HPPA.
x86 stable
arm stable
alpha stable
ia64 stable
ppc64 stable
ppc stable
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Cleanup done
Arches and Maintainer(s), Thank you for your work.
This issue was resolved and addressed in GLSA 201611-15 at https://security.gentoo.org/glsa/201611-15 by GLSA coordinator Aaron Bauman (b-man).