From ${URL}:

A heap buffer overflow vulnerability was found in the poppler library. A maliciously crafted file could cause the application to crash.

Upstream fix: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433

References (reproducer attached): http://seclists.org/oss-sec/2016/q2/56

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
fixed in > 0.40.0
Arches, please stabilize =app-text/poppler-0.42.0.

Target:
         | alpha amd64 arm arm64 hppa ia64 m68k mips nios2 ppc ppc64 riscv s390 sh sparc x86 | eapi unused slot | repo
---------+-----------------------------------------------------------------------------------+------------------+-------
0.42.0   | +     +     +   o     +    +    o    ~    o     +   +     o     ~    ~  +     +   | 6    o      0/59 | gentoo
FYI, a version of libreoffice-bin-5.1.2.2 compiled against poppler-0.42.0 (and icu-57.1) is in preparation. As soon as it is finished I'll file the corresponding stable request for libreoffice (and icu).
Stable for HPPA, PPC64.
arm stable
amd64 stable
alpha stable
x86 will be done in bug 580672 (to prevent people from needing to rebuild libreoffice multiple times).
ia64, ppc, sparc: ping!!!
ppc stable
sparc stable
ia64 stable. Maintainer(s), please clean up. Security, please add it to the existing request or file a new one.
x86 is not done yet bug #580672
(In reply to Johannes Huber from comment #13)
> x86 is not done yet bug #580672

x86 has 0.45.0 stable now; cleanup done.
(In reply to Andreas K. Hüttel from comment #14)
> (In reply to Johannes Huber from comment #13)
> > x86 is not done yet bug #580672
>
> x86 has 0.45.0 stable now; cleanup done

Thanks. Removing maintainers then.
This issue was resolved and addressed in GLSA 201611-15 at https://security.gentoo.org/glsa/201611-15 by GLSA coordinator Aaron Bauman (b-man).