From ${URL} :

poppler 0.54.0, as used in Evince and other products, has a NULL pointer dereference in the JPXStream::readUByte function in JPXStream.cc. For example, the perf_test utility will crash (segmentation fault) when parsing an invalid PDF file.

Upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=101084

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
commit 2f137d79eb6929fa0606f158f86e4520fff958a2 (HEAD -> master, origin/master, origin/HEAD)
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Wed May 24 16:05:05 2017 +0200

    app-text/poppler: Version bump to 0.55.0

    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Now I can recognize something is missing, while doing:

emerge -1 =app-text/poppler-0.55.0
----
-- Performing Test ICONV_SECOND_ARGUMENT_IS_CONST
-- Performing Test ICONV_SECOND_ARGUMENT_IS_CONST - Failed
-- Found Iconv: /usr/lib/libc.so
CMake Error at CMakeLists.txt:233 (message):
  Invalid ENABLE_LIBOPENJPEG value:

-- Configuring incomplete, errors occurred!
----

I don't know what is missing: qlist -Iv jpeg shows:
media-libs/libjpeg-turbo-1.5.1
media-libs/openjpeg-2.1.2
media-video/mjpegtools-2.1.0-r2
virtual/jpeg-0-r2
FYI: poppler-0.55 didn't address CVE-2017-9083.

@Ulenrich: I cannot reproduce. However, please file a new bug.
(In reply to Ulenrich from comment #2)
> Now I can recognize something is missing, while doing:
>
> emerge -1 =app-text/poppler-0.55.0
> ----
> -- Performing Test ICONV_SECOND_ARGUMENT_IS_CONST
> -- Performing Test ICONV_SECOND_ARGUMENT_IS_CONST - Failed
> -- Found Iconv: /usr/lib/libc.so
> CMake Error at CMakeLists.txt:233 (message):
>   Invalid ENABLE_LIBOPENJPEG value:
>
> -- Configuring incomplete, errors occurred!
> ----
>
> I don't know what is missing: qlist -Iv jpeg shows:
> media-libs/libjpeg-turbo-1.5.1
> media-libs/openjpeg-2.1.2
> media-video/mjpegtools-2.1.0-r2
> virtual/jpeg-0-r2

That's being tracked in bug #619720.
There's no evidence this is fixed.
Adding blocking CVEs that are all variations of this security issue [internal unmaintained JPX decoder] that is caused when building without system-jpeg libs. Fedora does not care because they always build with system-jpeg, however in Gentoo we allow the user to disable both options and poppler's buildsystem is making us believe there would be no JPX decoder built in that case, when later the following happens:

---
if(LIBOPENJPEG_FOUND)
  set(poppler_SRCS ${poppler_SRCS}
    poppler/JPEG2000Stream.cc
  )
  set(poppler_LIBS ${poppler_LIBS} ${LIBOPENJPEG_LIBRARIES})
  add_definitions(-DUSE_OPENJPEG1)
elseif (LIBOPENJPEG2_FOUND)
  set(poppler_SRCS ${poppler_SRCS}
    poppler/JPEG2000Stream.cc
  )
  add_definitions(-DUSE_OPENJPEG2)
  set(poppler_LIBS ${poppler_LIBS} ${LIBOPENJPEG2_LIBRARIES})
else ()
  set(poppler_SRCS ${poppler_SRCS}
    poppler/JPXStream.cc
  )
endif()
---

Even though the rest of the code is all built with HAVE_JPX_DECODER=OFF, so is probably not making use of it. If we trust the ifdefs.

1.) The easiest way to solve this without any patching of code necessary would be adding REQUIRED_USE="|| ( jpeg jpeg2k )", and we can introduce this as a stable revbump.

2.) Patch CMakeLists.txt and let the stabilisations begin again:

--- a/CMakeLists.txt	2017-07-31 23:39:14.000000000 +0200
+++ b/CMakeLists.txt	2017-11-24 21:34:54.651636371 +0100
@@ -506,9 +506,11 @@
   add_definitions(-DUSE_OPENJPEG2)
   set(poppler_LIBS ${poppler_LIBS} ${LIBOPENJPEG2_LIBRARIES})
 else ()
-  set(poppler_SRCS ${poppler_SRCS}
-    poppler/JPXStream.cc
-  )
+  if(NOT WITH_OPENJPEG AND HAVE_JPX_DECODER)
+    set(poppler_SRCS ${poppler_SRCS}
+      poppler/JPXStream.cc
+    )
+  endif()
 endif()
 if(USE_CMS)
   if(LCMS_FOUND)

It builds fine.
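Review bot: the new guard `if(NOT WITH_OPENJPEG AND HAVE_JPX_DECODER)` in the else() branch can, by the comment's own description, never be true in the configuration it targets: the branch is reached only when neither openjpeg variant was found, and the comment states that in that case the rest of the tree is built with HAVE_JPX_DECODER=OFF, so the only reachable outcome is that poppler/JPXStream.cc is dropped. If the intent is to never compile the internal decoder, say so directly instead of encoding it in a condition a reader has to evaluate by hand: remove the set(poppler_SRCS ... poppler/JPXStream.cc) lines outright with a one-line comment naming the reason (unmaintained decoder, CVE-2017-9083 and friends), and consider a `message(STATUS "JPX decoder: none")` or similar in that branch so a jpeg2k-less build visibly reports that it has no JPX support rather than silently omitting it, which is exactly the mismatch between configure output and linked code that this bug is about.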
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0f7e72d6950013ea98f65116dc44cedd8923dd5

commit b0f7e72d6950013ea98f65116dc44cedd8923dd5
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2017-11-24 22:55:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2017-11-24 23:06:22 +0000

    app-text/poppler: Fix CVE-2017-{2820,9083}

    Bug: https://bugs.gentoo.org/619558
    Bug: https://bugs.gentoo.org/624708
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../poppler-0.57.0-disable-internal-jpx.patch | 25 ++++++++++++++++++++++
 app-text/poppler/poppler-0.57.0-r1.ebuild     |  1 +
 2 files changed, 26 insertions(+)
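The whole point of the discussion above is that poppler's configure output and the code that actually gets linked disagreed: CMake reported no JPX decoder while poppler/JPXStream.cc (the internal decoder containing JPXStream::readUByte from the original report) was compiled in anyway. A cheap way to verify a built library rather than trust the build system is to look at its demangled symbol table. The script below is an added example for this bug page, not code from poppler or from the Gentoo tree. It assumes the library exports its C++ symbols with default visibility (so `nm -D -C` can see them), and the sample `nm` lines embedded in it are constructed for the example, not taken from a real build.

```python
"""Check which JPX (JPEG 2000) decoder a built libpoppler actually contains.

Added example for the Gentoo bug thread, not poppler or Gentoo code. The idea
follows the CMake excerpt quoted above: when no openjpeg is found, poppler
compiles its internal poppler/JPXStream.cc even though HAVE_JPX_DECODER is OFF.
Reading the demangled, defined symbols of the resulting library tells you which
decoder was really linked, independent of what configure printed.
"""
import re
import shutil
import subprocess
import sys

# Demangled class prefixes. JPXStream is poppler's internal decoder (the one
# affected by CVE-2017-9083); JPEG2000Stream is the openjpeg-backed one. Both
# file names appear in the CMake snippet quoted in the bug.
INTERNAL_JPX = "JPXStream::"
OPENJPEG_JPX = "JPEG2000Stream::"

# One `nm -C` line: optional address, a symbol-type letter, the demangled name.
_NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+)?\s+([A-Za-z?])\s+(.+)$")


def classify_symbols(nm_lines):
    """Classify `nm -C` output lines by which JPX decoder they belong to.

    Returns {"verdict": "internal" | "openjpeg" | "none", "internal": [...],
    "openjpeg": [...]}. "internal" wins if both are present, because that is the
    case a packager needs to catch.
    """
    internal, openjpeg = set(), set()
    for line in nm_lines:
        m = _NM_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        sym_type, name = m.group(1), m.group(2)
        # 'U' is an undefined (imported) symbol: no evidence the code is linked in.
        if sym_type == "U":
            continue
        if name.startswith(INTERNAL_JPX):
            internal.add(name)
        elif name.startswith(OPENJPEG_JPX):
            openjpeg.add(name)
    if internal:
        verdict = "internal"
    elif openjpeg:
        verdict = "openjpeg"
    else:
        verdict = "none"
    return {"verdict": verdict, "internal": sorted(internal), "openjpeg": sorted(openjpeg)}


def verdict_ok(verdict, expect_jpx):
    """Does the linked decoder match the build's intent?

    expect_jpx=False models USE=-jpeg2k (no JPX decoder at all should be present);
    expect_jpx=True models USE=jpeg2k (the openjpeg-backed decoder is expected).
    The internal decoder is never acceptable.
    """
    if verdict == "internal":
        return False
    if not expect_jpx:
        return verdict == "none"
    return verdict == "openjpeg"


def check_library(path, expect_jpx=False):
    """Run binutils nm on a real shared library and return (verdict, ok)."""
    nm = shutil.which("nm")
    if nm is None:
        raise RuntimeError("nm (binutils) not found")
    # -D: dynamic symbol table (works on stripped .so), -C: demangle C++ names.
    out = subprocess.run([nm, "-D", "-C", "--defined-only", path],
                         capture_output=True, text=True, check=True).stdout
    result = classify_symbols(out.splitlines())
    return result["verdict"], verdict_ok(result["verdict"], expect_jpx)


# Constructed sample output in `nm -C` format (not from a real build).
SAMPLE_INTERNAL = [
    "0000000000123450 T JPXStream::readUByte(unsigned int*)",
    "0000000000123480 T JPXStream::reset()",
    "0000000000200000 T Stream::getNextChar()",
    "                 U malloc",
]
SAMPLE_OPENJPEG = [
    "0000000000130000 T JPEG2000Stream::reset()",
    "0000000000200000 T Stream::getNextChar()",
]
SAMPLE_NONE = [
    "0000000000200000 T Stream::getNextChar()",
]

if __name__ == "__main__":
    # Usage: python check_jpx.py /usr/lib64/libpoppler.so [jpeg2k]
    lib = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib64/libpoppler.so"
    want = len(sys.argv) > 2 and sys.argv[2] == "jpeg2k"
    verdict, ok = check_library(lib, expect_jpx=want)
    print(f"{lib}: JPX decoder = {verdict} ({'ok' if ok else 'MISMATCH'})")
    sys.exit(0 if ok else 1)
```

Run against a USE=-jpeg2k build of the unpatched 0.57.0 this reports "internal", which is the mismatch the thread describes; after the disable-internal-jpx patch it should report "none", and a USE=jpeg2k build "openjpeg". If the library was built with hidden visibility the dynamic table will not show these names and you would need the unstripped object files instead of `-D`.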
Arches, please stabilise.
ppc64 stable
hppa stable
Looking good on ppc.

# cat poppler.report
USE='-cairo -cjk -curl -cxx -doc -introspection -jpeg -jpeg2k -lcms -nss -png -qt4 -qt5 -tiff -utils' succeeded for =app-text/poppler-0.57.0-r1
USE='cairo -cjk curl cxx -doc introspection jpeg jpeg2k lcms -nss -png -qt4 -qt5 -tiff -utils' succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo cjk -curl cxx -doc introspection -jpeg jpeg2k lcms -nss png -qt4 -qt5 -tiff -utils' succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo -cjk curl -cxx -doc introspection jpeg jpeg2k -lcms -nss png -qt4 qt5 -tiff -utils' succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo cjk curl -cxx -doc introspection -jpeg -jpeg2k lcms nss -png -qt4 qt5 tiff -utils' succeeded for =app-text/poppler-0.57.0-r1
USE='cairo -cjk -curl cxx -doc introspection -jpeg -jpeg2k lcms -nss png qt4 qt5 tiff -utils' succeeded for =app-text/poppler-0.57.0-r1
USE='cairo -cjk curl cxx doc -introspection jpeg jpeg2k -lcms nss -png -qt4 -qt5 -tiff utils' succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo -cjk curl cxx doc introspection -jpeg jpeg2k lcms nss -png qt4 -qt5 -tiff utils' succeeded for =app-text/poppler-0.57.0-r1
USE='cairo -cjk curl -cxx -doc introspection jpeg jpeg2k -lcms -nss png -qt4 qt5 -tiff utils' succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo cjk curl -cxx -doc introspection -jpeg -jpeg2k -lcms -nss -png qt4 qt5 -tiff utils' succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo -cjk curl -cxx doc introspection jpeg jpeg2k -lcms nss -png qt4 qt5 -tiff utils' succeeded for =app-text/poppler-0.57.0-r1
USE='-cairo cjk curl -cxx doc introspection jpeg -jpeg2k -lcms nss png qt4 qt5 -tiff utils' succeeded for =app-text/poppler-0.57.0-r1
USE='cairo cjk curl cxx -doc -introspection jpeg -jpeg2k lcms nss png qt4 qt5 tiff utils' succeeded for =app-text/poppler-0.57.0-r1
USE='cairo cjk curl cxx doc introspection jpeg jpeg2k lcms nss png qt4 qt5 tiff utils' succeeded for =app-text/poppler-0.57.0-r1
FEATURES=test succeeded for =app-text/poppler-0.57.0-r1
ppc stable (ernsteiswuerfel)
amd64 stable
x86 stable
ia64 stable
Stable on alpha.
arm ping
sparc stable (thanks to Rolf Eike Beer)
arm stable, all arches done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9283eee020cca78236442b948c74b1327c6a80e6

commit 9283eee020cca78236442b948c74b1327c6a80e6
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2017-12-12 18:55:28 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2017-12-12 18:55:28 +0000

    app-text/poppler: Drop vulnerable 0.57.0 (r0)

    Bug: https://bugs.gentoo.org/619558
    Package-Manager: Portage-2.3.18, Repoman-2.3.6

 app-text/poppler/poppler-0.57.0.ebuild | 146 ---------------------------------
 1 file changed, 146 deletions(-)
kde, office teams done.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25a02f548c6203536c02e119b06d16a80be7fc73

commit 25a02f548c6203536c02e119b06d16a80be7fc73
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2017-12-20 23:07:07 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2017-12-20 23:07:55 +0000

    app-text/poppler: Fix CVE-2017-{2820,9083}

    Bug: https://bugs.gentoo.org/619558
    Bug: https://bugs.gentoo.org/624708
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 app-text/poppler/poppler-0.61.1.ebuild | 1 +
 app-text/poppler/poppler-0.62.0.ebuild | 1 +
 app-text/poppler/poppler-9999.ebuild   | 1 +
 3 files changed, 3 insertions(+)
This issue was resolved and addressed in GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17 by GLSA coordinator Aaron Bauman (b-man).