Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622430 (CVE-2017-9406, CVE-2017-9408) - <app-text/poppler-0.55.0: Multiple Vulnerabilities (CVE-2017-{9406,9408})
Summary: <app-text/poppler-0.55.0: Multiple Vulnerabilities (CVE-2017-{9406,9408})
Status: RESOLVED FIXED
Alias: CVE-2017-9406, CVE-2017-9408
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2017-9865
Blocks:
  Show dependency tree
 
Reported: 2017-06-21 22:42 UTC by Volkan
Modified: 2018-01-17 13:43 UTC (History)
3 users (show)

See Also:
Package list:
app-text/poppler-0.56.0
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Volkan 2017-06-21 22:42:02 UTC
CVE-2017-9408 
A memory leak vulnerability was found in poppler in the function Object::initArray in Object.cc, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://bugs.freedesktop.org/show_bug.cgi?id=100776

CVE-2017-9406 
A memory leak vulnerability was found in poppler in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://bugs.freedesktop.org/show_bug.cgi?id=100775
Comment 1 Agostino Sarubbo gentoo-dev 2017-06-22 07:50:38 UTC
For the record:
https://github.com/ImageMagick/ImageMagick/issues/462#issuecomment-298251168
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-06-22 11:56:26 UTC
These have been addressed in 0.56.0, which is available in tree.

There's another fix https://cgit.freedesktop.org/poppler/poppler/commit/?id=3a2759aa2a98c2157cb35731b95e393b8882f8d3 but that seems to point to a wrong CVE.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-06-28 11:58:32 UTC
@ Maintainer(s): Can we start stabilization of =app-text/poppler-0.56.0?
Comment 4 Michael Palimaka (kensington) gentoo-dev 2017-08-09 12:00:33 UTC
(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): Can we start stabilization of =app-text/poppler-0.56.0?

I'm suggesting we move forward with 0.57.0 in bug #627390.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2017-08-10 07:18:14 UTC
Setting dependency as per suggestion
Comment 6 Michael Palimaka (kensington) gentoo-dev 2017-10-01 11:53:33 UTC
These were actually fixed in 0.55
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-24 14:31:25 UTC
Added to existing GLSA
Comment 8 Andreas Sturmlechner gentoo-dev 2017-11-24 19:34:24 UTC
KDE work done.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 13:43:23 UTC
This issue was resolved and addressed in
 GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17
by GLSA coordinator Aaron Bauman (b-man).