From ${URL} :

An exploitable integer overflow vulnerability exists in the JPEG 2000 image parsing functionality of freedesktop.org Poppler. A specially crafted PDF file can lead to an integer overflow causing out of bounds memory overwrite on the heap resulting in potential arbitrary code execution. To trigger this vulnerability, a victim must open the malicious PDF in an application using this library.

External References:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0321

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Setting dependency to stabilization bug.
Removing dependency, there's no evidence that this is fixed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0f7e72d6950013ea98f65116dc44cedd8923dd5

commit b0f7e72d6950013ea98f65116dc44cedd8923dd5
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2017-11-24 22:55:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2017-11-24 23:06:22 +0000

    app-text/poppler: Fix CVE-2017-{2820,9083}

    Bug: https://bugs.gentoo.org/619558
    Bug: https://bugs.gentoo.org/624708
    Package-Manager: Portage-2.3.16, Repoman-2.3.6

 .../poppler-0.57.0-disable-internal-jpx.patch | 25 ++++++++++++++++++++++
 app-text/poppler/poppler-0.57.0-r1.ebuild | 1 +
 2 files changed, 26 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25a02f548c6203536c02e119b06d16a80be7fc73

commit 25a02f548c6203536c02e119b06d16a80be7fc73
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2017-12-20 23:07:07 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2017-12-20 23:07:55 +0000

    app-text/poppler: Fix CVE-2017-{2820,9083}

    Bug: https://bugs.gentoo.org/619558
    Bug: https://bugs.gentoo.org/624708
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 app-text/poppler/poppler-0.61.1.ebuild | 1 +
 app-text/poppler/poppler-0.62.0.ebuild | 1 +
 app-text/poppler/poppler-9999.ebuild | 1 +
 3 files changed, 3 insertions(+)
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17 by GLSA coordinator Aaron Bauman (b-man).