The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in ImageOutputDev.cc.
We're quite behind on poppler version so barring any major issues I think we should proceed with stabilising the latest 0.57.0.
We'll need to coordinate with office team for libreoffice-bin and we'll need to look into some revdep issues like bug #626844 and bug #626874.
I've done a quick test of the revdeps, and haven't found any other issues beyond what are already marked as blocking this bug.
Let's proceed with stabilising app-text/poppler-0.57.0.
The bug has been referenced in the following commit(s):
Author: Michael Palimaka <email@example.com>
AuthorDate: 2017-10-01 12:12:13 +0000
Commit: Michael Palimaka <firstname.lastname@example.org>
CommitDate: 2017-10-01 12:12:30 +0000
app-text/poppler: stabilise 0.57.0 for amd64/x86
Package-Manager: Portage-2.3.8, Repoman-2.3.3
app-text/poppler/poppler-0.57.0.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)}
Stable on alpha.
@arm64: want to have a go at it as well?
Cleaned up vulnerable version.
New GLSA Request filed.
KDE work done.
Removing arches for cleaned up version.
This issue was resolved and addressed in
GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17
by GLSA coordinator Aaron Bauman (b-man).