The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in ImageOutputDev.cc.
We're quite behind on poppler version so barring any major issues I think we should proceed with stabilising the latest 0.57.0. We'll need to coordinate with office team for libreoffice-bin and we'll need to look into some revdep issues like bug #626844 and bug #626874.
I've done a quick test of the revdeps, and haven't found any other issues beyond what are already marked as blocking this bug.
Let's proceed with stabilising app-text/poppler-0.57.0.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd3c859b04898990e9087cd8ee51cbf922feff7d

commit cd3c859b04898990e9087cd8ee51cbf922feff7d
Author: Michael Palimaka <kensington@gentoo.org>
AuthorDate: 2017-10-01 12:12:13 +0000
Commit: Michael Palimaka <kensington@gentoo.org>
CommitDate: 2017-10-01 12:12:30 +0000

    app-text/poppler: stabilise 0.57.0 for amd64/x86

    Bug: https://bugs.gentoo.org/627390
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 app-text/poppler/poppler-0.57.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
ia64 stable
ppc/ppc64 stable
arm stable
hppa stable
alpha ping
Stable on alpha.
@arm64: want to have a go at it as well?
Cleaned up vulnerable version.
New GLSA Request filed.
KDE work done.
Removing arches for cleaned up version.
This issue was resolved and addressed in GLSA 201801-17 at https://security.gentoo.org/glsa/201801-17 by GLSA coordinator Aaron Bauman (b-man).