According to the RedHat summary [1]: libpoppler in poppler version 0.60.1 is vulnerable to an invalid read and subsequent crash when parsing a specially crafted PDF. The invalid read is caused by incorrect boundary validation in TextOutputDev.cc:TextPool::addWord(), leading to overflow in subsequent calculations. (I checked and it is present in the gentoo stable version, which is 0.57.0-r1.) Upstream patch at [2], needs massaging for gentoo stable version. [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000456 [2] https://cgit.freedesktop.org/poppler/poppler/commit/?id=7ee9dadef37b20bca707a6b1e858e17d191e368b Reproducible: Always
Cleanup done, security, please proceed.
This issue was resolved and addressed in GLSA 201804-03 at https://security.gentoo.org/glsa/201804-03 by GLSA coordinator Aaron Bauman (b-man).