From upstream changelog:
poppler-0.66.0.tar.xz (Tue Jun 19, 2018):
core:
 * Fix lots of security/leak issues found by oss-fuzz
poppler has recently been added to Google's oss-fuzz project, which means a large number of security issues (buffer overflows, uninitialized memory, integer overflows etc.) have been found. Just a few:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=b245154fdebc9a78db163bc95959c6c8f5b4126f
https://cgit.freedesktop.org/poppler/poppler/commit/?id=9a8d33246601dbd2bea98bb3404596848f71162a
https://cgit.freedesktop.org/poppler/poppler/commit/?id=adb7cac1b787b35c4f5d25e0441e459ab92d0469
See also the git history:
https://cgit.freedesktop.org/poppler/poppler/log/
Many fixed in 0.66.0, but work is ongoing. We should treat 0.66.0 as a security update (and probably the next 1-2 versions as well).
We were planning to stabilise this version in any case.
Seems like they did not finish fixing those in 0.66.0:
Release 0.67.0
core:
 * Fix lots of security/leak issues found by oss-fuzz
If you plan to stabilize 0.67.0 instead of 0.66.0, we need to stabilize >=net-print/cups-filters-1.20.4 first because I had to add a compile fix for poppler-0.67.0
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> If you plan to stabilize 0.67.0 instead of 0.66.0, we need to stabilize
> >=net-print/cups-filters-1.20.4 first because I had to add a compile fix for
> poppler-0.67.0
That one in addition probably will not block us over the existing dependencies of this bug.
More fixes from upstream:
The latest stable release is poppler-0.69.0.tar.xz, released on Sep 21, 2018:
[...]
 * Fix security issues found by oss-fuzz
@Hanno: Can you identify the patch(es) we need to backport to 0.67.0?
There have been a lot of patches:
https://cgit.freedesktop.org/poppler/poppler/log/?ofs=100
https://cgit.freedesktop.org/poppler/poppler/log/?ofs=50
Countless referencing overflow and oss-fuzz. I don't think backporting is feasible.
Looking at the dependencies I think only inkscape is really blocking it right now, the others are only waiting for stabilization on minor archs.
(In reply to Hanno Boeck from comment #6)
> Looking at the dependencies I think only inkscape is really blocking it
> right now, the others are only waiting for stabilization on minor archs.
We know that about 0.67.0 that this tracker was about, but we have no idea what new problems 0.68 and 0.69 are going to introduce on revdeps.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26d130e47af495f6ab0937e2d45874101bfdfc4e
commit 26d130e47af495f6ab0937e2d45874101bfdfc4e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-11-03 21:25:13 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-11-03 21:30:52 +0000
    app-text/poppler: 0.68.0 version bump
    Depend on >=media-libs/openjpeg-2.3.0-r1 with fixed cmake install paths.
    Bug: https://bugs.gentoo.org/659828
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
 app-text/poppler/Manifest              |   1 +
 app-text/poppler/poppler-0.68.0.ebuild | 126 +++++++++++++++++++++++++++++++++
 2 files changed, 127 insertions(+)
We will target 0.68.0 for stabilisation soon, even if it does not fix all oss-fuzz security issues. Everything above requires patching practically every revdep.
Arches, please stabilise.
There is a dependency missing which also needs to be stabilized:
The following keyword changes are necessary to proceed:
 (see "package.accept_keywords" in the portage(5) man page for more details)
# required by app-text/poppler-0.68.0::gentoo[jpeg2k]
# required by app-office/libreoffice-6.0.6.2::gentoo[pdfimport]
# required by @__auto_slot_operator_replace_installed__ (argument)
=media-libs/openjpeg-2.3.0-r1 ~amd64
An automated check of this bug failed - repoman reported dependency errors (255 lines truncated):
> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/openjpeg-2.3.0-r1:2=']
> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['>=media-libs/openjpeg-2.3.0-r1:2=']
> dependency.bad app-text/poppler/poppler-0.68.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=media-libs/openjpeg-2.3.0-r1:2=']
x86 stable
sparc stable
ia64 stable
alpha stable
amd64 stable
Looking good on ppc64.
openjpeg-2.3.0-r1 test failure (bug #673924).
rdeps failing: luatex (bug #673924), gimp (bug #669080), pillow (bug #662686).
# cat openjpeg-659828.report
USE tests started on Fr 28. Dez 20:38:43 CET 2018
FEATURES=' test' failed for =media-libs/openjpeg-2.3.0-r1
USE='-doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='-doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
FEATURES=' test' USE='' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk curl -cxx doc -introspection -jpeg -jpeg2k lcms -nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk curl cxx -doc -introspection jpeg jpeg2k -lcms -nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc -introspection jpeg jpeg2k lcms -nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc introspection jpeg jpeg2k -lcms nss -png qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo -cjk -curl -cxx -doc -introspection jpeg jpeg2k lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc -introspection jpeg jpeg2k -lcms -nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx -doc -introspection -jpeg jpeg2k lcms -nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl cxx doc -introspection -jpeg -jpeg2k lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx doc introspection jpeg -jpeg2k -lcms nss -png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo -cjk -curl -cxx -doc -introspection -jpeg jpeg2k lcms -nss png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx -doc introspection -jpeg -jpeg2k -lcms -nss png -qt5 tiff utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx -doc introspection -jpeg -jpeg2k lcms nss png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0
revdep tests started on Fr 28. Dez 21:04:16 CET 2018
FEATURES=' test' USE='jpeg2k' succeeded for media-video/ffmpeg
USE='jpeg2k' FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='jpeg2k' succeeded for dev-libs/efl
FEATURES=' test' USE='-static' succeeded for app-text/llpp
FEATURES=' test' USE='' succeeded for app-text/ghostscript-gpl
FEATURES=' test' USE='jpeg2k' succeeded for media-video/gpac
FEATURES=' test' USE='jpeg2k' succeeded for sci-libs/gdal
FEATURES=' test' USE='jpeg2k' succeeded for app-text/poppler
FEATURES=' test' USE='jpeg2k' succeeded for media-video/libav
USE='jpeg2k' FEATURES=' test' failed for dev-python/pillow
FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='pdf' succeeded for dev-libs/efl
FEATURES=' test' failed for dev-tex/luatex
FEATURES=' test' USE='pdf' succeeded for sci-libs/gdal
FEATURES=' test' USE='pdf' succeeded for dev-games/openscenegraph
FEATURES=' test' USE='' succeeded for app-office/scribus
FEATURES=' test' USE='pdf' succeeded for xfce-extra/tumbler
FEATURES=' test' USE='pdf' succeeded for media-gfx/graphviz
FEATURES=' test' USE='' succeeded for net-print/cups-filters
FEATURES=' test' USE='' succeeded for app-text/texlive-core
Made a little mistake, my last post was about ppc not ppc64. This one is about ppc64:
Looking good on ppc64.
openjpeg-2.3.0-r1 test failure (bug #673924).
rdeps failing: luatex (bug #673924), gimp (bug #669080), pillow (bug #662686).
# cat openjpeg-659828.report
USE tests started on Do 27. Dez 13:45:10 CET 2018
FEATURES=' test' failed for =media-libs/openjpeg-2.3.0-r1
USE='-doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc -static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='-doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
USE='doc static-libs' succeeded for =media-libs/openjpeg-2.3.0-r1
FEATURES=' test' USE='' succeeded for =app-text/poppler-0.68.0
USE='cairo cjk -curl -cxx doc introspection jpeg jpeg2k lcms -nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc -introspection jpeg -jpeg2k -lcms nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl -cxx -doc introspection -jpeg -jpeg2k lcms nss -png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx doc introspection jpeg jpeg2k lcms -nss png -qt5 -tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx doc introspection -jpeg -jpeg2k lcms -nss -png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk curl -cxx doc introspection -jpeg -jpeg2k -lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl -cxx doc introspection -jpeg jpeg2k -lcms -nss png -qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk -curl cxx -doc introspection -jpeg -jpeg2k -lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx -doc -introspection jpeg jpeg2k -lcms nss -png qt5 tiff -utils' succeeded for =app-text/poppler-0.68.0
USE='cairo -cjk curl cxx doc introspection -jpeg jpeg2k lcms -nss -png qt5 -tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl cxx -doc -introspection jpeg -jpeg2k lcms -nss -png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0
USE='-cairo cjk -curl -cxx doc introspection -jpeg -jpeg2k lcms nss -png qt5 tiff utils' succeeded for =app-text/poppler-0.68.0
revdep tests started on Fr 28. Dez 23:59:19 CET 2018
FEATURES=' test' USE='jpeg2k' succeeded for app-text/poppler
FEATURES=' test' USE='jpeg2k' succeeded for sci-libs/gdal
USE='jpeg2k' FEATURES=' test' failed for dev-python/pillow
USE='jpeg2k' FEATURES=' test' failed for media-gfx/gimp
FEATURES=' test' USE='jpeg2k' succeeded for media-video/ffmpeg
FEATURES=' test' USE='' succeeded for app-text/ghostscript-gpl
FEATURES=' test' USE='jpeg2k' succeeded for media-video/libav
FEATURES=' test' USE='' succeeded for app-text/mupdf
FEATURES=' test' USE='jpeg2k' succeeded for media-gfx/imagemagick
FEATURES=' test' USE='jpeg2k' succeeded for media-libs/leptonica
FEATURES=' test' USE='' succeeded for net-print/cups-filters
FEATURES=' test' USE='' succeeded for app-office/scribus
FEATURES=' test' USE='latex' succeeded for dev-python/matplotlib
FEATURES=' test' failed for dev-tex/luatex
FEATURES=' test' USE='' succeeded for media-gfx/inkscape
FEATURES=' test' USE='pdf' succeeded for sci-libs/gdal
FEATURES=' test' USE='pdf' succeeded for media-gfx/graphviz
FEATURES=' test' USE='' succeeded for app-text/texlive-core
FEATURES=' test' USE='' succeeded for media-gfx/fbida
FEATURES=' test' USE='pdf' succeeded for dev-games/openscenegraph
hppa stable
arm stable
arm64 stable
ping powerpc
ppc/ppc64 stable thanks to ernsteiswuerfel!
s390 stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4090dfd2d2c2be4cd3eccf155db2a3ddf1dd4091
commit 4090dfd2d2c2be4cd3eccf155db2a3ddf1dd4091
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-01-30 22:27:45 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-01-30 22:29:25 +0000
    app-text/poppler: Security cleanup
    Bug: https://bugs.gentoo.org/659828
    Package-Manager: Portage-2.3.59, Repoman-2.3.12
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
 app-text/poppler/Manifest                          |   1 -
 app-text/poppler/files/poppler-0.62.0-glibc.patch  |  34 ------
 .../poppler/files/poppler-0.62.0-openjpeg2.patch   |  14 ---
 app-text/poppler/poppler-0.62.0-r1.ebuild          | 127 ---------------------
 4 files changed, 176 deletions(-)
kde/office is done here, anyway.
This issue was resolved and addressed in GLSA 201904-04 at https://security.gentoo.org/glsa/201904-04 by GLSA coordinator Aaron Bauman (b-man).