(https://nvd.nist.gov/vuln/detail/CVE-2018-20662): In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing. Upstream Patch: https://gitlab.freedesktop.org/poppler/poppler/commit/9fd5ec0e6e5f763b190f2a55ceb5427cfe851d5f [reverted]
Maintainers please advise if this is fixed in tree.
It isn't, as the upstream bug is still open and the original patch reverted for a good reason.
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/193/diffs?commit_id=7b4e372deeb716eb3fe3a54b31ed41af759224f9
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c21200f502c2efbddf80d5ff88aae6b24213a6dc commit c21200f502c2efbddf80d5ff88aae6b24213a6dc Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2019-06-14 17:53:29 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2019-06-14 20:42:20 +0000 app-text/poppler: Security cleanup Bug: https://bugs.gentoo.org/674618 Bug: https://bugs.gentoo.org/681128 Bug: https://bugs.gentoo.org/681152 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> Package-Manager: Portage-2.3.66, Repoman-2.3.11 app-text/poppler/Manifest | 2 - app-text/poppler/poppler-0.74.0.ebuild | 127 --------------------------------- app-text/poppler/poppler-0.76.1.ebuild | 127 --------------------------------- 3 files changed, 256 deletions(-)
Cleanup done, KDE team out.
