** Please note that this issue is confidential at the moment and no information should be disclosed until it is made public **

We have been contacted by oCERT about a vulnerability in poppler:

Description: The poppler PDF rendering library suffers a memory management bug which leads to arbitrary code execution. The vulnerability is present in the Page class constructor/destructor. The pageWidgets object is not initialized in the Page constructor if specific conditions are met, but it is deleted afterwards in the destructor regardless of its initialization. Specific PDF files can be crafted which allocate arbitrary memory to trigger the vulnerability.

Affected version: poppler <= 0.8.3
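The constructor/destructor mismatch described in the report above, shown as an added example that is not poppler's code and not the patch attached to this bug. The names `Widgets`, `PageVulnerable`, `PageHardened` and the `hasAnnots` condition are hypothetical stand-ins for the "specific conditions" the report mentions.

```cpp
#include <cstdio>

// Hypothetical stand-in for the widget container; counts live instances.
struct Widgets {
    static int live;
    Widgets()  { ++live; }
    ~Widgets() { --live; }
};
int Widgets::live = 0;

// Vulnerable shape: the member is assigned on one branch only, yet the
// destructor always deletes it. Defined for comparison, never instantiated,
// because destroying it with hasAnnots == false is undefined behaviour.
class PageVulnerable {
public:
    explicit PageVulnerable(bool hasAnnots) {
        if (hasAnnots)
            pageWidgets = new Widgets();
        // else: pageWidgets keeps whatever bytes were already in that memory
    }
    ~PageVulnerable() { delete pageWidgets; }
private:
    Widgets *pageWidgets;
};

// Hardened shape: the pointer is null on every path before any branch runs.
class PageHardened {
public:
    explicit PageHardened(bool hasAnnots) : pageWidgets(nullptr) {
        if (hasAnnots)
            pageWidgets = new Widgets();
    }
    ~PageHardened() { delete pageWidgets; }  // deleting nullptr is a no-op
    PageHardened(const PageHardened &) = delete;  // one owner, no double delete
    PageHardened &operator=(const PageHardened &) = delete;
    bool hasWidgets() const { return pageWidgets != nullptr; }
private:
    Widgets *pageWidgets;
};

// Builds and destroys one hardened page; returns widgets still alive after.
int liveAfterLifecycle(bool hasAnnots) {
    { PageHardened page(hasAnnots); }
    return Widgets::live;
}

int main() {
    std::printf("no annots: %d live, annots: %d live\n",
                liveAfterLifecycle(false), liveAfterLifecycle(true));
    return 0;
}
```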
Created attachment 158795 [details, diff] patch
dang/tgurr please prepare an ebuild with the attached patch... do not commit anything to the tree, but attach the ebuild etc. to this bug so the arch liaisons can test it
Created attachment 158877 [details, diff] Previous patch, renamed
Created attachment 158879 [details] Ebuild with patch
Note: 0.8.4 is in the tree now, also with this bug. The same patch applies. That will have to be bumped at the same time as 0.8.3, but not to stable.
thanks Daniel

Arch Security Liaisons, please test the attached ebuild (app-text/poppler-0.8.3-r1) and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"

CC'ing current Liaisons:
alpha : yoswink
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
release : pva
sparc : fmccor
x86 : opfer
Sparc looks good for poppler-0.8.3-r1. However, for this to go stable, testing shows that *at least* these packages must also go stable: app-text/poppler-bindings-0.8.3 media-gfx/inkscape-0.46-r3 (and also several rebuilds besides, such as xpdf, evince, and gimp for me). So please make sure to catch everything which needs an upgrade along with poppler before making this stable. I just mentioned the ones I know about; there might be others, and I suspect they are triggered by the required poppler-bindings upgrade.
Created attachment 158999 [details] poppler 0.6.3 ebuild
Blast. I'd completely forgotten that 0.8.x wasn't stable yet. Here's an ebuild for 0.6.3-r1 (fortunately, the same patch applies). Please test this one for stable instead.
0.6.3-r1 is good on sparc, too.
HPPA is OK.
ppc64 ok
x86 will go with stable
Ready for alpha. evince using stable poppler-bindings and 0.6.3-r1 of poppler is able to show a pdf without any problem.
sorry for the version mess up earlier... Anyways, this is going public at 16:00 CET. It would be nice if the remaining arches could give their OK by that time too.
Adding ranger and gentoofan23 as support for the missing arches. Please test the poppler-0.6.3-r1.ebuild attached to this bug in your stable tree and report the results here.
seems ok for ppc64
ppc64 gave their ok already, ppc is still missing though (and amd64) ;-)
I'm not the amd64 security guy, but I am on the amd64 team, and I did test it on amd64. I'm not sure of the rules for sec bugs, but if that's sufficient, you can count amd64.
public via $URL

printing herd/dang, please commit the relevant ebuilds

poppler-0.6.3-r1 has collected the following stable keywords here already: "alpha amd64 hppa ppc64 sparc x86"

removing liaisons

to be added when committed: ia64 arm m68k s390 sh (ppc)
Committed. I left 0.6.3, but it (and 0.6.1-r1) should be removed when everyone has updated their stable keywords.
thanks Daniel

remaining arches, please test and stabilize =app-text/poppler-0.6.3-r1

GLSA is drafted and ready to go
ia64 stable
ppc stable
this was GLSA 200807-04.