Bug 496770 (CVE-2013-7296) - <app-text/poppler-0.24.5 : "JBIG2Stream::readSegments()" Denial of Service Vulnerability (CVE-2013-7296)
Status: RESOLVED FIXED
Alias: CVE-2013-7296
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/56268/
Whiteboard: A3 [glsa]
Keywords:
Depends on: 490362
Reported: 2014-01-02 14:43 UTC by Agostino Sarubbo
Modified: 2014-01-21 19:31 UTC
Description Agostino Sarubbo gentoo-dev 2014-01-02 14:43:15 UTC
From ${URL} :

Description

A vulnerability has been reported in Poppler, which can be exploited by malicious people to cause a DoS 
(Denial of Service) in an application using the library.

The vulnerability is caused due to a format string error when handling extraneous bytes within a segment 
in the "JBIG2Stream::readSegments()" method (JBIG2Stream.cc), which can be exploited to cause a crash.


Solution:
Fixed in the source code repository.

Provided and/or discovered by:
Originally reported by xiao in okular within a KDE bug report.

Original Advisory:
Poppler:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=58e04a08afee39370283c494ee2e4e392fd3b684

xiao:
https://bugs.kde.org/show_bug.cgi?id=328511


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2014-01-02 19:49:30 UTC
According to upstream, we'll most likely get a release today or tomorrow (which contains the fix). I think that's speedy enough to avoid backporting.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2014-01-03 15:53:30 UTC
This is fixed in app-text/poppler-0.24.5

Since the SONAME of libpoppler.so changed, I need to start a libreoffice-bin rebuild. Arches can start testing and subsequently stabilizing 0.24.5, but we will have to add the new lo-bin to this fast-stabilization once it's ready.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-01-04 05:59:00 UTC
Arches, please test and mark stable:

=app-text/poppler-0.24.5

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2014-01-04 12:45:05 UTC
  (app-text/poppler-0.24.3::gentoo, installed) pulled in by
    >=app-text/poppler-0.12.3-r3:0/43= required by (app-text/texlive-core-2012-r1::gentoo, installed)
    app-text/poppler:0/43=[xpdf-headers(+)] required by (dev-tex/luatex-0.70.1-r2::gentoo, installed)
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2014-01-04 12:56:32 UTC
(In reply to Agostino Sarubbo from comment #4)
>   (app-text/poppler-0.24.3::gentoo, installed) pulled in by
>     >=app-text/poppler-0.12.3-r3:0/43= required by
> (app-text/texlive-core-2012-r1::gentoo, installed)
>     app-text/poppler:0/43=[xpdf-headers(+)] required by
> (dev-tex/luatex-0.70.1-r2::gentoo, installed)

Ah please. That's called a subslot dependency. :o)
Most likely we're hitting portage bug 490362 here.
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-04 13:17:32 UTC
(In reply to Andreas K. Hüttel from comment #5)
> Ah please. That's called a subslot dependency. :o)
> Most likely we're hitting portage bug 490362 here.

I know.

I just guess this is not ready to go to stable.
Comment 7 Andreas K. Hüttel archtester gentoo-dev 2014-01-04 13:43:48 UTC
(In reply to Agostino Sarubbo from comment #6)
> (In reply to Andreas K. Hüttel from comment #5)
> > Ah please. That's called a subslot dependency. :o)
> > Most likely we're hitting portage bug 490362 here.
> 
> I know.
> 
> I just guess this is not ready to go to stable.

*shrug* Ago, what is exactly not ready to go stable?

The subslot is already in your installed stable packages (else you would not see the :43=), it's not added in the to-be-stabilized package. (Apart from version numbers and the subslot number, which I have to change because the soversion changes, the ebuilds are identical.)

The only real improvement that I can see would be to wait for a new stable portage where this is hopefully fixed, and continue with this bug afterwards.
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-04 14:24:53 UTC
(In reply to Andreas K. Hüttel from comment #7)
> *shrug* Ago, what is exactly not ready to go stable?

Err. There was a local fault here. All is fine.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-04 16:14:22 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-04 21:13:32 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-01-04 21:13:47 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-01-05 08:59:17 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-01-05 09:02:49 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-01-05 09:04:29 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-01-05 09:10:33 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-01-05 09:37:59 UTC
alpha stable
Comment 17 Andreas K. Hüttel archtester gentoo-dev 2014-01-05 23:03:12 UTC
Re-adding amd64 and x86: please additionally fast-stabilize

=app-office/libreoffice-bin-4.1.3.2-r3
=app-office/libreoffice-bin-debug-4.1.3.2-r3

(same source as -r2, but rebuilt for glibc-2.7, poppler-0.24.5, and libpng-1.6.8, all stabilized in the meantime)
Comment 18 Pacho Ramos gentoo-dev 2014-01-10 22:34:07 UTC
(In reply to Andreas K. Hüttel from comment #17)
> Re-adding amd64 and x86: please additionally fast-stabilize
> 
> =app-office/libreoffice-bin-4.1.3.2-r3
> =app-office/libreoffice-bin-debug-4.1.3.2-r3
> 
> (same source as -r2, but rebuilt for glibc-2.7, poppler-0.24.5, and
> libpng-1.6.8, all stabilized in the meantime)

I tried but checksum of -debug package always fails for me:
!!! Fetched file: amd64-debug-libreoffice-4.1.3.2-r3.tar.xz VERIFY FAILED!
!!! Reason: Failed on WHIRLPOOL verification
!!! Got:      8bc4e005c76ef33507b54802d46e96248ad137328c52c0411b65bf1f2895c7ff3c23cf71b16bff6483988734d6958b31fec018eff8e91685630c312020691502
!!! Expected: 57d5e3233c53517b862f987851ee503b61414774426566f9d945dd42792520a062855d0319bc10dfe2a24fd5583c455142c1be4fff7c8369969b0f2578d7a62d
Refetching... File renamed to '/usr/distfiles/amd64-debug-libreoffice-4.1.3.2-r3.tar.xz._checksum_failure_.jK3yCV'

Apart from that, libreoffice-bin works fine for me on amd64, feel free to mark it stable on amd64 if you can fix the -debug checksum problem.
Comment 19 Andreas K. Hüttel archtester gentoo-dev 2014-01-11 00:30:21 UTC
(In reply to Pacho Ramos from comment #18)
> I tried but checksum of -debug package always fails for me:
> !!! Fetched file: amd64-debug-libreoffice-4.1.3.2-r3.tar.xz VERIFY FAILED!
> !!! Reason: Failed on WHIRLPOOL verification

The generation script was buggy and made bad whirlpool sums for large files. Seems no one noticed that in the past. Anyway, should be fixed now.

> Apart from that, libreoffice-bin works fine for me on amd64, feel free to mark
> it stable on amd64 if you can fix the -debug checksum problem

Done, thanks!
Comment 20 Agostino Sarubbo gentoo-dev 2014-01-12 13:18:30 UTC
ia64 stable
Comment 21 Agostino Sarubbo gentoo-dev 2014-01-16 20:23:10 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 22 Andreas K. Hüttel archtester gentoo-dev 2014-01-16 20:59:30 UTC
Vulnerable version removed
Comment 23 Yury German Gentoo Infrastructure gentoo-dev 2014-01-17 00:44:50 UTC
Maintainer(s), Thank you for your work!

CVE Request for this Bug filed but not assigned at this time:
http://seclists.org/oss-sec/2014/q1/97 

Added to existing GLSA Draft.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 19:31:41 UTC
This issue was resolved and addressed in
 GLSA 201401-21 at http://security.gentoo.org/glsa/glsa-201401-21.xml
by GLSA coordinator Sean Amoss (ackle).