Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 579752 (CVE-2015-8868) - <app-text/poppler-0.42.0: heap buffer overflow
Summary: <app-text/poppler-0.42.0: heap buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2015-8868
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-12 14:49 UTC by Agostino Sarubbo
Modified: 2016-11-22 11:38 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-12 14:49:35 UTC
From ${URL} :

A heap buffer overflow vulnerability was found in the poppler library. A maliciously crafted file 
could cause the application to crash.

Upstream fix:

https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433

References (reproducer attached):

http://seclists.org/oss-sec/2016/q2/56


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2016-04-12 14:54:47 UTC
fixed in > 0.40.0
Comment 2 Johannes Huber gentoo-dev 2016-04-13 10:43:10 UTC
Arches please stabilize =app-text/poppler-0.42.0.

Target:
          |                                 |   u        |  
          | a a   a         n   p r     s   |   n        |  
          | l m   r h i m m i   p i s   p   | e u s      | r
          | p d a m p a 6 i o p c s 3   a x | a s l      | e
          | h 6 r 6 p 6 8 p s p 6 c 9 s r 8 | p e o      | p
          | a 4 m 4 a 4 k s 2 c 4 v 0 h c 6 | i d t      | o
----------+---------------------------------+------------+-------
   0.42.0 | + + + o + + o ~ o + + o ~ ~ + + | 6 o 0/59   | gentoo
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2016-04-15 22:53:13 UTC
FYI, a version of libreoffice-bin-5.1.2.2 compiled against poppler-0.42.0 (and icu-57.1) is in preparation. As soon as it is finished I'll file the corresponding stable request for libreoffice (and icu).
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-16 17:30:25 UTC
Stable for HPPA PPC64.
Comment 5 Markus Meier gentoo-dev 2016-04-19 15:58:06 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-20 08:56:28 UTC
amd64 stable
Comment 7 Matt Turner gentoo-dev 2016-05-02 03:34:05 UTC
alpha stable
Comment 8 Pacho Ramos gentoo-dev 2016-05-07 11:52:32 UTC
x86 will be done in bug 580672 (to prevent people from needing to rebuild libreoffice multiple times)
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2016-07-03 19:49:53 UTC
ia64, ppc, sparc: ping!!!
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 07:56:40 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 10:05:12 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-07-08 12:04:43 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Johannes Huber gentoo-dev 2016-07-08 12:42:09 UTC
x86 is not done yet bug #580672
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2016-07-28 15:23:28 UTC
(In reply to Johannes Huber from comment #13)
> x86 is not done yet bug #580672

x86 has 0.45.0 stable now; cleanup done
Comment 15 Johannes Huber gentoo-dev 2016-11-01 10:04:43 UTC
(In reply to Andreas K. Hüttel from comment #14)
> (In reply to Johannes Huber from comment #13)
> > x86 is not done yet bug #580672
> 
> x86 has 0.45.0 stable now; cleanup done

Thanks. Removing maintainers then.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2016-11-22 11:38:54 UTC
This issue was resolved and addressed in
 GLSA 201611-15 at https://security.gentoo.org/glsa/201611-15
by GLSA coordinator Aaron Bauman (b-man).