GNU bug report logs - #27621
Poppler's replacement is ABI-incompatible with the original


Package: guix;

Reported by: Ben Woodcroft <donttrustben <at> gmail.com>

Date: Sat, 8 Jul 2017 16:43:02 UTC

Severity: important

Tags: patch

Done: Mark H Weaver <mhw <at> netris.org>



Message #23 received at 27621-done <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: Ben Woodcroft <donttrustben <at> gmail.com>, 27621-done <at> debbugs.gnu.org
Subject: Re: bug#27621: Poppler's replacement is ABI-incompatible with the original
Date: Sun, 09 Jul 2017 17:25:07 -0400

Leo Famulari <leo <at> famulari.name> writes:

> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

Thank you! :)

> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.

I looked, but backporting the fix to 0.52.0 seems non-trivial.  Fedora
26 uses poppler-0.52.0, but I see that they have not yet fixed either of
these CVEs.

  http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26

They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0.  I'll look into adding this patch to our
poppler.

FWIW, Fedora considers CVE-2017-9775 to be of low severity:

  https://access.redhat.com/security/cve/cve-2017-9775

Anyway, I'm closing this bug now.  Thanks again for your tireless
efforts to keep us safe, Leo!

      Mark
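The fix Mark describes above is the Guix graft pattern: keep the package at 0.52.0 and point its `replacement` field at a variant that differs only in its patched source, so that packages built against the original can have the fixed library swapped into their store references without a rebuild. The following is an added illustration of that pattern, not the poppler definition from the Guix repository or from the commit Leo pushed. The package body is trimmed to the fields the pattern needs, the sha256 is a placeholder rather than the real tarball hash, and the patch file name `poppler-CVE-2017-9776.patch` is an assumption (the thread does not say what the commit named it).

```scheme
;; Added example of a Guix graft that applies a backported fix instead of
;; bumping to an ABI-incompatible release.  Not the real poppler package;
;; the hash is a placeholder and the patch file name is an assumption.
(define-module (gnu packages poppler-graft-example)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (gnu packages))        ; provides search-patches

(define-public poppler
  (package
    (name "poppler")
    (version "0.52.0")
    (source (origin
              (method url-fetch)
              (uri (string-append "https://poppler.freedesktop.org/poppler-"
                                  version ".tar.xz"))
              ;; Placeholder: substitute the real hash of the 0.52.0 tarball.
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    ;; The graft: anything that was built against this package gets
    ;; poppler/fixed substituted into its store references at build time,
    ;; without the dependents themselves being rebuilt.
    (replacement poppler/fixed)
    (home-page "https://poppler.freedesktop.org/")
    (synopsis "PDF rendering library")
    (description "Trimmed placeholder description for the example.")
    (license license:gpl2+)))

;; Same name and version as the original: grafting rewrites store paths
;; in place, so the replacement's output path must have the same length,
;; and because nothing depending on poppler is recompiled the replacement
;; must keep the 0.52.0 ABI.  Only the source changes, by adding a patch.
(define poppler/fixed
  (package
    (inherit poppler)
    (source (origin
              (inherit (package-source poppler))
              ;; Assumed file name, expected under gnu/packages/patches/.
              (patches (search-patches "poppler-CVE-2017-9776.patch"))))))
```

With a definition like this, `guix build poppler` produces the grafted output and `guix build --no-grafts poppler` the original. Before relying on the graft, confirm that the patched build really preserves the ABI (the point of this bug): build both variants and compare the exported dynamic symbols of `libpoppler.so`, for example with `nm -D --defined-only` on each and a `diff` of the sorted symbol lists; any symbol that disappears or changes signature in the replacement would break dependents that were never rebuilt.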



