GNU bug report logs - #27621
Poppler's replacement is ABI-incompatible with the original


Package: guix

Reported by: Ben Woodcroft <donttrustben <at> gmail.com>

Date: Sat, 8 Jul 2017 16:43:02 UTC

Severity: important

Tags: patch

Done: Mark H Weaver <mhw <at> netris.org>

Bug is archived. No further changes may be made.

From: Leo Famulari <leo <at> famulari.name>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 27621-done <at> debbugs.gnu.org
Subject: bug#27621: Poppler's replacement is ABI-incompatible with the original
Date: Sun, 9 Jul 2017 21:48:29 -0400
On Sun, Jul 09, 2017 at 05:25:07PM -0400, Mark H Weaver wrote:
> They did, however, cherry-pick an upstream patch to fix a null pointer
> dereference bug in 0.52.0.  I'll look into adding this patch to our
> poppler.

Thanks! Let us know how it goes.

> FWIW, Fedora considers CVE-2017-9775 to be of low severity:
> 
>   https://access.redhat.com/security/cve/cve-2017-9775

The disclosure on the freedesktop bug tracker [0] says:

"Due to some restrictions in the lines after the bug, an attacker can't
control the values written in the stack so it unlikely this could lead
to a code execution."

So, not great but, if their estimation is right, not that bad either.

[0] https://bugs.freedesktop.org/show_bug.cgi?id=101540



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.