[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#27621: Poppler's replacement is ABI-incompatible with the original
From: |
Mark H Weaver |
Subject: |
bug#27621: Poppler's replacement is ABI-incompatible with the original |
Date: |
Sun, 09 Jul 2017 17:25:07 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) |
Leo Famulari <address@hidden> writes:
> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.
Thank you! :)
> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.
I looked, but backporting the fix to 0.52.0 seems non-trivial. Fedora
26 uses poppler-0.52.0, but I see that they have not yet fixed either of
these CVEs.
http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26
They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0. I'll look into adding this patch to our
poppler.
FWIW, Fedora considers CVE-2017-9775 to be of low severity:
https://access.redhat.com/security/cve/cve-2017-9775
Anyway, I'm closing this bug now. Thanks again for your tireless
efforts to keep us safe, Leo!
Mark