bug-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#27621: Poppler's replacement is ABI-incompatible with the original

From: Mark H Weaver
Subject: bug#27621: Poppler's replacement is ABI-incompatible with the original
Date: Sun, 09 Jul 2017 17:25:07 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) 
Leo Famulari <address@hidden> writes:

> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

Thank you! :)

> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.

I looked, but backporting the fix to 0.52.0 seems non-trivial.  Fedora
26 uses poppler-0.52.0, but I see that they have not yet fixed either of
these CVEs.

  http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26

They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0.  I'll look into adding this patch to our
poppler.

FWIW, Fedora considers CVE-2017-9775 to be of low severity:

  https://access.redhat.com/security/cve/cve-2017-9775

Anyway, I'm closing this bug now.  Thanks again for your tireless
efforts to keep us safe, Leo!

      Mark
reply via email to
[Prev in Thread] Current Thread [Next in Thread]