On Sun, Jul 09, 2017 at 05:25:07PM -0400, Mark H Weaver wrote:

> They did, however, cherry-pick an upstream patch to fix a null pointer
> dereference bug in 0.52.0. I'll look into adding this patch to our
> poppler.

Thanks! Let us know how it goes.

> FWIW, Fedora considers CVE-2017-9775 to be of low severity:
>
> https://access.redhat.com/security/cve/cve-2017-9775

The disclosure on the freedesktop bug tracker [0] says:

"Due to some restrictions in the lines after the bug, an attacker can't control the values written in the stack so it unlikely this could lead to a code execution."

So, not great but, if their estimation is right, not that bad either.

[0] https://bugs.freedesktop.org/show_bug.cgi?id=101540