From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: bug#27621: Poppler's replacement is ABI-incompatible with the original Date: Sun, 9 Jul 2017 21:48:29 -0400 Message-ID: <20170710014829.GA11826@jasmine.lan> References: <20170708110834.13972-1-donttrustben@gmail.com> <87a84ea8lm.fsf@netris.org> <20170709063049.GA31887@jasmine.lan> <87pod98frg.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="RnlQjJ0d97Da+TV1" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:43548) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dUNow-0007HW-2e for bug-guix@gnu.org; Sun, 09 Jul 2017 21:49:07 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dUNos-00084l-Qe for bug-guix@gnu.org; Sun, 09 Jul 2017 21:49:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:56709) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dUNos-00084O-Er for bug-guix@gnu.org; Sun, 09 Jul 2017 21:49:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dUNor-0004bG-Uc for bug-guix@gnu.org; Sun, 09 Jul 2017 21:49:01 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <87pod98frg.fsf@netris.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Mark H Weaver Cc: 27621-done@debbugs.gnu.org --RnlQjJ0d97Da+TV1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Jul 09, 2017 at 05:25:07PM -0400, Mark H Weaver wrote: > They did, however, cherry-pick an upstream patch to fix a null pointer > dereference bug in 0.52.0. I'll look into adding this patch to our > poppler. Thanks! Let us know how it goes. > FWIW, Fedora considers CVE-2017-9775 to be of low severity: >=20 > https://access.redhat.com/security/cve/cve-2017-9775 The disclosure on the freedesktop bug tracker [0] says: "Due to some restrictions in the lines after the bug, an attacker can't control the values written in the stack so it unlikely this could lead to a code execution." So, not great but, if their estimation is right, not that bad either. [0] https://bugs.freedesktop.org/show_bug.cgi?id=3D101540 --RnlQjJ0d97Da+TV1 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlli3OkACgkQJkb6MLrK fwj4UA/8DBaA60VMlM0i5pevhzQrAre7vTUOQIuI7XjMpeU5u6iktsKyzMahPLaZ BO6NQXWFlaF/JDDKR+qPNYCFNGxGC6bV3iNZtQTro3nsdyvuX94888Qmye6hGRrK n5vM9hDZCC3vNxVjVdQmmxecFEJ7fXktfLN5KqKMPVJ7TOC+M+sVCPjfOimwNQPL 7+CwnrYowPBK0r/GM1ce5acv3/SreDb2UVAPQC9PBHf5l8ERx/y2fG0ei4ViV4tk cB4Hh9y/Q5HiKqxHOrunZAXFCVH0myhPNxKI7uWk9EofNsHhE+QHNAUNUTGiIqUU CXHzh4C+A+X/P9VaWzo0HVk6yDDsnVuvNyvYPaKxABYYGEOaIqSm+Y7qeTxQvvic HNm7dx/iSQ4IJAffXmgUyrArAruQ2PIxuNwdNPC30cm5yhRdwUitxwREHiIKgY20 dqRjrWIu17ZVvIWFRCcvA+Uu1/bsYn+jrrSpcH7saMsDfi1IegM9nke5iajbfbr6 9b/v6zzMo6Y2LAwsuYuZ9m5D6t5UBlh4LZy/pQj/U132nJyzYqvb9t/lAgz63sBC Bas6AqHjVinrfPBlEsu0FjxpA7H8+BEzv2zOKzHxTi9YBpCjggXtJ2lqxRdmaW95 vrAhumNGnsju4aNgKBxXVyXPdnAUXLvl6+L2EP+pklciJtlcEDU= =1orn -----END PGP SIGNATURE----- --RnlQjJ0d97Da+TV1--