On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
> Ben Woodcroft <donttrustben@gmail.com> writes:
> 
> > Currently Inkscape fails to start as the poppler shared library changes from
> > libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
> > to fix this issue?

> The problem originated with the following security update:
> 
> leo@famulari.name (Leo Famulari) writes:
> > lfam pushed a commit to branch master
> > in repository guix.
> >
> > commit 95bbaa02aa63bc5eae36f686f1ed9915663aa4cf
> > Author: Leo Famulari <leo@famulari.name>
> > Date:   Thu Jun 29 03:10:30 2017 -0400
> >
> >     gnu: poppler: Fix CVE-2017-{9775,9776}.
> >     
> >     * gnu/packages/pdf.scm (poppler)[replacement]: New field.
> >     (poppler-0.56.0): New variable.
> >     (poppler-qt4, poppler-qt5): Use 'package/inherit'.

Sorry about this mistake.

> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
> need to find backported fixes for poppler-0.52.0 (or possibly some newer
> version that has the same ABI as 0.52.0), and apply those as patches in
> the replacement.

I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

We'll need to write and test our own patch for CVE-2017-9775 that will
apply to the source of poppler 0.52.0, or wait for someone else to do
it and copy theirs.