Leo Famulari <[email protected]> writes:

> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

Thank you! :)

> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.

I looked, but backporting the fix to 0.52.0 seems non-trivial.

Fedora 26 uses poppler-0.52.0, but I see that they have not yet fixed
either of these CVEs.

http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26

They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0. I'll look into adding this patch to our
poppler.

FWIW, Fedora considers CVE-2017-9775 to be of low severity:

https://access.redhat.com/security/cve/cve-2017-9775

Anyway, I'm closing this bug now.

Thanks again for your tireless efforts to keep us safe, Leo!

Mark
