On Sun, Jul 09, 2017 at 05:25:07PM -0400, Mark H Weaver wrote:
> They did, however, cherry-pick an upstream patch to fix a null pointer
> dereference bug in 0.52.0.  I'll look into adding this patch to our
> poppler.

Thanks! Let us know how it goes.

> FWIW, Fedora considers CVE-2017-9775 to be of low severity:
> 
>   https://access.redhat.com/security/cve/cve-2017-9775

The disclosure on the freedesktop bug tracker [0] says:

"Due to some restrictions in the lines after the bug, an attacker can't
control the values written in the stack so it is unlikely this could lead
to a code execution."

So, not great, but if their estimate is right, not that bad either.

[0] https://bugs.freedesktop.org/show_bug.cgi?id=101540
