[Touch-packages] [Bug 1989515] Re: "goo/GooCheckedOps.h" is missing in 0.62.0-2ubuntu2.13 on Ubuntu Bionic

Wed, 14 Sep 2022 16:25:37 -0700 

This bug was fixed in the package poppler - 0.62.0-2ubuntu2.14

---------------
poppler (0.62.0-2ubuntu2.14) bionic-security; urgency=medium

  * SECURITY REGRESSION: Adding missing install header
    - debian/patches/0001-Install-goo-GooCheckedOps.h.patch:
      this add goo/GooCheckedOps.h to the CMakeLists.txt in order
      to it be distributed in the libpoppler-private-dev that was
      missing in the previous fix for CVE-2022-38784. (LP: #1989515)

 -- Leonidas Da Silva Barbosa <[email protected]>  Wed, 14 Sep
2022 13:46:18 -0300

** Changed in: poppler (Ubuntu)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-38784

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to poppler in Ubuntu.
https://bugs.launchpad.net/bugs/1989515

Title:
  "goo/GooCheckedOps.h" is missing in 0.62.0-2ubuntu2.13 on Ubuntu
  Bionic

Status in poppler package in Ubuntu:
  Fix Released

Bug description:
  Somehow "goo/GooCheckedOps.h" is missing in 0.62.0-2ubuntu2.13 on
  Ubuntu Bionic but "goo/gmem.h" still has the statement `#include
  "GooCheckedOps.h"`. As a result, a compile error will happen when
  compiling code that uses poppler:

  /usr/include/poppler/goo/gmem.h:31:11: fatal error: GooCheckedOps.h:
  No such file or directory

  I'm using Ubuntu 18.04 and currently having 0.62.0-2ubuntu2.12 (the
  previous version) installed. I confirmed that "goo/gmem.h" doesn't
  have the `#include "GooCheckedOps.h"` statement.

  I found this issue when I was compiling gdal on my Docker container.
  The Docker container was installed the problematic version
  0.62.0-2ubuntu2.13 and I ran into the "No such file or directory"
  error.

  I compiled on both Amd64 and AArch64 and I ran into the same error on
  both platforms.

  By reading the diff between 2.12 and 2.13
  
(https://launchpadlibrarian.net/622079418/poppler_0.62.0-2ubuntu2.12_0.62.0-2ubuntu2.13.diff.gz),
  the patch looks quite right. But when I examined the contents of the
  built `.deb` packages, I didn't find the file "goo/GooCheckedOps.h".

  Kind of weird, because the problem seems to be caused by applying
  "CVE-2022-38784-pre.patch" in half: the first part that creates
  "goo/GooCheckedOps.h" was not applied during the build process and the
  second part that modifies "goo/gmem.h" was applied.

  Any thoughts? Ideas?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1989515/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to