The Cisco Talos team found a security vulnerability impacting Poppler customers. The issues are identified as TALOS-2017-0311, TALOS-2017-0319, and TALOS-2017-0321.
What are we supposed to do with this information?
Probably fix the corresponding code. :) https://www.talosintelligence.com/reports/TALOS-2017-0311 https://www.talosintelligence.com/reports/TALOS-2017-0319 https://www.talosintelligence.com/reports/TALOS-2017-0321
"2017-05-16 - Vendor Disclosure" on those pages bothers me. I hope that did not refer to this bug report which included zero information that allowed fixing.
André, we were given these links before they were released to the public. We fixed one of the bugs, and the other two bugs are in unmaintained code... In poppler we disabled compiling with this unmaintained code (unless the person compiling it asks for it explicitly). I tried contacting Ubuntu people without any luck. So these bugs are potentially harmful in Ubuntu, which should stop distributing the unmaintained portions of poppler. All of this is true as of poppler 0.56.