Bug 100855 - Poppler vulnerabilities
Summary: Poppler vulnerabilities
Status: RESOLVED INVALID
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2017-04-27 17:17 UTC by regiwils
Modified: 2017-08-14 21:54 UTC

Description regiwils 2017-04-27 17:17:11 UTC
The Cisco Talos team found a security vulnerability impacting Poppler customers. The issues are identified as TALOS-2017-0311, TALOS-2017-0319, and TALOS-2017-0321.
Comment 1 Albert Astals Cid 2017-04-28 09:36:18 UTC
What are we supposed to do with this information?
Comment 3 Andre Klapper 2017-08-14 19:49:07 UTC
"2017-05-16 - Vendor Disclosure" on those pages bothers me. I hope that did not refer to this bug report which included zero information that allowed fixing.
Comment 4 Jose Aliste 2017-08-14 20:21:18 UTC
André, we were given these links before they were released to the public. We fixed one of the bugs, and the other two bugs are in unmaintained code... In poppler we disabled compiling with this unmaintained code (unless the person compiling this asks for it explicitly). I tried contacting Ubuntu people without any luck. So these bugs are potentially harmful in Ubuntu, which should stop distributing the unmaintained portions of poppler. All of this is true as of poppler 0.56.

