Bug 24504

Summary: xpdf new security issues CVE-2018-717[3-5], CVE-2018-745[24], CVE-2018-16368
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: marja11, nicolas.salguero
Version: 6
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: xpdf-3.04-7.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 4.01
Bug Depends on:    
Bug Blocks: 25364    

Description David Walser 2019-03-13 19:02:39 CET
Fedora has issued an advisory on March 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ANYTDA3PR32QQA3JHE5YYLMWNX5KGPOS/

It's not clear whether only 4.00 is affected by the issues or if older versions are also affected.  It would be nice to get it updated, regardless.  I looked into updating to 4.00 before and it looks like it'd be a good bit of work to sync it up with Fedora.  Hopefully someone is willing to do it, as it doesn't have a maintainer and I believe I was the last one to update it, which I don't have time to do this time around.
Comment 1 Marja Van Waes 2019-03-14 16:00:59 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

David Walser 2019-03-28 21:20:56 CET

Status comment: (none) => Fixed upstream in 4.01

Comment 2 Nicolas Salguero 2019-04-04 15:43:44 CEST
Hi,

xpdf-4.01.01-1.mga7 should fix those issues.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 3 David Walser 2019-04-04 20:01:37 CEST
Thanks!

Looking at the Debian Security Tracker, 3.04 might be affected too.  They say their 3.02 package is built against the system poppler library, which would solve the issues (Ubuntu says Poppler isn't affected).  We could do the same.

Version: Cauldron => 6

Marc Krämer 2019-10-01 18:15:14 CEST

Blocks: (none) => 25364

Comment 4 Nicolas Salguero 2019-10-03 09:24:42 CEST
Mga 6 EOL

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 5 David Walser 2019-10-03 13:57:59 CEST
Please use OLD for EOL.

Resolution: WONTFIX => OLD