Bug 26425

Summary: poppler new security issue CVE-2018-21009
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Jani Välimaa <jani.valimaa>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: nicolas.salguero
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: poppler-0.74.0-3.3.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 0.76.0

Description David Walser 2020-04-02 20:59:20 CEST
RedHat has issued an advisory on March 31:
https://access.redhat.com/errata/RHSA-2020:1074

The issue is fixed upstream in 0.76.0.
David Walser 2020-04-02 20:59:36 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 0.76.0

Comment 1 Jani Välimaa 2020-04-02 21:22:58 CEST
The problem is that upstream changes the lib major basically every time they release a new version. We should try to look if our current version can be patched.
Comment 2 David Walser 2020-04-02 21:24:35 CEST
Yes of course, I didn't mean to imply that we update it.  I wish the upstream developers would get a clue.

The RedHat bug links an upstream commit:
https://bugzilla.redhat.com/show_bug.cgi?id=1753850
Comment 3 Nicolas Salguero 2020-04-02 21:25:14 CEST
Hi,

In fact, the problem is fixed upstream in 0.66.0 and not in 0.76.0 so Mageia 7 is not affected by the issue.

Best regards,

Nico.
Comment 4 David Walser 2020-04-02 21:28:32 CEST
Indeed you're right.  I was surprised to see a CVE in these RHEL 7.8 updates we hadn't addressed, since all the others I looked at were really old.  Thanks.

Resolution: (none) => INVALID
Status: NEW => RESOLVED