CVEs have been allocated for a few security issues in poppler:
There is also CVE-2013-4472 which also affects xpdf, but we'll have to handle that later as there is not a fix available for it yet.
CVE-2013-4473 was fixed in 0.24.2 (already in Cauldron) here:
CVE-2013-4474 was fixed in 0.24.3 here:
Steps to Reproduce:
Fixed with poppler-0.22.1-1.1.mga3 but the patch needs to be ported to poppler-0.18.4 in mga2
And for cauldron, either submit the latest version or patch it to fix CVE-2013-4474.
Hopefully we'll get a backported patch for 0.18.x from another distro.
Oden has also requested a freeze push for 0.24.3 for Cauldron.
Uploaded for Mageia 3:
poppler-0.24.3-1.mga4 has been uploaded for Cauldron.
Fedora has issued an advisory for this on November 1:
Fedora issued an update for Fedora 18 with poppler 0.20.2, so backporting the patches from there to 0.18.4 was easy. The CVE-2013-4473 patch applied cleanly, and the CVE-2013-4474 patch only needed a minor change.
Assigning to QA now.
Updated poppler packages fix security vulnerabilities:
Poppler is found to be affected by a stack based buffer overflow vulnerability
in the pdfseparate utility. Successfully exploiting this issue could allow
remote attackers to execute arbitrary code in the context of the affected
application. Failed exploits may result in denial-of-service conditions
Poppler was found to have a user controlled format string vulnerability because
it fails to sanitize user-supplied input. An attacker may exploit this issue to
execute arbitrary code in the context of the vulnerable application. Failed
exploit attempts will likely result in a denial-of-service condition
Updated packages in core/updates_testing:
Advisory uploaded. Please remove 'advisory' tag from whiteboard if anything changes.
Testing complete mga2 32
Testing complete mga2 64
Testing complete mga3 32 & 64
Could sysadmin please push from 2&3 core/updates_testing to updates