Fedora has issued an advisory today (April 15):
The issue was fixed upstream in 0.40, already in Cauldron.
A CVE was requested and PoC posted here:
Patched package uploaded for Mageia 5.
Updated poppler packages fix security vulnerability:
A heap buffer overflow vulnerability was found in the poppler library. A
maliciously crafted file could cause the application to crash (fdo#93476).
Updated packages in core/updates_testing:
Mageia5 x86_64 Mate
Installed all the components before updating and used the downloaded crash.pdf file in okular and evince. Both crashed immediately.
The PoC script would not run because it needed the miniPDF python module. It probably does not matter because it looks like all it does is generate the test PDF anyway.
After updating poppler and the libraries evince and okular worked although okular required the bash command '$ export $(dbus-launch)' before it would run.
Other applications like epdfview and xournal also displayed the test file OK.
They also worked fine with other PDF documents on disk.
OK for 64bits.
Created attachment 7683 [details]
PoC test file
i586 in virtualbox Mate
okular reported a crash when reading crash.pdf but it was possible to restart the application.
evince reports that it cannot get information for the file. On x86_64 it segfaulted.
xournal segfaults, so does epdfview.
All twelve update packages installed cleanly.
None of evince, okular, epdfview, or xournal had any problem displaying crash.pdf.
This looks fine for both architectures so can be validated.
has_procedure MGA5-64-OK =>
has_procedure MGA5-64-OK MGA5-32-OKCC:
has_procedure MGA5-64-OK MGA5-32-OK =>
has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository.
This has been assigned CVE-2015-8868:
poppler new DoS security issue =>
poppler new DoS security issue (CVE-2015-8868)