Fedora has issued an advisory today (April 15): https://lists.fedoraproject.org/pipermail/package-announce/2016-April/182399.html The issue was fixed upstream in 0.40, already in Cauldron. A CVE was requested and PoC posted here: http://seclists.org/oss-sec/2016/q2/56 Patched package uploaded for Mageia 5. Advisory: ======================== Updated poppler packages fix security vulnerability: A heap buffer overflow vulnerability was found in the poppler library. A maliciously crafted file could cause the application to crash (fdo#93476). References: https://bugs.freedesktop.org/show_bug.cgi?id=93476 https://lists.fedoraproject.org/pipermail/package-announce/2016-April/182399.html ======================== Updated packages in core/updates_testing: ======================== poppler-0.26.5-2.1.mga5 libpoppler46-0.26.5-2.1.mga5 libpoppler-devel-0.26.5-2.1.mga5 libpoppler-cpp0-0.26.5-2.1.mga5 libpoppler-qt4-devel-0.26.5-2.1.mga5 libpoppler-qt5-devel-0.26.5-2.1.mga5 libpoppler-qt4_4-0.26.5-2.1.mga5 libpoppler-qt5_1-0.26.5-2.1.mga5 libpoppler-glib8-0.26.5-2.1.mga5 libpoppler-gir0.18-0.26.5-2.1.mga5 libpoppler-glib-devel-0.26.5-2.1.mga5 libpoppler-cpp-devel-0.26.5-2.1.mga5 from poppler-0.26.5-2.1.mga5.src.rpm
Mageia5 x86_64 Mate Installed all the components before updating and used the downloaded crash.pdf file in okular and evince. Both crashed immediately. The PoC script would not run because it needed the miniPDF python module. It probably does not matter because it looks like all it does is generate the test PDF anyway. After updating poppler and the libraries evince and okular worked although okular required the bash command '$ export $(dbus-launch)' before it would run. Other applications like epdfview and xournal also displayed the test file OK. They also worked fine with other PDF documents on disk. OK for 64bits.
CC: (none) => tarazed25
Whiteboard: (none) => has_procedure MGA5-64-OK
Created attachment 7683 [details] PoC test file
i586 in virtualbox Mate Before updating: okular reported a crash when reading crash.pdf but it was possible to restart the application. evince reports that it cannot get information for the file. On x86_64 it segfaulted. xournal segfaults, so does epdfview. All twelve update packages installed cleanly. None of evince, okular, epdfview, or xournal had any problem displaying crash.pdf. This looks fine for both architectures so can be validated.
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OKCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0145.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
This has been assigned CVE-2015-8868: http://openwall.com/lists/oss-security/2016/04/24/2
Summary: poppler new DoS security issue => poppler new DoS security issue (CVE-2015-8868)