Bug 23383 - poppler new security issue CVE-2018-13988
Summary: poppler new security issue CVE-2018-13988
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-02 18:13 CEST by David Walser
Modified: 2018-08-31 23:13 CEST

See Also:
Source RPM: poppler-0.52.0-3.7.mga6.src.rpm
CVE: CVE-2018-13988
Status comment:


Description David Walser 2018-08-02 18:13:56 CEST
Fedora has issued an advisory on July 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UFJ4HNVK37HLZUQTQNVGRX53R37JIFL2/

The issue is fixed upstream in 0.67.0.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-02 18:14:02 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-02 18:41:36 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC'ing some committers.

CC: (none) => geiger.david68210, marja11, nicolas.salguero, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2018-08-27 11:50:06 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file. (CVE-2018-13988)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13988
========================

Updated packages in core/updates_testing:
========================
poppler-0.52.0-3.8.mga6
lib(64)poppler66-0.52.0-3.8.mga6
lib(64)poppler-devel-0.52.0-3.8.mga6
lib(64)poppler-cpp0-0.52.0-3.8.mga6
lib(64)poppler-qt4-devel-0.52.0-3.8.mga6
lib(64)poppler-qt5-devel-0.52.0-3.8.mga6
lib(64)poppler-qt4_4-0.52.0-3.8.mga6
lib(64)poppler-qt5_1-0.52.0-3.8.mga6
lib(64)poppler-glib8-0.52.0-3.8.mga6
lib(64)poppler-gir0.18-0.52.0-3.8.mga6
lib(64)poppler-glib-devel-0.52.0-3.8.mga6
lib(64)poppler-cpp-devel-0.52.0-3.8.mga6

from SRPMS:
poppler-0.52.0-3.8.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Source RPM: poppler-0.63.0-3.mga7.src.rpm => poppler-0.52.0-3.7.mga6.src.rpm
CVE: (none) => CVE-2018-13988
Version: Cauldron => 6
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 3 Len Lawrence 2018-08-27 21:15:20 CEST
Mageia 6, x86_64

CVE-2018-13988
The vulnerability is awaiting analysis, therefore no reproducer available.

Updated the 12 packages.
Followed leads in earlier bug reports like https://bugs.mageia.org/show_bug.cgi?id=23183
Ran some of the utilities on PDF files in my docs/books directory.

$ pdffonts PythonCrashCourse.pdf
Syntax Warning: Invalid Font Weight
name                                 type              encoding         emb sub uni object ID
------------------------------------ ----------------- ---------------- --- --- --- ---------
MFSDXQ+Futura-Book                   CID Type 0C       Identity-H       yes yes yes   5031  0
MMKCRQ+DogmaBold                     Type 1C           WinAnsi          yes yes no    5024  0
[...]

$ pdfimages -png pragpub-2013-04.pdf test
$ ls test*
test-000.png  test-007.png  test-014.png  test-021.png  test-028.png
test-001.png  test-008.png  test-015.png  test-022.png  test-029.png
test-002.png  test-009.png  test-016.png  test-023.png  test-030.png
test-003.png  test-010.png  test-017.png  test-024.png
test-004.png  test-011.png  test-018.png  test-025.png
test-005.png  test-012.png  test-019.png  test-026.png
test-006.png  test-013.png  test-020.png  test-027.png
$ eom test*.png
All images looked correct.

This generated a large number of image files pr<number>.{png|jpg} and two HTML files.
$ ll pr*.html
-rw-r--r-- 1 lcl lcl 7790514 Aug 27 19:10 pr-html.html
-rw-r--r-- 1 lcl lcl   20218 Aug 27 19:10 prs.html
$ firefox file:///home/lcl/docs/books/prs.html
This opened a web page with the document outline which looked like a hyperlink list of contents but clicking the links showed an index number in the address bar.  However
$ firefox file:///home/lcl/docs/books/pr-html.html
Brought up an okular style web page which allowed scrolling through the pages.  Clicking on hyperlinks in the text raised the document outline page which did not help much.  Looks like the hyperlink functionality has not been implemented very well.  External site links work perfectly though.  Be that as it may, the web document contains all the information from the PDF and the images display inline.

$ pdfseparate -f 8 -l 15 StatisticsDoneWrong.pdf stats_%d
$ ll stats*
-rw-r--r-- 1 lcl lcl 3660564 Aug 27 19:54 stats_10
-rw-r--r-- 1 lcl lcl 3660722 Aug 27 19:54 stats_11
-rw-r--r-- 1 lcl lcl 3660562 Aug 27 19:54 stats_12
-rw-r--r-- 1 lcl lcl 3660838 Aug 27 19:54 stats_13
-rw-r--r-- 1 lcl lcl 3660869 Aug 27 19:54 stats_14
-rw-r--r-- 1 lcl lcl 3660829 Aug 27 19:54 stats_15
-rw-r--r-- 1 lcl lcl 3660562 Aug 27 19:54 stats_8
-rw-r--r-- 1 lcl lcl 3660560 Aug 27 19:54 stats_9

All display as separate pages of the original, pages 8 to 15.
$ pdftops stats_11 stats11.ps
$ gs stats11.ps
This displayed the Brief Contents page from the original pdf file.

$ pdftoppm stats_11 abc
$ ls abc*
abc-1.ppm
$ display abc-1.ppm
That displayed Brief Contents also.

$ pdftocairo -jpeg stats_14 stats14
$ ls *.jpg
stats14-1.jpg
The image displayed fine.

As noted before, several more utilities are missing, like pdfunite.

Good for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
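
A scripted form of the smoke test in Comment 3, as an added example that is not part of the original bug report. It runs the same poppler utilities on one PDF and separates a crash (death by signal, which is how an out-of-bounds read would surface) from an ordinary tool error. The function names and the one-page range given to pdfseparate are choices made for this example.

```shell
#!/bin/sh
# Smoke-test harness for the poppler utilities exercised in Comment 3.

# Map an exit status to a verdict. The shell reports death by signal N as
# 128+N, so 139 (SIGSEGV) is a crash rather than an ordinary tool error.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -gt 128 ]; then
        echo "crash:signal-$(( $1 - 128 ))"
    else
        echo "error:$1"
    fi
}

# Run one command with its output discarded and print the verdict.
run_check() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_status "$status"
}

# Run each installed utility on one PDF; return 1 if any of them crashed.
smoke_test() {
    pdf=$1
    out=$(mktemp -d) || return 2
    crashed=0
    for tool in pdffonts pdfimages pdfseparate pdftops pdftoppm pdftocairo; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool: skipped (not installed)"
            continue
        fi
        case $tool in
            pdffonts)    verdict=$(run_check pdffonts "$pdf") ;;
            pdfimages)   verdict=$(run_check pdfimages -png "$pdf" "$out/img") ;;
            pdfseparate) verdict=$(run_check pdfseparate -f 1 -l 1 "$pdf" "$out/p_%d") ;;
            pdftops)     verdict=$(run_check pdftops "$pdf" "$out/out.ps") ;;
            pdftoppm)    verdict=$(run_check pdftoppm "$pdf" "$out/ppm") ;;
            pdftocairo)  verdict=$(run_check pdftocairo -jpeg "$pdf" "$out/jpg") ;;
        esac
        echo "$tool: $verdict"
        case $verdict in crash:*) crashed=1 ;; esac
    done
    rm -rf "$out"
    return "$crashed"
}

if [ "$#" -gt 0 ]; then smoke_test "$1"; fi
```

Run it as `sh script.sh file.pdf` before and after installing the update; a verdict that changes from `crash:` to `ok` or `error:` on the same file is the regression signal.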

Comment 4 Thomas Andrews 2018-08-29 21:59:19 CEST
Len's tests look sufficient to me. Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-08-31 21:52:55 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-08-31 23:13:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0358.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED