Bug 26425 - poppler new security issue CVE-2018-21009
Summary: poppler new security issue CVE-2018-21009
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: Jani Välimaa
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-02 20:59 CEST by David Walser
Modified: 2020-04-02 21:28 CEST

See Also:
Source RPM: poppler-0.74.0-3.3.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 0.76.0


Attachments

Description David Walser 2020-04-02 20:59:20 CEST
RedHat has issued an advisory on March 31:
https://access.redhat.com/errata/RHSA-2020:1074

The issue is fixed upstream in 0.76.0.
David Walser 2020-04-02 20:59:36 CEST

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 0.76.0

Comment 1 Jani Välimaa 2020-04-02 21:22:58 CEST
The problem is that upstream changes lib major basically every time they release a new version. We should try to look if our current version can be patched.
Comment 2 David Walser 2020-04-02 21:24:35 CEST
Yes of course, I didn't mean to imply that we update it.  I wish the upstream developers would get a clue.

The RedHat bug links an upstream commit:
https://bugzilla.redhat.com/show_bug.cgi?id=1753850
Comment 3 Nicolas Salguero 2020-04-02 21:25:14 CEST
Hi,

In fact, the problem is fixed upstream in 0.66.0 and not in 0.76.0 so Mageia 7 is not affected by the issue.

Best regards,

Nico.
Comment 4 David Walser 2020-04-02 21:28:32 CEST
Indeed you're right. I was surprised to see a CVE in these RHEL 7.8 updates we hadn't addressed, since all the others I looked at were really old. Thanks.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
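The triage above turned on one fact: the fix landed upstream in poppler 0.66.0, not 0.76.0, so the 0.74.0 package Mageia 7 ships was never affected. The following is an added example, not code from this bug or from Mageia's tooling, showing how to make that "is our version below the fixed-in version" check mechanically, using an rpm-style version comparison (a simplified reimplementation of rpmvercmp's rules: numeric segments compare as integers, alphabetic segments lexically, numeric beats alphabetic, and a string with segments left over is newer; epoch and the `~`/`^` operators are deliberately not handled). The source RPM name and the two candidate fixed-in versions are taken from the report; everything else is constructed for the example. Note the caveat from comment 1: distributions backport fixes without bumping the upstream version, so a version comparison alone can only tell you "not affected"; "affected" still needs a look at the package's patches.

```python
import re
from typing import Dict, List, Tuple

# Data from the bug report above (everything else in this file is constructed).
SRPM = "poppler-0.74.0-3.3.mga7.src.rpm"
FIXED_IN_CLAIMED = "0.76.0"   # what the original report said
FIXED_IN_ACTUAL = "0.66.0"    # what comment 3 corrected it to


def _segments(version: str) -> List[str]:
    """Split a version into maximal runs of digits or letters; separators are ignored."""
    return re.findall(r"[0-9]+|[A-Za-z]+", version)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b.

    Simplified rpm rules: no epoch, no '~' (pre-release) or '^' handling.
    """
    seg_a, seg_b = _segments(a), _segments(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            # numeric segments compare as integers, so "10" > "9"
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            # a numeric segment is always newer than an alphabetic one
            return 1 if x_num else -1
        elif x != y:
            # both alphabetic: plain lexical comparison
            return -1 if x < y else 1
    if len(seg_a) == len(seg_b):
        return 0
    # whichever version still has segments left over is newer ("2.0.0" > "2.0")
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_srpm(filename: str) -> Tuple[str, str, str]:
    """Split NAME-VERSION-RELEASE.src.rpm into (name, version, release)."""
    stem = filename[: -len(".src.rpm")] if filename.endswith(".src.rpm") else filename
    name, version, release = stem.rsplit("-", 2)
    return name, version, release


def triage(srpm: str, fixed_in: str) -> Dict[str, object]:
    """Decide whether the shipped upstream version predates the fixed-in version.

    'affected' here means 'upstream version is older than the fix', which is only
    an upper bound: a distro may have backported the fix into an older version.
    """
    name, version, release = parse_srpm(srpm)
    cmp = rpmvercmp(version, fixed_in)
    return {
        "package": name,
        "version": version,
        "release": release,
        "fixed_in": fixed_in,
        "affected": cmp < 0,
    }


if __name__ == "__main__":
    for fixed in (FIXED_IN_CLAIMED, FIXED_IN_ACTUAL):
        result = triage(SRPM, fixed)
        verdict = "affected (or needs a backport check)" if result["affected"] else "not affected"
        print(f"{result['package']} {result['version']} vs fix in {fixed}: {verdict}")
```

Against the report's own numbers the script says "affected" for a 0.76.0 fix and "not affected" for the corrected 0.66.0 fix, which is exactly the reversal that closed this bug as INVALID.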

