Fedora has issued an advisory on February 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VLOYVJSM54IL6I5RY4QTJGRS7PIEG44X/

The issues are fixed upstream in 4.03.

Mageia 7 and Mageia 8 are also affected.

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 4.03
Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => jani.valimaa, joequant, nicolas.salguero, ouaurelien
Assignee: bugsquad => pkg-bugs

fixed in cauldron.

Fixed in mga7/8

src:
- xpdf-4.03-1.mga7
- xpdf-4.03-1.mga8

Status comment: Fixed upstream in 4.03 => (none)
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
The following 7 packages are going to be installed:

- libqt5printsupport5-5.12.6-4.mga7.i586
- libqt5svg5-5.12.6-1.mga7.i586
- poppler-0.74.0-3.4.mga7.i586
- qtsvg5-5.12.6-1.mga7.i586
- x11-font-adobe-100dpi-1.0.3-7.mga7.noarch
- xpdf-4.03-1.mga7.i586
- xpdf-common-4.03-1.mga7.i586

----

ran xpdf against a large pdf
no issues

pdftotext properly extracted txt

pdfinfo pulled heading information.

Works as designed

Whiteboard: MGA7TOO => MGA7TOO MGA7_32_OK
CC: (none) => brtians1
Whiteboard: MGA7TOO MGA7_32_OK => MGA7TOO MGA7-32-OK
$ uname -a
Linux localhost 5.10.16-desktop-1.mga8 #1 SMP Sat Feb 13 16:27:22 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

The following 7 packages are going to be installed:

- lib64qt5printsupport5-5.15.2-4.mga8.x86_64
- lib64qt5svg5-5.15.2-1.mga8.x86_64
- poppler-20.12.1-1.mga8.x86_64
- qtsvg5-5.15.2-1.mga8.x86_64
- x11-font-adobe-100dpi-1.0.3-9.mga8.noarch
- xpdf-4.03-1.mga8.x86_64
- xpdf-common-4.03-1.mga8.x86_64

repeated the processes above as mga7.

Worked as designed
Whiteboard: MGA7TOO MGA7-32-OK => MGA7TOO MGA7-32-OK MGA8-64-OK
Package list:
xpdf-4.03-1.mga7
xpdf-common-4.03-1.mga7
xpdf-4.03-1.mga8
xpdf-common-4.03-1.mga8
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Advisory:
========================

Updated xpdf packages fix security vulnerabilities:

In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes an `heap-use-after-free` problem. The codes of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font (CVE-2020-25725).

Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function (CVE-2020-35376).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35376
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VLOYVJSM54IL6I5RY4QTJGRS7PIEG44X/
Advisory pushed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0112.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED