Fedora has issued an advisory on March 5: http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100090.html There were three CVEs (CVE-2013-1788, CVE-2013-1789, CVE-2013-1790) fixed upstream in 0.22.1, which we have in Cauldron. There are reproducer PDFs for these bugs, but I don't know if they are publicly available. If they are, they can be used as PoC's, and it'd be nice to check if CVE-2013-1789 affects 0.18.4 as Fedora didn't add a patch for that one. There is also another bug that Fedora fixed that I haven't, but I could: https://bugzilla.redhat.com/show_bug.cgi?id=817378 Advisory: ======================== Updated poppler packages fix security vulnerabilities: Invalid memory access flaws in poppler before 0.22.1 (CVE-2013-1788). An uninitialized memory read flaw in poppler before 0.22.1 (CVE-2013-1790). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1790 http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100090.html ======================== Updated packages in core/updates_testing: ======================== poppler-0.18.4-2.1.mga2 libpoppler19-0.18.4-2.1.mga2 libpoppler-devel-0.18.4-2.1.mga2 libpoppler-cpp0-0.18.4-2.1.mga2 libpoppler-qt4-devel-0.18.4-2.1.mga2 libpoppler-qt4-3-0.18.4-2.1.mga2 libpoppler-glib8-0.18.4-2.1.mga2 libpoppler-gir0.18-0.18.4-2.1.mga2 libpoppler-glib-devel-0.18.4-2.1.mga2 libpoppler-cpp-devel-0.18.4-2.1.mga2 from poppler-0.18.4-2.1.mga2.src.rpm Reproducible: Steps to Reproduce:
Testing i586 with commands found with urpmf poppler | grep bin
Whiteboard: (none) => has_procedure
Testing some the backends by opening pdf's in okular, evince, epdfview
Testing complete mga2 32 $ pdffonts example.pdf name type emb sub uni object ID ------------------------------------ ----------------- --- --- --- --------- Courier-Bold Type 1 no no no 4293 0 Courier-Oblique Type 1 no no no 4294 0 Times-Roman Type 1 no no no 4295 0 Times-BoldItalic Type 1 no no no 4296 0 Courier Type 1 no no no 4297 0 Times-Italic Type 1 no no no 4298 0 Times-Bold Type 1 no no no 4299 0 $ pdfimages -f 1 -l 10 example.pdf examplepdf $ ls examplepdf* examplepdf-000.ppm $ gwenview examplepdf-000.ppm $ pdfinfo example.pdf Shows pdf info $ pdftohtml -s -f 1 -l 10 example.pdf examplepdf Page-1 Page-2 link to page 7 link to page 7 link to page 8 link to page 8 link to page 9 link to page 9 link to page 10 link to page 10 link to page 12 link to page 12 link to page 15 link to page 15 link to page 16 link to page 16 link to page 23 link to page 23 link to page 26 etc.. $ ls examplepdf* examplepdf-000.ppm examplepdf004.png examplepdf008.png examplepdf-html.html examplepdf001.png examplepdf005.png examplepdf009.png examplepdfs.html examplepdf002.png examplepdf006.png examplepdf010.png examplepdf003.png examplepdf007.png examplepdf-10_1.png $ konqueror examplepdf-html.html $ okular example.pdf $ evince example.pdf $ epdfview example.pdf
Whiteboard: has_procedure => has_procedure mga2-32-ok
No PoC's btw
Testing x86_64 Carolyn
CC: (none) => isolde
Similar tests to Claire's on 64-bit, no problems found. Testing complete. Update validated. See description for advisory and SRPM. Could sysadmin please push from core/updates_testing to core/updates. Thank you. Carolyn
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0095
Status: NEW => RESOLVEDCC: (none) => dmorganecResolution: (none) => FIXED