Bug 1470138 (CVE-2017-2820)
Summary: | CVE-2017-2820 poppler: Integer overflow in the JPEG 2000 image parsing functionality | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | caolanm, feborges, manisandro, mkasik, rdieter |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-22 05:50:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1470140 |
Description
Andrej Nemec
2017-07-12 12:34:11 UTC
As per upstream advisory: "Poppler is a popular open source PDF parser library. It is used by default in many open source PDF viewers. The library itself implements a decoder for JPEG 2000 encoded images instead of relying on a more complete implementation (such as OpenJPEG), although it does warn about this at compile time and strongly suggests OpenJPEG be used. By default, this internal implementation will be used by applications. " However the versions of poppler library shipped with Red Hat Enterprise Linux and Fedora use the system libopenjpeg library, therefore they are not affected by this flaw. |