Maybe now we can get a decent version of poppler in Fedora 9...
https://admin.fedoraproject.org/updates/F9/pending/poppler-0.8.1-2.fc9 Feel free to test... (Btw, it does not affect all versions, problem was only introduced in 0.5.x or 0.6.x ;).
(In reply to comment #1)
> https://admin.fedoraproject.org/updates/F9/pending/poppler-0.8.1-2.fc9
>
> Feel free to test...
>
> (Btw, it does not affect all versions, problem was only introduced in 0.5.x or
> 0.6.x ;).
Not much point in getting just some of the 0.8.5 "new features".
Core:
* Fix crash on PDF that define a page thumbnail but it's not a Stream
* Fix crash when Annots object is not of the desired type
* Fix crash when obtaining fonts in PDF where XObjects link themselves in loops
* Fix crash on documents with an IRT object
* Saving should work much better now
* Plug some memory leaks in Annotation handling
Utils:
* pdftohtml: Don't crash on documents that specify an invalid named dest for a link
Vasile, primary purpose of the update request mentioned in comment #1 was to address CVE-2008-2950, exactly what you have complained about in this bug report.
I also decided to include fixes for the crasher bugs encountered by Fedora users (one of them seems to have been reported by you). As I'm not package (co-)owner, I'm not going to do larger changes, like move to newer upstream version, for no good reason.
(In reply to comment #2)
> Not much point in getting just some of the 0.8.5 "new features".
My aim was to include fixes for important bugs users really faced and reported, along with security fix.
(In reply to comment #3)
> Vasile, primary purpose of the update request mentioned in comment #1 was to
> address CVE-2008-2950, exactly what you have complained about in this bug
> report.
>
> I also decided to include fixes for the crasher bugs encountered by Fedora
> users (one of them seems to have been reported by you). As I'm not package
> (co-)owner, I'm not going to do larger changes, like move to newer upstream
> version, for no good reason.
>
> (In reply to comment #2)
> > Not much point in getting just some of the 0.8.5 "new features".
>
> My aim was to include fixes for important bugs users really faced and reported,
> along with security fix.
I wasn't complaining to you; it was a general rant against the state of poppler in the vain hope that the package owner would read it ;)
For whatever it's worth: http://www.cs.umd.edu/~gaburici/poppler-0.8.5-0.1.fc9.src.rpm
poppler-0.8.1-2.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update poppler'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-7012
This bug report should be propagated to RHEL 5 too.
(In reply to comment #7)
> This bug report should be propagated to RHEL 5 too.
Can you possibly clarify this? What exactly should be propagated to RHEL5? CVE-2008-2950 did not affect poppler version in RHEL5 (see bug #454277). Please file separate bug against Red Hat Enterprise Linux product for the issues you are experiencing with RHEL version of poppler. Thank you!
There is no rationalization for the conclusion in bug #454277#c5, and I would say that statement is wrong. All versions of poppler < 0.8.5 (at least for the 0.8.x series) are affected as you can see in http://www.ocert.org/advisories/ocert-2008-007.html . If you compare the code for Page.cc in poppler-0.8.0:
  Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) {
    Object tmp;
    ok = gTrue;
    xref = xrefA;
you can see the initialization of pageWidgets to NULL is also missing there. Also see the comments in http://www.milw0rm.com/exploits/6032 .
I did read oCERT-2008-007 before. And I'm still convinced that the statement is correct. Problem occurs when pageWidgets is freed in Page::~Page. As you can easily check, that does not happen in poppler version before 0.6 (or so), including 0.5.4 as shipped in Red Hat Enterprise Linux 5. pageWidgets only occur in poppler sources in 0.6.x and later.
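The pattern the two comments above argue about (a member pointer that the constructor does not always set, freed unconditionally in the destructor), next to its hardened form, as an added C++ example that is not part of this thread or of poppler's source. The class names, the `hasAnnots` flag and the early-return path are assumptions made for illustration; the thread itself only states that the NULL initialization is missing and that the pointer is freed in Page::~Page.

```cpp
// Added illustration with hypothetical names; the early-return path is assumed.
#include <cstdio>

static int g_live = 0;     // Widgets currently allocated
static int g_deletes = 0;  // Widgets destructor calls so far
struct Widgets {
    Widgets() { ++g_live; }
    ~Widgets() { --g_live; ++g_deletes; }
};

// Pattern from the thread: a constructor path never assigns the member, yet
// the destructor frees it. Shown for comparison only, never instantiated here.
struct VulnerablePage {
    explicit VulnerablePage(bool hasAnnots) {
        ok = true;
        if (!hasAnnots) return;          // pageWidgets left uninitialized
        pageWidgets = new Widgets();
    }
    ~VulnerablePage() { delete pageWidgets; }  // frees an indeterminate pointer
    bool ok;
    Widgets *pageWidgets;
};

// Hardened form: the pointer is null before any early return can run.
struct FixedPage {
    explicit FixedPage(bool hasAnnots) : ok(true), pageWidgets(nullptr) {
        if (!hasAnnots) return;
        pageWidgets = new Widgets();
    }
    ~FixedPage() { delete pageWidgets; }  // delete on nullptr is a no-op
    FixedPage(const FixedPage &) = delete;             // no copies, so no double free
    FixedPage &operator=(const FixedPage &) = delete;
    bool hasWidgets() const { return pageWidgets != nullptr; }
    bool ok;
    Widgets *pageWidgets;
};

// Construct and destroy one FixedPage; return how many Widgets were freed.
int freedAfterLifecycle(bool hasAnnots) {
    int before = g_deletes;
    { FixedPage page(hasAnnots); }
    return g_deletes - before;
}

int main() {
    std::printf("early return freed %d, normal path freed %d, live %d\n",
                freedAfterLifecycle(false), freedAfterLifecycle(true), g_live);
    return 0;
}
```

Building a test harness around the vulnerable form with `-fsanitize=address,undefined` (or running it under valgrind) is the usual way to confirm whether a given source version actually reaches the bad free.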
Excuse my reference to poppler-0.8.0 which is of course a modification I worked on last week trying to get Inkscape to work. Since the start of the constructors Page::Page() for versions 0.5.4 & 0.8.4 look very similar I drew the conclusion that the RHEL 5 version *might* be vulnerable too. Checking the wrong version (0.8.0) today made me draw an incorrect conclusion. Sorry for the mixup. I checked the destructor and see that you are right.
No problem. Please make sure to file bugs against Red Hat Enterprise Linux product, or, in case of security issue, contact Security Response Team directly via mail: http://www.redhat.com/security/team/contact/ if you have doubts whether some issue is fixed or not, to make sure it's not missed accidentally.
poppler-0.8.1-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.