Message ID | 20221019200051.2690977-1-fontaine.fabrice@gmail.com |
---|---|
State | Accepted |
Series | [1/1] package/poppler: security bump to version 22.10.0 |
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

> - Fix CVE-2022-38784: Poppler prior to and including 22.08.0 contains an
>   integer overflow in the JBIG2 decoder
>   (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a
>   specially crafted PDF file or JBIG2 image could lead to a crash or the
>   execution of arbitrary code. This is similar to the vulnerability
>   described by CVE-2022-38171 in Xpdf.
> - Drop patch (already in version)

> https://gitlab.freedesktop.org/poppler/poppler/-/blob/poppler-22.10.0/NEWS

> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

> - Fix CVE-2022-38784: Poppler prior to and including 22.08.0 contains an
>   integer overflow in the JBIG2 decoder
>   (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a
>   specially crafted PDF file or JBIG2 image could lead to a crash or the
>   execution of arbitrary code. This is similar to the vulnerability
>   described by CVE-2022-38171 in Xpdf.
> - Drop patch (already in version)

> https://gitlab.freedesktop.org/poppler/poppler/-/blob/poppler-22.10.0/NEWS

> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2022.08.x and 2022.02.x, thanks.
diff --git a/package/poppler/0001-Include-setjmp-h-when-WITH_JPEG-yes-and-WITH_PNG-no.patch b/package/poppler/0001-Include-setjmp-h-when-WITH_JPEG-yes-and-WITH_PNG-no.patch deleted file mode 100644 index 40af6a2e00..0000000000 --- a/package/poppler/0001-Include-setjmp-h-when-WITH_JPEG-yes-and-WITH_PNG-no.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3ea6bca90d87d3f91556205c4e58ca425c6ac437 Mon Sep 17 00:00:00 2001 -From: Marco Genasci <fedeliallalinea@gmail.com> -Date: Sun, 12 Dec 2021 10:23:37 +0100 -Subject: [PATCH] Include setjmp.h when WITH_JPEG=yes and WITH_PNG=no - -[Retrieved from: -https://gitlab.freedesktop.org/poppler/poppler/-/commit/3ea6bca90d87d3f91556205c4e58ca425c6ac437] -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> ---- - poppler/ImageEmbeddingUtils.cc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/poppler/ImageEmbeddingUtils.cc b/poppler/ImageEmbeddingUtils.cc -index 5c50f1269..c26b9eb2a 100644 ---- a/poppler/ImageEmbeddingUtils.cc -+++ b/poppler/ImageEmbeddingUtils.cc -@@ -16,6 +16,7 @@ - extern "C" { - # include <jpeglib.h> - } -+# include <csetjmp> - #endif - #ifdef ENABLE_LIBPNG - # include <png.h> --- -GitLab - diff --git a/package/poppler/poppler.hash b/package/poppler/poppler.hash index cf6c537063..93681e04af 100644 --- a/package/poppler/poppler.hash +++ b/package/poppler/poppler.hash @@ -1,3 +1,3 @@ # Locally calculated -sha256 acb840c2c1ec07d07e53c57c4b3a1ff3e3ee2d888d44e1e9f2f01aaf16814de7 poppler-21.12.0.tar.xz +sha256 04e40fad924a6de62e63017a6fd4c04696c1f526dedc2ba5ef275cedf646292a poppler-22.10.0.tar.xz sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING diff --git a/package/poppler/poppler.mk b/package/poppler/poppler.mk index db6da25d39..5524bfc420 100644 --- a/package/poppler/poppler.mk +++ b/package/poppler/poppler.mk 
@@ -4,7 +4,7 @@ # ################################################################################ -POPPLER_VERSION = 21.12.0 +POPPLER_VERSION = 22.10.0 POPPLER_SOURCE = poppler-$(POPPLER_VERSION).tar.xz POPPLER_SITE = https://poppler.freedesktop.org POPPLER_DEPENDENCIES = fontconfig host-pkgconf
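Review bot: the commit message's "Drop patch (already in version)" does not identify what makes the removal of 0001-Include-setjmp-h-when-WITH_JPEG-yes-and-WITH_PNG-no.patch safe. The deleted patch header names upstream commit 3ea6bca90d87d3f91556205c4e58ca425c6ac437, dated 12 Dec 2021; citing that commit in the message would let a reader confirm that the csetjmp include is present in the 22.10.0 tarball for the WITH_JPEG=yes, WITH_PNG=no case.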
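Review bot: in package/poppler/poppler.hash the new poppler-22.10.0.tar.xz sha256 sits under the "# Locally calculated" comment alone, so the only check on the tarball is the submitter's own download. If upstream provides a signature or a published checksum for the release, verify against it and say so in the comment. The COPYING hash is unchanged, which fits the licence file being the same in both versions.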
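Review bot: in package/poppler/poppler.mk only POPPLER_VERSION changes for a jump from 21.12.0 to 22.10.0, while the commit message covers just the CVE fix and the dropped patch. Please state in the commit message that the linked NEWS file was checked for new or changed dependencies and build options across the intervening releases, since POPPLER_DEPENDENCIES and the rest of the file are left as they were.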
- Fix CVE-2022-38784: Poppler prior to and including 22.08.0 contains an
  integer overflow in the JBIG2 decoder
  (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a
  specially crafted PDF file or JBIG2 image could lead to a crash or the
  execution of arbitrary code. This is similar to the vulnerability
  described by CVE-2022-38171 in Xpdf.
- Drop patch (already in version)

https://gitlab.freedesktop.org/poppler/poppler/-/blob/poppler-22.10.0/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...h-when-WITH_JPEG-yes-and-WITH_PNG-no.patch | 27 -------------------
 package/poppler/poppler.hash                  |  2 +-
 package/poppler/poppler.mk                    |  2 +-
 3 files changed, 2 insertions(+), 29 deletions(-)
 delete mode 100644 package/poppler/0001-Include-setjmp-h-when-WITH_JPEG-yes-and-WITH_PNG-no.patch