Re: poppler: CVE-2018-16646 denial-of-service via crafted file
On Thu, Nov 08, 2018 at 10:51:37AM +0000, Mike Gabriel wrote:
> Hi Moritz,
> On Di 06 Nov 2018 17:14:35 CET, Moritz Mühlenhoff wrote:
> > On Fri, Sep 28, 2018 at 08:32:25PM +0200, Markus Koschany wrote:
> > > Package: poppler
> > > X-Debbugs-CC: email@example.com
> > > Severity: important
> > > Tags: security
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for poppler.
> > >
> > > CVE-2018-16646:
> > > | In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause
> > > | infinite recursion via a crafted file. A remote attacker can leverage
> > > | this for a DoS attack.
> > For jessie the wrong patches got applied. They are based on MR 67, which
> > didn't get merged in favour of the patch from MR 91.
> > On a more general notice: This bug has virtually no security impact, it's
> > hard to see why this change was made for an LTS release to begin with,
> > but at least wait until it's applied/fixed in unstable before backporting.
> Not security, but functionality.
Of which there have been hundreds of others since the version in jessie
was released; anyway, let's not digress, the point of my followup is
to notify you of a regression in the security fix for CVE-2018-16646. I've
just added links to the relevant upstream commits to the security tracker.
These seem also needed in jessie.