Activity log for bug #1803059

Date Who What changed Old value New value Message
2018-11-13 06:47:46 Dhiraj bug added bug
2018-11-16 20:12:20 Steve Beattie information type Private Security Public Security
2018-11-21 15:38:10 Sebastien Bacher evince (Ubuntu): importance Undecided High
2018-11-21 15:38:10 Sebastien Bacher evince (Ubuntu): status New Fix Committed
2018-11-21 15:38:18 Sebastien Bacher affects evince (Ubuntu) poppler (Ubuntu)
2018-11-23 15:04:50 Sebastien Bacher description

Old value:

System Info:
Linux zero 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Evince version: GNOME Document Viewer 3.28.4

While fuzzing evince v3.28.4, on linux 4.15.0-38-generic (Ubuntu 18.04 LTS), a null-pointer dereference was observed, initially this was reported to evince but the evince team advised that the issue is in poppler, the library used by evince to render PDF, poppler version: 0.62.0-2ubuntu2.2 is vulnerable to null-pointer dereference, however the issue is already fixed in poppler 0.70, but this will still crash your evince v3.28.4 in ubuntu if poppler is not updated to v.0.70.

Fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version.

I think Ubuntu is still using,
Source: poppler
Version: 0.62.0-2ubuntu2.2
So, most of the systems will be affected to this issue.

Upstream: https://gitlab.freedesktop.org/poppler/poppler/issues/664

New value:

* Impact
Evince segfaults on some pdf documents

* Test case
Download and try to open https://bugs.freedesktop.org/attachment.cgi?id=138927 with evince, it shouldn't segfault

* Regression potential
Nothing special to test, make sure evince still opens pdfs without issue

-----------------------------

System Info:
Linux zero 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Evince version: GNOME Document Viewer 3.28.4

While fuzzing evince v3.28.4, on linux 4.15.0-38-generic (Ubuntu 18.04 LTS), a null-pointer dereference was observed, initially this was reported to evince but the evince team advised that the issue is in poppler, the library used by evince to render PDF, poppler version: 0.62.0-2ubuntu2.2 is vulnerable to null-pointer dereference, however the issue is already fixed in poppler 0.70, but this will still crash your evince v3.28.4 in ubuntu if poppler is not updated to v.0.70.

Fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version.

I think Ubuntu is still using,
Source: poppler
Version: 0.62.0-2ubuntu2.2
So, most of the systems will be affected to this issue.

Upstream: https://gitlab.freedesktop.org/poppler/poppler/issues/664

2018-11-27 16:51:14 Brian Murray nominated for series Ubuntu Cosmic
2018-11-27 16:51:14 Brian Murray bug task added poppler (Ubuntu Cosmic)
2018-11-27 16:52:02 Brian Murray poppler (Ubuntu Cosmic): status New Fix Committed
2018-11-27 16:52:04 Brian Murray bug added subscriber Ubuntu Stable Release Updates Team
2018-11-27 16:52:06 Brian Murray bug added subscriber SRU Verification
2018-11-27 16:52:10 Brian Murray tags verification-needed verification-needed-cosmic
2018-11-27 20:34:18 Brian Murray poppler (Ubuntu Bionic): status New Fix Committed
2018-11-27 20:34:26 Brian Murray tags verification-needed verification-needed-cosmic verification-needed verification-needed-bionic verification-needed-cosmic
2018-12-04 12:09:50 Launchpad Janitor poppler (Ubuntu Bionic): status Fix Committed Fix Released
2018-12-04 12:09:50 Launchpad Janitor cve linked 2018-16646
2018-12-04 12:09:50 Launchpad Janitor cve linked 2018-19058
2018-12-04 12:09:50 Launchpad Janitor cve linked 2018-19059
2018-12-04 12:09:50 Launchpad Janitor cve linked 2018-19060
2018-12-04 12:51:21 Sebastien Bacher bug added subscriber Ubuntu Security Team
2018-12-04 13:20:55 Marc Deslauriers cve linked 2018-19149
2018-12-05 10:26:44 Sebastien Bacher poppler (Ubuntu Cosmic): status Fix Committed Fix Released
2018-12-08 12:55:41 Miguel attachment added With poppler 0.62.0-2ubuntu2.4, evince and other PDF readers will immediately crash on my system https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1803059/+attachment/5220277/+files/test_CGV_FORFAIT_hors_opt_20170308.pdf
2018-12-09 08:51:05 Miguel poppler (Ubuntu): status Fix Committed Confirmed
2018-12-11 16:34:16 Launchpad Janitor poppler (Ubuntu): status Confirmed Fix Released