FEDORA-2017-21293887a2

security update in Fedora 26 for poppler

Status: testing 8 days ago

Security fix for CVE-2017-14926, CVE-2017-14927 and CVE-2017-14928.


Security fix for CVE-2017-14617


Security fix for CVE-2017-14517, CVE-2017-14518, CVE-2017-14519 and CVE-2017-14929.

Comments 10

This update has been submitted for testing by dtardon.

This update has obsoleted poppler-0.52.0-7.fc26, and has inherited its bugs and notes.

This update has been pushed to testing.

My apologies, this build happened while Qt-5.9 was temporarily a buildroot override (poppler-qt5 currently has unsatisfied dependency on Qt-5.9). 2 options: rebuild again or wait for Qt-5.9.x to land in updates (If it were me, I'd do the former, so this could go stable faster)

dtardon edited this update.

works for me

karma: +1

Updating this package and krita is impossible for me right now.

 Problem 1: cannot install the best update candidate for package poppler-qt5-0.52.0-6.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
 Problem 2: cannot install the best update candidate for package pykde4-4.14.3-17.fc26.x86_64
  - nothing provides sip-api(12) >= 12.2 needed by pykde4-4.14.3-18.fc26.x86_64
 Problem 3: package poppler-qt5-0.52.0-6.fc26.x86_64 requires poppler(x86-64) = 0.52.0-6.fc26, but none of the providers can be installed
  - cannot install both poppler-0.52.0-8.fc26.x86_64 and poppler-0.52.0-6.fc26.x86_64
  - problem with installed package poppler-qt5-0.52.0-6.fc26.x86_64
  - cannot install the best update candidate for package poppler-0.52.0-6.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
 Problem 4: package okular-part-16.12.3-1.fc26.x86_64 requires libpoppler-qt5.so.1()(64bit), but none of the providers can be installed
  - package poppler-qt5-0.52.0-6.fc26.x86_64 requires poppler(x86-64) = 0.52.0-6.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-5.fc26.x86_64 requires poppler(x86-64) = 0.52.0-5.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-2.fc26.x86_64 requires poppler(x86-64) = 0.52.0-2.fc26, but none of the providers can be installed
  - cannot install both poppler-0.52.0-8.fc26.x86_64 and poppler-0.52.0-6.fc26.x86_64
  - cannot install both poppler-0.52.0-5.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - cannot install both poppler-0.52.0-2.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - package poppler-glib-0.52.0-8.fc26.x86_64 requires poppler(x86-64) = 0.52.0-8.fc26, but none of the providers can be installed
  - cannot install the best update candidate for package poppler-glib-0.52.0-6.fc26.x86_64
  - cannot install the best update candidate for package okular-part-16.12.3-1.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
 Problem 5: package krita-3.3.1-1.fc26.x86_64 requires libpoppler-qt5.so.1()(64bit), but none of the providers can be installed
  - package poppler-qt5-0.52.0-6.fc26.x86_64 requires poppler(x86-64) = 0.52.0-6.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-5.fc26.x86_64 requires poppler(x86-64) = 0.52.0-5.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-2.fc26.x86_64 requires poppler(x86-64) = 0.52.0-2.fc26, but none of the providers can be installed
  - cannot install both poppler-0.52.0-8.fc26.x86_64 and poppler-0.52.0-6.fc26.x86_64
  - cannot install both poppler-0.52.0-5.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - cannot install both poppler-0.52.0-2.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - package poppler-qt-0.52.0-8.fc26.x86_64 requires poppler(x86-64) = 0.52.0-8.fc26, but none of the providers can be installed
  - cannot install the best update candidate for package poppler-qt-0.52.0-6.fc26.x86_64
  - cannot install the best update candidate for package krita-3.3.1-1.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
 Problem 6: package kf5-kfilemetadata-5.38.0-1.fc26.x86_64 requires libpoppler-qt5.so.1()(64bit), but none of the providers can be installed
  - package poppler-qt5-0.52.0-6.fc26.x86_64 requires poppler(x86-64) = 0.52.0-6.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-5.fc26.x86_64 requires poppler(x86-64) = 0.52.0-5.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-2.fc26.x86_64 requires poppler(x86-64) = 0.52.0-2.fc26, but none of the providers can be installed
  - cannot install both poppler-0.52.0-8.fc26.x86_64 and poppler-0.52.0-6.fc26.x86_64
  - cannot install both poppler-0.52.0-5.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - cannot install both poppler-0.52.0-2.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - package poppler-utils-0.52.0-8.fc26.x86_64 requires poppler(x86-64) = 0.52.0-8.fc26, but none of the providers can be installed
  - cannot install the best update candidate for package poppler-utils-0.52.0-6.fc26.x86_64
  - cannot install the best update candidate for package kf5-kfilemetadata-5.38.0-1.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
=======================================================================================================================================
 Package                          Arch                      Version                           Repository                          Size
=======================================================================================================================================
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 poppler                          x86_64                    0.52.0-2.fc26                     fedora                             829 k
 poppler                          x86_64                    0.52.0-5.fc26                     updates                            829 k
 poppler                          x86_64                    0.52.0-8.fc26                     updates-testing                    830 k
Skipping packages with broken dependencies:
 poppler-glib                     x86_64                    0.52.0-8.fc26                     updates-testing                    145 k
 poppler-qt                       x86_64                    0.52.0-8.fc26                     updates-testing                    172 k
 poppler-qt5                      x86_64                    0.52.0-2.fc26                     fedora                             175 k
 poppler-qt5                      x86_64                    0.52.0-5.fc26                     updates                            175 k
 poppler-qt5                      x86_64                    0.52.0-8.fc26                     updates-testing                    174 k
 poppler-utils                    x86_64                    0.52.0-8.fc26                     updates-testing                    190 k
 pykde4                           x86_64                    4.14.3-18.fc26                    updates-testing                    2.9 M

Transaction Summary
=======================================================================================================================================
Skip  10 Packages

karma: -1

Same issue here, installing this package from updates-testing using dnf is not possible as it wants to uninstall poppler-qt5. New bug report for that issue: https://bugzilla.redhat.com/show_bug.cgi?id=1502335

karma: -1 critpath: -1

The requisite qt5-qtbase package is available in a separate update, https://bodhi.fedoraproject.org/updates/FEDORA-2017-c133443edc

Works

karma: +1

Content Type: RPM
Status: testing
Submitted by: dtardon
Update Type: security
Karma: 0
stable threshold: 3
unstable threshold: -3
Autopush: Disabled
Dates:
submitted: 8 days ago
in testing: 8 days ago
days to stable: 6
modified: 7 days ago

Related Bugs 11

#1500322 CVE-2017-14928 poppler: NULL pointer dereference in the AnnotRichMedia::Configuration::Configuration
#1500323 CVE-2017-14926 poppler: NULL pointer dereference in the AnnotRichMedia::Content::Content
#1500324 CVE-2017-14927 poppler: NULL pointer dereference in the SplashOutputDev::type3D0() function
#1500326 CVE-2017-14926 CVE-2017-14927 CVE-2017-14928 poppler: various flaws [fedora-all]
#1499905 CVE-2017-14617 poppler: Floating point exception in the ImageStream class
#1499906 CVE-2017-14617 poppler: Floating point exception in the ImageStream class [fedora-all]
#1499162 CVE-2017-14517 poppler: NULL pointer dereference in the XRef::parseEntry() function
#1499163 CVE-2017-14518 poppler: Floating point exception in the isImageInterpolationRequired() function
#1499165 CVE-2017-14519 poppler: Memory corruption via Gfx.cc infinite loop
#1499167 CVE-2017-14929 poppler: Memory corruption via Gfx.cc infinite loop
#1499168 CVE-2017-14517 CVE-2017-14518 CVE-2017-14519 CVE-2017-14929 CVE-2017-14975 CVE-2017-14976 CVE-2017-14977 poppler: various flaws [fedora-all]
