FEDORA-2017-21293887a2

security update in Fedora 26 for poppler

Status: obsolete

Security fix for CVE-2017-14926, CVE-2017-14927 and CVE-2017-14928.


Security fix for CVE-2017-14617


Security fix for CVE-2017-14517, CVE-2017-14518, CVE-2017-14519 and CVE-2017-14929.

Comments 15

This update has been submitted for testing by dtardon.

This update has obsoleted poppler-0.52.0-7.fc26, and has inherited its bugs and notes.

This update has been pushed to testing.

My apologies, this build happened while Qt-5.9 was temporarily a buildroot override (poppler-qt5 currently has unsatisfied dependency on Qt-5.9). 2 options: rebuild again or wait for Qt-5.9.x to land in updates (If it were me, I'd do the former, so this could go stable faster)

dtardon edited this update.

works for me

karma: +1

Updating this package and krita is impossible for me right now.

 Problem 1: cannot install the best update candidate for package poppler-qt5-0.52.0-6.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
 Problem 2: cannot install the best update candidate for package pykde4-4.14.3-17.fc26.x86_64
  - nothing provides sip-api(12) >= 12.2 needed by pykde4-4.14.3-18.fc26.x86_64
 Problem 3: package poppler-qt5-0.52.0-6.fc26.x86_64 requires poppler(x86-64) = 0.52.0-6.fc26, but none of the providers can be installed
  - cannot install both poppler-0.52.0-8.fc26.x86_64 and poppler-0.52.0-6.fc26.x86_64
  - problem with installed package poppler-qt5-0.52.0-6.fc26.x86_64
  - cannot install the best update candidate for package poppler-0.52.0-6.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
 Problem 4: package okular-part-16.12.3-1.fc26.x86_64 requires libpoppler-qt5.so.1()(64bit), but none of the providers can be installed
  - package poppler-qt5-0.52.0-6.fc26.x86_64 requires poppler(x86-64) = 0.52.0-6.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-5.fc26.x86_64 requires poppler(x86-64) = 0.52.0-5.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-2.fc26.x86_64 requires poppler(x86-64) = 0.52.0-2.fc26, but none of the providers can be installed
  - cannot install both poppler-0.52.0-8.fc26.x86_64 and poppler-0.52.0-6.fc26.x86_64
  - cannot install both poppler-0.52.0-5.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - cannot install both poppler-0.52.0-2.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - package poppler-glib-0.52.0-8.fc26.x86_64 requires poppler(x86-64) = 0.52.0-8.fc26, but none of the providers can be installed
  - cannot install the best update candidate for package poppler-glib-0.52.0-6.fc26.x86_64
  - cannot install the best update candidate for package okular-part-16.12.3-1.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
 Problem 5: package krita-3.3.1-1.fc26.x86_64 requires libpoppler-qt5.so.1()(64bit), but none of the providers can be installed
  - package poppler-qt5-0.52.0-6.fc26.x86_64 requires poppler(x86-64) = 0.52.0-6.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-5.fc26.x86_64 requires poppler(x86-64) = 0.52.0-5.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-2.fc26.x86_64 requires poppler(x86-64) = 0.52.0-2.fc26, but none of the providers can be installed
  - cannot install both poppler-0.52.0-8.fc26.x86_64 and poppler-0.52.0-6.fc26.x86_64
  - cannot install both poppler-0.52.0-5.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - cannot install both poppler-0.52.0-2.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - package poppler-qt-0.52.0-8.fc26.x86_64 requires poppler(x86-64) = 0.52.0-8.fc26, but none of the providers can be installed
  - cannot install the best update candidate for package poppler-qt-0.52.0-6.fc26.x86_64
  - cannot install the best update candidate for package krita-3.3.1-1.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
 Problem 6: package kf5-kfilemetadata-5.38.0-1.fc26.x86_64 requires libpoppler-qt5.so.1()(64bit), but none of the providers can be installed
  - package poppler-qt5-0.52.0-6.fc26.x86_64 requires poppler(x86-64) = 0.52.0-6.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-5.fc26.x86_64 requires poppler(x86-64) = 0.52.0-5.fc26, but none of the providers can be installed
  - package poppler-qt5-0.52.0-2.fc26.x86_64 requires poppler(x86-64) = 0.52.0-2.fc26, but none of the providers can be installed
  - cannot install both poppler-0.52.0-8.fc26.x86_64 and poppler-0.52.0-6.fc26.x86_64
  - cannot install both poppler-0.52.0-5.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - cannot install both poppler-0.52.0-2.fc26.x86_64 and poppler-0.52.0-8.fc26.x86_64
  - package poppler-utils-0.52.0-8.fc26.x86_64 requires poppler(x86-64) = 0.52.0-8.fc26, but none of the providers can be installed
  - cannot install the best update candidate for package poppler-utils-0.52.0-6.fc26.x86_64
  - cannot install the best update candidate for package kf5-kfilemetadata-5.38.0-1.fc26.x86_64
  - nothing provides libQt5Core.so.5(Qt_5.9)(64bit) needed by poppler-qt5-0.52.0-8.fc26.x86_64
=======================================================================================================================================
 Package                          Arch                      Version                           Repository                          Size
=======================================================================================================================================
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 poppler                          x86_64                    0.52.0-2.fc26                     fedora                             829 k
 poppler                          x86_64                    0.52.0-5.fc26                     updates                            829 k
 poppler                          x86_64                    0.52.0-8.fc26                     updates-testing                    830 k
Skipping packages with broken dependencies:
 poppler-glib                     x86_64                    0.52.0-8.fc26                     updates-testing                    145 k
 poppler-qt                       x86_64                    0.52.0-8.fc26                     updates-testing                    172 k
 poppler-qt5                      x86_64                    0.52.0-2.fc26                     fedora                             175 k
 poppler-qt5                      x86_64                    0.52.0-5.fc26                     updates                            175 k
 poppler-qt5                      x86_64                    0.52.0-8.fc26                     updates-testing                    174 k
 poppler-utils                    x86_64                    0.52.0-8.fc26                     updates-testing                    190 k
 pykde4                           x86_64                    4.14.3-18.fc26                    updates-testing                    2.9 M

Transaction Summary
=======================================================================================================================================
Skip  10 Packages

karma: -1

Same issue here, installing this package from updates-testing using dnf is not possible as it wants to uninstall poppler-qt5. New bug report for that issue: https://bugzilla.redhat.com/show_bug.cgi?id=1502335

karma: -1 critpath: -1

The requisite qt5-qtbase package is available in a separate update, https://bodhi.fedoraproject.org/updates/FEDORA-2017-c133443edc

works for me - all the -1 because of deps are nonsense, the qt packages were built but at that point in time not pushed to the repos which is normal - so keep your uneducated -1 for yourself and at least ask what that means as long as dnf simply skips while other updates are properly applied

karma: +1

Works fine for me too, now, after the qt packages have been updated.

@hreindl: If the package does not install from updates-testing, it is broken. That's not about being uneducated or not.

karma: +1 critpath: +1

@genodeftest that is nonsense - then give a 0 karma and make a comment until you understand what is happening, giving negative karma leads to not push security updates after the issue is fixed or where were you to revert your negative karma until a few minutes ago?

my excuse for not giving positive karma days ago is https://bugzilla.redhat.com/show_bug.cgi?id=1504089 but you should have reverted your negative manually per web interface instead of holding back security updates

just because it doesn't solve deps on your machine doesn't mean it wouldn't on others whout in that case gnome or server machines using poppler - hence the 0 karma with the comment option exists

pdf rendering looks fine in evince

karma: +1

This update has been obsoleted by poppler-0.52.0-9.fc26.


Content Type: RPM
Status: obsolete
Submitted by:
Update Type: security
Karma: +4 (stable threshold: 3, unstable threshold: -3)
Autopush: Disabled
Dates: submitted 2 months ago; in testing 2 months ago; modified 2 months ago

Related Bugs 11

#1500322 CVE-2017-14928 poppler: NULL pointer dereference in the AnnotRichMedia::Configuration::Configuration
#1500323 CVE-2017-14926 poppler: NULL pointer dereference in the AnnotRichMedia::Content::Content
#1500324 CVE-2017-14927 poppler: NULL pointer dereference in the SplashOutputDev::type3D0() function
#1500326 CVE-2017-14926 CVE-2017-14927 CVE-2017-14928 poppler: various flaws [fedora-all]
#1499905 CVE-2017-14617 poppler: Floating point exception in the ImageStream class
#1499906 CVE-2017-14617 poppler: Floating point exception in the ImageStream class [fedora-all]
#1499162 CVE-2017-14517 poppler: NULL pointer dereference in the XRef::parseEntry() function
#1499163 CVE-2017-14518 poppler: Floating point exception in the isImageInterpolationRequired() function
#1499165 CVE-2017-14519 poppler: Memory corruption via Gfx.cc infinite loop
#1499167 CVE-2017-14929 poppler: Memory corruption via Gfx.cc infinite loop
#1499168 CVE-2017-14517 CVE-2017-14518 CVE-2017-14519 CVE-2017-14929 CVE-2017-14975 CVE-2017-14976 CVE-2017-14977 poppler: various flaws [fedora-all]
