diff --git a/poppler-0.63.0-negative-object-number.patch b/poppler-0.63.0-negative-object-number.patch new file mode 100644 index 0000000..bc2fd6a --- /dev/null +++ b/poppler-0.63.0-negative-object-number.patch @@ -0,0 +1,25 @@ +From 004e3c10df0abda214f0c293f9e269fdd979c5ee Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Wed, 18 Jul 2018 20:31:27 +0200 +Subject: Fix crash when Object has negative number + +Spec says object number has to be > 0 and gen has to be >= 0 + +Reported by email + +diff --git a/poppler/Parser.cc b/poppler/Parser.cc +index 39c9a967..8b0093e3 100644 +--- a/poppler/Parser.cc ++++ b/poppler/Parser.cc +@@ -154,6 +154,11 @@ Object Parser::getObj(GBool simpleOnly, + const int gen = buf1.getInt(); + shift(); + shift(); ++ ++ if (unlikely(num <= 0 || gen < 0)) { ++ return Object(); ++ } ++ + return Object(num, gen); + } else { + return Object(num); diff --git a/poppler.spec b/poppler.spec index 5056820..87066b2 100644 --- a/poppler.spec +++ b/poppler.spec @@ -4,7 +4,7 @@ Summary: PDF rendering library Name: poppler Version: 0.63.0 -Release: 4%{?dist} +Release: 5%{?dist} License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -20,6 +20,9 @@ Patch3: CVE-2017-18267.patch Patch4: poppler-0.63.0-python3.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1602838 +Patch5: poppler-0.63.0-negative-object-number.patch + BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: gettext-devel @@ -250,6 +253,10 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %{_mandir}/man1/* %changelog +* Thu Jul 26 2018 Marek Kasik - 0.63.0-5 +- Fix crash when Object has negative number (CVE-2018-13988) +- Resolves: #1607461 + * Mon Jul 23 2018 Marek Kasik - 0.63.0-4 - Use /usr/bin/python3 explicitly - https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3#Transition_Steps