Discussion:
libpoppler security `fix' breaks PDF processing of many documents
Nelson H. F. Beebe
2018-03-24 01:09:22 UTC
The Devuan (***@lists.dyne.org) developer list today contains several
reports that recent system updates to libpoppler have broken PDF
processing of many documents, in multiple viewers, including okular,
evince, and xpdf. The symptom is blank pages and/or missing font
characters.

There are two postings at

https://bugs.debian.org/886798
https://bugs.debian.org/890826

They suggest that a recent libpoppler security `fix' is itself broken.

Thus, we need to watch for new libpoppler source updates that really
fix the problem, and incorporate those into the TeX Live 2018 source
tree. Alternatively, if that does not happen soon enough,
backtracking to an older less buggy version of the library may be
called for.

-------------------------------------------------------------------------------
- Nelson H. F. Beebe Tel: +1 801 581 5254 -
- University of Utah FAX: +1 801 581 4148 -
- Department of Mathematics, 110 LCB Internet e-mail: ***@math.utah.edu -
- 155 S 1400 E RM 233 ***@acm.org ***@computer.org -
- Salt Lake City, UT 84112-0090, USA URL: http://www.math.utah.edu/~beebe/ -
-------------------------------------------------------------------------------
Ken Moffat
2018-03-24 02:00:14 UTC
Post by Nelson H. F. Beebe
> reports that recent system updates to libpoppler have broken PDF
> processing of many documents, in multiple viewers, including okular,
> evince, and xpdf. The symptom is blank pages and/or missing font
> characters.
> There are two postings at
> https://bugs.debian.org/886798
> https://bugs.debian.org/890826
> They suggest that a recent libpoppler security `fix' is itself broken.
> Thus, we need to watch for new libpoppler source updates that really
> fix the problem, and incorporate those into the TeX Live 2018 source
> tree. Alternatively, if that does not happen soon enough,
> backtracking to an older less buggy version of the library may be
> called for.

From a quick look at those two bugs, they are for poppler-0.26
series (libpoppler-0.46). Is that not already very old?

Earlier this week I built recent 2018 source against poppler-0.62 -
I see that my libpoppler version is now 73.

I take my hat off to people who manage to maintain older versions of
packages when vulnerabilities sometimes come to light years after a
particular version is released, but from time to time a fix breaks
things. Meanwhile, the version of libpoppler in texlive from a few
days ago seems to be 0.63 (from reading configure.ac) so I think the
problem will only impact linux distros who build against system
poppler *and* use that old version.

ĸen
--
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
- Unseen Academicals