[tex-live] libpoppler security `fix' breaks PDF processing of many documents

Ken Moffat zarniwhoop at ntlworld.com
Sat Mar 24 03:00:14 CET 2018


On Fri, Mar 23, 2018 at 07:09:22PM -0600, Nelson H. F. Beebe wrote:
> The Devuan (Dng at lists.dyne.org) developer list today contains several
> reports that recent system updates to libpoppler have broken PDF
> processing of many documents, in multiple viewers, including okular,
> evince, and xpdf.  The symptom is blank pages and/or missing font
> characters.
> 
> There are two postings at
> 
> 	https://bugs.debian.org/886798
> 	https://bugs.debian.org/890826
> 
> They suggest that a recent libpoppler security `fix' is itself broken.
> 
> Thus, we need to watch for new libpoppler source updates that really
> fix the problem, and incorporate those into the TeX Live 2018 source
> tree.  Alternatively, if that does not happen soon enough,
> backtracking to an older less buggy version of the library may be
> called for.
> 
>From a quick look at those two bugs, they are for poppler-0.26
series (libpoppler-0.46).  Is that not already very old ?

Earlier this week I built recent 2018 source against poppler-0.62 -
I see that my libpoppler version is now 73.

I take my hat off to people who manage to maintain older versions of
packages when vulnerabilities sometimes come to light years after a
particular version is released, but from time to time a fix breaks
things.  Meanwhile, the version of libpoppler in texlive from a few
days ago seems to be 0.63 (from reading configure.ac) so I think the
problem will only impact linux distros who build against system
poppler *and* use that old version.

ĸen
-- 
Truth, in front of her huge walk-in wardrobe, selected black leather
boots with stiletto heels for such a barefaced truth.
                                     - Unseen Academicals


More information about the tex-live mailing list