<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Vulnerabilities report on libpoppler 0.18.4"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=91414">91414</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Vulnerabilities report on libpoppler 0.18.4
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>poppler
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>poppler-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>vulns.bfs@ssi.gouv.fr
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=117276" name="attach_117276" title="detailed vulnerabilities report and proof of concept files">attachment 117276</a></span>
detailed vulnerabilities report and proof of concept files

Hi,

On behalf of the CERT-FR (CERT of the ANSSI, French Network and Information
Security Agency), I'd like to report several vulnerabilities or defects on
libpoppler. These problems were identified by Guillaume Endignoux during his
internship at the ANSSI, under the supervision of Olivier Levillain.

Guillaume has crafted several PDF files from the specification
(sample-pdf-files.tgz in poppler-report.zip). When opened with Evince, specific
files will cause a crash or an infinite loop. We did not investigate further to
determine if the crashes were exploitable.

As we think that these problems lie in libpoppler, we thought that it would be
more useful to contact you directly instead of Evince's maintainer.

If you can confirm to us that the defects described in
20150716_Vulnerability_Evince_export_v1.pdf will be handled as vulnerabilities
from your side, we will then contact the MITRE to request CVE identifiers.

Do not hesitate to get back to me if you need further information on this
report.


Best regards,
--
Julien Perrot
Vulnerabilities and signatures unit
ANSSI</pre>
        </div>
      </p>
    </body>
</html>