Thread-safety bugs in package libpoppler-glib8

Bug #1857902 reported by Michal
This bug affects 1 person
Affects: poppler (Ubuntu)
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

There are these bugs in libpoppler-glib8:

https://gitlab.freedesktop.org/poppler/poppler/issues/845
https://gitlab.freedesktop.org/poppler/poppler/issues/846

The first is about sharing cairo_font_face_t instances in multiple threads, which is not thread-safe. The second is about accessing a global linked-list struct without a proper synchronisation mechanism.

Due to these two bugs, poppler+cairo cannot be used for rendering multiple documents in multiple threads.

The second may potentially be a security vulnerability for applications that use poppler+cairo in multiple threads, due to writes to a potentially uninitialised pointer.

I noticed that the poppler source package contains a lot of patches from Ubuntu updates. Would it be possible to add a patch for this problem to Ubuntu (and also Debian) updates?

Tags: patch
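
For readers unfamiliar with the second class of bug described above (a global linked list touched by several threads without synchronisation), here is an added C example that is not part of the bug report and is not poppler's code. The registry, its function names and the thread counts are hypothetical; it shows the usual mitigation of initialising a node fully and only then linking it in under a mutex that readers also take.

```c
#include <pthread.h>
#include <stdlib.h>
#define THREADS 8
#define PER_THREAD 20000
/* Hypothetical process-wide registry standing in for the global list. */
struct node { int id; struct node *next; };
static struct node *g_head;
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;

/* Initialise the node fully, then link it in under the lock. Without the lock,
 * two threads can read the same g_head and one insertion is silently lost. */
int registry_add(int id) {
    struct node *n = calloc(1, sizeof *n);
    if (!n) return -1;
    n->id = id;
    pthread_mutex_lock(&g_lock);
    n->next = g_head;
    g_head = n;
    pthread_mutex_unlock(&g_lock);
    return 0;
}

/* Readers take the same lock, so they never walk a half-linked list. */
size_t registry_count(void) {
    size_t c = 0;
    pthread_mutex_lock(&g_lock);
    for (struct node *p = g_head; p; p = p->next) c++;
    pthread_mutex_unlock(&g_lock);
    return c;
}

static void *worker(void *arg) {
    for (int i = 0; i < PER_THREAD; i++) registry_add(*(int *)arg + i);
    return NULL;
}

/* Stand-in for THREADS rendering threads; returns the final list length. */
size_t run_workers(void) {
    pthread_t t[THREADS];
    int base[THREADS], started = 0;
    for (; started < THREADS; started++) {
        base[started] = started * PER_THREAD;
        if (pthread_create(&t[started], NULL, worker, &base[started])) break;
    }
    for (int i = 0; i < started; i++) pthread_join(t[i], NULL);
    return registry_count();
}

int main(void) { return run_workers() == (size_t)THREADS * PER_THREAD ? 0 : 1; }
```

Building the same code with the lock calls removed and running it under ThreadSanitizer (`-fsanitize=thread`) reports the data race on `g_head`.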
Michal (misosud) wrote :
Seth Arnold (seth-arnold) wrote :

Hello, I don't see much progress on the upstream bugs; do you know if progress has been reported elsewhere?

Thanks

information type: Private Security → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "460.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in poppler (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Michal (misosud) wrote :
This report contains Public Security information  
Everyone can see this security related information.