Bugzilla – Bug 10885
poppler needs security update
Last modified: 2007-04-01 02:06:39 UTC
We have 0.3.1 in stable and 0.5.1 in test, poppler's site http://poppler.freedesktop.org/ says: The latest stable poppler release is: poppler-0.4.5.tar.gz, released on Feb 9, 2006. This is just a security update: - Security update; CVE-2006-0301.
poppler 0.4.x has a different API at least for the glib part, so this needs testing whether 0.4.5 breaks any of the poppler dependent spells in stable (gnustep-popplerkit, evince, epdf).
I tested poppler 0.4.5 on my stable box, and I noticed that cairo output is disabled. The config.log says indeed it needs cairo >= 0.5... :-/
Is it planned to integrate cairo 0.5 (and thus gnome 2.12) in stable-rc? I'm afraid we can't correct this otherwise.
Assuming you meant stable, not stable-rc. No such plan, we can't pull in such a big change out of cycle. The only way we can fix this is by getting a patch for the security problem and looking for a way to apply that to poppler 0.3.1.
Attachment https://bugzilla.novell.com/attachment.cgi?id=66287&action=view of https://bugzilla.novell.com/show_bug.cgi?id=141242 has a patch that doesn't apply cleanly to poppler-0.3.1, but it can probably be adapted.
That would be good to solve this before 0.4, but I just noticed that the release 0.4.3 includes two security fixes. Should we not apply those too?
0.4.x is a completely different beast, so can't do anything with it. I'd suggest we just ignore this, stable-rc has 0.5
That would be better indeed, I took a look at all these vulnerabilities and that would take some time to fix that, I don't even know if I'm able to do it. I thought stable-rc still uses this version, that's why I was quite concerned... Anyway even Debian stable uses 0.4.x series so it's really time to leave 0.3.x
If the best we can do is upgrade we should go ahead and do that and integrate it up through stable now. Security updates should get fixed ASAP, independent of any planned grimoire updates. We don't know if stable-0.4 will happen on time til it happens and we don't want to forget things like this.
It's easier to say than to do. ;-) iirc switching to poppler 0.4.x series would imply a lot of updates in the grimoire, cairo of course and a lot of gnome spells (2.10 uses 0.3 series, 2.12 >= 0.4).
Upgrading poppler requires upgrading the users of poppler, which require newer libraries of other things, ... Basically the choice is:
- upgrade poppler to a secure version and break everything that uses it, or
- keep poppler as it is, add a SECURITY file to it in stable
Third choice obviously is to backport the security fixes to poppler 0.3.x
If I'm not mistaken, this security problem is only in the splash output code. So we could disable that with --disable-splash-output. At least evince should be fine with that as it needs the cairo output anyway.
And what about the two other vulnerabilities?
BTW, you defer a bug with RESOLVED DEFERRED not RESOLVED WONTFIX. Typically DEFERRED has another milestone open on the version it will be fixed in. Of course, the easiest thing to do is just to set this bug to have its milestone set at 0.4 (of course, it's missing that)
(In reply to comment #13)
> If I'm not mistaken, this security problem is only in the splash output code. So
> we could disable that with --disable-splash-output. At least evince should be
> fine with that as it needs the cairo output anyway.

Yeah, as noted there's at least 4 more vulnerabilities related to stream.cc that have been fixed in the 4.x series, see http://poppler.freedesktop.org/releases.html. It sounds like our only short-term option for stable is to put a SECURITY warning in place and then send out a ML announcement (so those that have it installed already get a warning). I don't like this, but given that a new stable is really supposed to be close, and that ledger says only 3 people have the 0.3.x version installed, we can probably do it here. We should also verify explicitly that the 0.5.0 version in stable-rc isn't missing any of these fixes.
This bug existed in the stable-0.3 release
I think this is not an issue anymore, 0.5.4 is in all grimoires. Any objections to closing it?
upstream says that's the latest so yes please
closing fixed bugs
reassign to sm-grimoire-bugs