Your message dated Thu, 15 Nov 2007 13:32:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#450628: fixed in poppler 0.6.2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: poppler
Version: 0.6.1-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for poppler.

CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.

CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in 
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows 
| remote attackers to execute arbitrary code via a crafted PDF 
| file, resulting in a heap-based buffer overflow.

CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar 
| method in xpdf/Stream.cc in Xpdf 3.02 with 
| xpdf-3.02pl1.patch allows remote attackers to execute 
| arbitrary code via a PDF file that contains a crafted 
| CCITTFaxDecode filter.

Since poppler includes the xpdf code it should be affected.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgp5hC7mXqpbl.pgp
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 0.6.2-1

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive:

libpoppler-dev_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-dev_0.6.2-1_amd64.deb
libpoppler-glib-dev_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-glib-dev_0.6.2-1_amd64.deb
libpoppler-glib2_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-glib2_0.6.2-1_amd64.deb
libpoppler-qt-dev_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt-dev_0.6.2-1_amd64.deb
libpoppler-qt2_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt2_0.6.2-1_amd64.deb
libpoppler-qt4-2_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt4-2_0.6.2-1_amd64.deb
libpoppler-qt4-dev_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt4-dev_0.6.2-1_amd64.deb
libpoppler2_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler2_0.6.2-1_amd64.deb
poppler-utils_0.6.2-1_amd64.deb
  to pool/main/p/poppler/poppler-utils_0.6.2-1_amd64.deb
poppler_0.6.2-1.diff.gz
  to pool/main/p/poppler/poppler_0.6.2-1.diff.gz
poppler_0.6.2-1.dsc
  to pool/main/p/poppler/poppler_0.6.2-1.dsc
poppler_0.6.2.orig.tar.gz
  to pool/main/p/poppler/poppler_0.6.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <[EMAIL PROTECTED]> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 14 Nov 2007 11:20:07 +0100
Source: poppler
Binary: libpoppler-qt2 libpoppler-glib-dev poppler-utils libpoppler-qt4-dev 
libpoppler2 libpoppler-qt4-2 libpoppler-glib2 libpoppler-dev libpoppler-qt-dev
Architecture: source amd64
Version: 0.6.2-1
Distribution: unstable
Urgency: low
Maintainer: Ondřej Surý <[EMAIL PROTECTED]>
Changed-By: Ondřej Surý <[EMAIL PROTECTED]>
Description: 
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib 
interface)
 libpoppler-glib2 - PDF rendering library (GLib-based shared library)
 libpoppler-qt-dev - PDF rendering library -- development files (Qt 3 interface)
 libpoppler-qt2 - PDF rendering library (Qt 3 based shared library)
 libpoppler-qt4-2 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 
interface)
 libpoppler2 - PDF rendering library
 poppler-utils - PDF utilitites (based on libpoppler)
Closes: 347789 440936 447992 450628
Changes: 
 poppler (0.6.2-1) unstable; urgency=low
 .
   * New upstream version. (Closes: #447992)
   * Dependency on xpdfrc was removed on 2007-02-25 (Closes: #347789, #440936)
   * Changes since 0.6.1:
     - Fix CVE-2007-4352, CVE-2007-5392 and CVE-2007-5393 (Closes: #450628)
     - Fix a crash on documents with wrong CCITTFaxStream
     - Fix a crash in the Cairo renderer with invalid embedded fonts
     - Fix a crash with invalid TrueType fonts
     - Check if font is inside the clip area before rendering
       it to a temporary bitmap in the Splash renderer. Fixes crashes on
       incorrect documents
     - Do not use exit(1) on DCTStream errors
     - Detect form fields at any depth level
     - Do not generate appearance stream for radio buttons that are not active
Files: 
 16501525b69d7d671b715e1b921ce6a3 1082 devel optional poppler_0.6.2-1.dsc
 9aa3247277f56d4ea8c045626531d19b 1289454 devel optional 
poppler_0.6.2.orig.tar.gz
 fd95b56351dad0c0c0e42e987297dc4b 8098 devel optional poppler_0.6.2-1.diff.gz
 07294297e7aa73e9fd723fa376301c49 736596 libs optional 
libpoppler2_0.6.2-1_amd64.deb
 41e04035d0596b3cdddaa7117dc18983 989762 libdevel optional 
libpoppler-dev_0.6.2-1_amd64.deb
 e8acdd158f29207eab11bb35bb30212d 156964 libs optional 
libpoppler-glib2_0.6.2-1_amd64.deb
 5a92527589db8c55b5d0b57ba18c4a24 213438 libdevel optional 
libpoppler-glib-dev_0.6.2-1_amd64.deb
 6c222e3c75f9c8a39ff3a49df9bae394 128702 libs optional 
libpoppler-qt2_0.6.2-1_amd64.deb
 8aed4af87b4fa9d76acb2daec1312ca5 136192 libdevel optional 
libpoppler-qt-dev_0.6.2-1_amd64.deb
 9091fab2b90352ac74b9bc1315fc2114 250550 libs optional 
libpoppler-qt4-2_0.6.2-1_amd64.deb
 3e91ee095dc085ce84d750a1d70f516a 289612 libdevel optional 
libpoppler-qt4-dev_0.6.2-1_amd64.deb
 e991066fbb9047e052b32c6e1d9e2714 180902 utils optional 
poppler-utils_0.6.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHPEig9OZqfMIN8nMRAo5nAJ9Iq2EqWmvvZQ2rfl7fTpxYlDsXJwCfeXoT
IMXAwBQvoYazkpPaSBzhfx4=
=bCdx
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to