Your message dated Thu, 15 Nov 2007 13:32:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#450628: fixed in poppler 0.6.2-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: poppler
Version: 0.6.1-1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for poppler.
CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.
CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
| remote attackers to execute arbitrary code via a crafted PDF
| file, resulting in a heap-based buffer overflow.
CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar
| method in xpdf/Stream.cc in Xpdf 3.02 with
| xpdf-3.02pl1.patch allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted
| CCITTFaxDecode filter.
Since poppler includes the xpdf code it should be affected.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgp5hC7mXqpbl.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 0.6.2-1
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive:
libpoppler-dev_0.6.2-1_amd64.deb
to pool/main/p/poppler/libpoppler-dev_0.6.2-1_amd64.deb
libpoppler-glib-dev_0.6.2-1_amd64.deb
to pool/main/p/poppler/libpoppler-glib-dev_0.6.2-1_amd64.deb
libpoppler-glib2_0.6.2-1_amd64.deb
to pool/main/p/poppler/libpoppler-glib2_0.6.2-1_amd64.deb
libpoppler-qt-dev_0.6.2-1_amd64.deb
to pool/main/p/poppler/libpoppler-qt-dev_0.6.2-1_amd64.deb
libpoppler-qt2_0.6.2-1_amd64.deb
to pool/main/p/poppler/libpoppler-qt2_0.6.2-1_amd64.deb
libpoppler-qt4-2_0.6.2-1_amd64.deb
to pool/main/p/poppler/libpoppler-qt4-2_0.6.2-1_amd64.deb
libpoppler-qt4-dev_0.6.2-1_amd64.deb
to pool/main/p/poppler/libpoppler-qt4-dev_0.6.2-1_amd64.deb
libpoppler2_0.6.2-1_amd64.deb
to pool/main/p/poppler/libpoppler2_0.6.2-1_amd64.deb
poppler-utils_0.6.2-1_amd64.deb
to pool/main/p/poppler/poppler-utils_0.6.2-1_amd64.deb
poppler_0.6.2-1.diff.gz
to pool/main/p/poppler/poppler_0.6.2-1.diff.gz
poppler_0.6.2-1.dsc
to pool/main/p/poppler/poppler_0.6.2-1.dsc
poppler_0.6.2.orig.tar.gz
to pool/main/p/poppler/poppler_0.6.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
OndÅej Surý <[EMAIL PROTECTED]> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 14 Nov 2007 11:20:07 +0100
Source: poppler
Binary: libpoppler-qt2 libpoppler-glib-dev poppler-utils libpoppler-qt4-dev
libpoppler2 libpoppler-qt4-2 libpoppler-glib2 libpoppler-dev libpoppler-qt-dev
Architecture: source amd64
Version: 0.6.2-1
Distribution: unstable
Urgency: low
Maintainer: OndÅej Surý <[EMAIL PROTECTED]>
Changed-By: OndÅej Surý <[EMAIL PROTECTED]>
Description:
libpoppler-dev - PDF rendering library -- development files
libpoppler-glib-dev - PDF rendering library -- development files (GLib
interface)
libpoppler-glib2 - PDF rendering library (GLib-based shared library)
libpoppler-qt-dev - PDF rendering library -- development files (Qt 3 interface)
libpoppler-qt2 - PDF rendering library (Qt 3 based shared library)
libpoppler-qt4-2 - PDF rendering library (Qt 4 based shared library)
libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4
interface)
libpoppler2 - PDF rendering library
poppler-utils - PDF utilitites (based on libpoppler)
Closes: 347789 440936 447992 450628
Changes:
poppler (0.6.2-1) unstable; urgency=low
.
* New upstream version. (Closes: #447992)
* Dependency on xpdfrc was removed on 2007-02-25 (Closes: #347789, #440936)
* Changes since 0.6.1:
- Fix CVE-2007-4352, CVE-2007-5392 and CVE-2007-5393 (Closes: #450628)
- Fix a crash on documents with wrong CCITTFaxStream
- Fix a crash in the Cairo renderer with invalid embedded fonts
- Fix a crash with invalid TrueType fonts
- Check if font is inside the clip area before rendering
it to a temporary bitmap in the Splash renderer. Fixes crashes on
incorrect documents
- Do not use exit(1) on DCTStream errors
- Detect form fields at any depth level
- Do not generate appearance stream for radio buttons that are not active
Files:
16501525b69d7d671b715e1b921ce6a3 1082 devel optional poppler_0.6.2-1.dsc
9aa3247277f56d4ea8c045626531d19b 1289454 devel optional
poppler_0.6.2.orig.tar.gz
fd95b56351dad0c0c0e42e987297dc4b 8098 devel optional poppler_0.6.2-1.diff.gz
07294297e7aa73e9fd723fa376301c49 736596 libs optional
libpoppler2_0.6.2-1_amd64.deb
41e04035d0596b3cdddaa7117dc18983 989762 libdevel optional
libpoppler-dev_0.6.2-1_amd64.deb
e8acdd158f29207eab11bb35bb30212d 156964 libs optional
libpoppler-glib2_0.6.2-1_amd64.deb
5a92527589db8c55b5d0b57ba18c4a24 213438 libdevel optional
libpoppler-glib-dev_0.6.2-1_amd64.deb
6c222e3c75f9c8a39ff3a49df9bae394 128702 libs optional
libpoppler-qt2_0.6.2-1_amd64.deb
8aed4af87b4fa9d76acb2daec1312ca5 136192 libdevel optional
libpoppler-qt-dev_0.6.2-1_amd64.deb
9091fab2b90352ac74b9bc1315fc2114 250550 libs optional
libpoppler-qt4-2_0.6.2-1_amd64.deb
3e91ee095dc085ce84d750a1d70f516a 289612 libdevel optional
libpoppler-qt4-dev_0.6.2-1_amd64.deb
e991066fbb9047e052b32c6e1d9e2714 180902 utils optional
poppler-utils_0.6.2-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHPEig9OZqfMIN8nMRAo5nAJ9Iq2EqWmvvZQ2rfl7fTpxYlDsXJwCfeXoT
IMXAwBQvoYazkpPaSBzhfx4=
=bCdx
-----END PGP SIGNATURE-----
--- End Message ---