Your message dated Tue, 15 Aug 2017 23:00:12 +0000
with message-id <[email protected]>
and subject line Bug#865679: fixed in poppler 0.57.0-1
has caused the Debian Bug report #865679,
regarding poppler: CVE-2017-9776: integer overflow leading to heap buffer
overflow in JBIG2Stream.cc via a crafted PDF document
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
865679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865679
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: poppler
Version: 0.26.5-2
Severity: important
Tags: security patch upstream
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=101541
Hi,
the following vulnerability was published for poppler.
CVE-2017-9776[0]:
| Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in
| pdftocairo in Poppler before 0.56 allows remote attackers to cause a
| denial of service (application crash) or possibly have unspecified
| other impact via a crafted PDF document.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
[1] https://bugs.freedesktop.org/show_bug.cgi?id=101541
[2] https://cgit.freedesktop.org/poppler/poppler/commit/?id=a3a98a6d83dfbf49f565f5aa2d7c07153a7f62fc
Please adjust the affected versions in the BTS as needed, afaics a
proper check is as well missing in the jessie version.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 0.57.0-1
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <[email protected]> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 14 Aug 2017 22:19:15 +0200
Source: poppler
Binary: libpoppler68 libpoppler-dev libpoppler-private-dev libpoppler-glib8
libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4
libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0v5
libpoppler-cpp-dev poppler-utils
Architecture: source amd64 all
Version: 0.57.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian freedesktop.org maintainers <[email protected]>
Changed-By: Emilio Pozuelo Monfort <[email protected]>
Description:
gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
libpoppler-cpp0v5 - PDF rendering library (CPP shared library)
libpoppler-dev - PDF rendering library -- development files
libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
libpoppler-glib8 - PDF rendering library (GLib-based shared library)
libpoppler-private-dev - PDF rendering library -- private development files
libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
libpoppler68 - PDF rendering library
poppler-utils - PDF utilities (based on Poppler)
Closes: 860955 863759 864009 864010 865679 865680 867477
Changes:
poppler (0.57.0-1) experimental; urgency=medium
.
[ Pino Toscano ]
* Update Vcs-* fields.
* Add a lintian override for the "breaks-without-version xpdf-common" in
  poppler-utils, as it is making sure to clean up xpdf-common for upgrades
  to Buster.
.
[ Emilio Pozuelo Monfort ]
* New upstream release. Closes: #860955.
* Fixes:
  CVE-2017-9406: memory leak parsing XRef entries. Closes: #864010.
  CVE-2017-9408: memory leak in Object::initArray. Closes: #864009.
  CVE-2017-9775: stack buffer overflow in GfxState.cc. Closes: #865680.
  CVE-2017-9776: integer overflow leading to heap buffer overflow
    in JBIG2Stream.cc. Closes: #865679.
  CVE-2017-9865: stack buffer overflow in GfxImageColorMap::getGray.
    Closes: #867477.
  CVE-2017-7511: pdfunite denial of service due to null pointer
    dereference. Closes: #863759.
* debian/patches/upstream_pdfseparate-remove-extra-in-error-message.patch:
  + Dropped, fixed upstream.
* Update symbols files.
* libpoppler64 -> libpoppler68.
* Re-enable PIE. Looks like Qt5 got fixed.
* Bump debhelper compat to 10.
  + debhelper now defaults to --with autoreconf.
  + It also defaults to --parallel.
* Switch to -dbgsym packages.
* Set the team as maintainer.
* Add myself to uploaders.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---