[Secure-testing-team] Bug#877957: poppler: CVE-2017-14975: NULL pointer dereference in FoFiType1C::convertToType0
Source: poppler Version: 0.57.0-2 Severity: important Tags: patch security upstream Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=102653 Hi, the following vulnerability was published for poppler. CVE-2017-14975[0]: | The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler | 0.59.0 has a NULL pointer dereference vulnerability because a data | structure is not initialized, which allows an attacker to launch a | denial of service attack. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-14975 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14975 [1] https://bugs.freedesktop.org/show_bug.cgi?id=102653 [2] https://cgit.freedesktop.org/poppler/poppler/commit/?id=a5e5649ecf16fa05770620dbbd4985935dc2bbff Please adjust the affected versions in the BTS as needed. Regards, Salvatore ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
[Secure-testing-team] Bug#877954: poppler: CVE-2017-14976: heap overflow in FoFiType1C::convertToType0
Source: poppler Version: 0.57.0-2 Severity: important Tags: security patch upstream Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=102724 Hi, the following vulnerability was published for poppler. CVE-2017-14976[0]: | The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler | 0.59.0 has a heap-based buffer over-read vulnerability if an | out-of-bounds font dictionary index is encountered, which allows an | attacker to launch a denial of service attack. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-14976 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14976 [1] https://bugs.freedesktop.org/show_bug.cgi?id=102724 [2] https://cgit.freedesktop.org/poppler/poppler/commit/?id=da63c35549e8852a410946ab016a3f25ac701bdf Please adjust the affected versions in the BTS as needed. Regards, Salvatore ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
[Secure-testing-team] Bug#877952: poppler: CVE-2017-14977: NULL pointer dereference in FoFiTrueType::getCFFBlock
Source: poppler Version: 0.57.0-2 Severity: important Tags: patch security upstream Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=103045 Hi, the following vulnerability was published for poppler. CVE-2017-14977[0]: | The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler | 0.59.0 has a NULL pointer dereference vulnerability due to lack of | validation of a table pointer, which allows an attacker to launch a | denial of service attack. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-14977 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14977 [1] https://bugs.freedesktop.org/show_bug.cgi?id=103045 [2] https://cgit.freedesktop.org/poppler/poppler/commit/?id=19eedc6fb693a62f305e13079501e3105f869f3c Please adjust the affected versions in the BTS as needed. Regards, Salvatore ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
[Secure-testing-team] Bug#877921: koji: CVE-2017-1002153: Possible to bypass allowed_scm blacklist
Source: koji Version: 1.10.0-1 Severity: important Tags: security upstream patch Hi, the following vulnerability was published for koji. CVE-2017-1002153[0]: | Koji 1.13.0 does not properly validate SCM paths, allowing an attacker | to work around blacklisted paths for build submission. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-1002153 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002153 [1] https://pagure.io/koji/issue/563 [2] https://pagure.io/koji/c/ba7b5a3cbed11ade11c3af5e834c9a6de4f6d7c3 Regards, Salvatore ___ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
