poppler: New integer overflows [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

Bug #28030 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to  Milestone
poppler (Debian)  Fix Released  Unknown
poppler (Ubuntu)  Fix Released  High        Martin Pitt

Bug Description

Automatically imported from Debian bug report #346076 http://bugs.debian.org/346076

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 14:03:16 +0100
From: Martin Pitt <email address hidden>
To: Debian BTS Submit <email address hidden>
Cc: <email address hidden>
Subject: poppler: New integer overflows [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]


Package: poppler
Version: 0.4.3-1
Severity: critical
Tags: security patch

Hi!

Chris Evans found some more integer overflows in the xpdf code [1]
which affect poppler as well. [1] also has demo exploit PDFs for patch
checking.

In addition, upstream used a slightly wrong patch for CVE-2005-3192, I
reported that as [2] and included the fix in the latest Ubuntu
version.

See [4] for the Ubuntu debdiff. I also forwarded the patch upstream [3].

Thanks,

Martin

[1] http://scary.beasts.org/security/b0dfca810501f2da/CESA-2005-003.txt
[2] https://bugs.freedesktop.org/show_bug.cgi?id=5514
[3] https://bugs.freedesktop.org/show_bug.cgi?id=5516
[4] http://patches.ubuntu.com/patches/poppler.CVE-2005-3624_5_7.diff

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?


Martin Pitt (pitti) wrote :

Already fixed in Dapper, stables fix pending.

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 05 Jan 2006 06:17:24 -0800
From: Ondřej Surý <email address hidden>
To: <email address hidden>
Subject: Bug#346076: fixed in poppler 0.4.3-2

Source: poppler
Source-Version: 0.4.3-2

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive:

libpoppler-dev_0.4.3-2_i386.deb
  to pool/main/p/poppler/libpoppler-dev_0.4.3-2_i386.deb
libpoppler-glib-dev_0.4.3-2_i386.deb
  to pool/main/p/poppler/libpoppler-glib-dev_0.4.3-2_i386.deb
libpoppler-qt-dev_0.4.3-2_i386.deb
  to pool/main/p/poppler/libpoppler-qt-dev_0.4.3-2_i386.deb
libpoppler0c2-glib_0.4.3-2_i386.deb
  to pool/main/p/poppler/libpoppler0c2-glib_0.4.3-2_i386.deb
libpoppler0c2-qt_0.4.3-2_i386.deb
  to pool/main/p/poppler/libpoppler0c2-qt_0.4.3-2_i386.deb
libpoppler0c2_0.4.3-2_i386.deb
  to pool/main/p/poppler/libpoppler0c2_0.4.3-2_i386.deb
poppler-utils_0.4.3-2_i386.deb
  to pool/main/p/poppler/poppler-utils_0.4.3-2_i386.deb
poppler_0.4.3-2.diff.gz
  to pool/main/p/poppler/poppler_0.4.3-2.diff.gz
poppler_0.4.3-2.dsc
  to pool/main/p/poppler/poppler_0.4.3-2.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <email address hidden> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)


Format: 1.7
Date: Thu, 5 Jan 2006 14:54:44 +0100
Source: poppler
Binary: libpoppler-glib-dev poppler-utils libpoppler0c2-qt libpoppler-qt-dev libpoppler-dev libpoppler0c2-glib libpoppler0c2
Architecture: source i386
Version: 0.4.3-2
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <email address hidden>
Changed-By: Ondřej Surý <email address hidden>
Description:
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-qt-dev - PDF rendering library -- development files (Qt interface)
 libpoppler0c2 - PDF rendering library
 libpoppler0c2-glib - PDF rendering library (GLib-based shared library)
 libpoppler0c2-qt - PDF rendering library (Qt-based shared library)
 poppler-utils - PDF utilities (based on libpoppler)
Closes: 346076
Changes:
 poppler (0.4.3-2) unstable; urgency=high
 .
   [ Martin Pitt ]
   * SECURITY UPDATE: Multiple integer/buffer overflows.
   * Add debian/patches/003-CVE-2005-3624_5_7.patch:
     - poppler/Stream.cc, CCITTFaxStream::CCITTFaxStream():
       + Check columns for negative or large values.
       + CVE-2005-3624
     - poppler/Stream.cc, numComps checks introduced in CVE-2005-3191 patch:
       + Reset numComps to 0 since it's a global variable that is used later.
       + CVE-2005-3627
     - poppler/Stream.cc, DCTStream::re...

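The "check columns for negative or large values" fix that the changelog entry describes, as an added illustration (not poppler's or xpdf's code): a 32-bit model of the unchecked CCITTFax buffer-size computation beside a guarded one. The "+ 3" slack and the MAX_COLUMNS bound are assumptions made for this example, not the upstream values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not poppler's or xpdf's code. It models the buffer sizing
 * that a CCITTFax decoder derives from the /Columns entry of an untrusted
 * stream dictionary. The "+ 3" slack and MAX_COLUMNS are assumptions made
 * for this example, not the values used upstream. */

/* Pre-patch pattern on a 32-bit build: the size is computed directly from
 * the attacker-controlled value. Arithmetic is done in uint32_t so the
 * example has no undefined behaviour yet reproduces the 32-bit wraparound:
 * a huge /Columns wraps to a tiny allocation, a negative one to zero or to
 * a near-4 GiB request, and the decoder later writes past whatever it got. */
uint32_t unchecked_line_bytes(int32_t columns) {
    uint32_t n = (uint32_t)columns + 3u;   /* (columns + 3) shorts */
    return n * (uint32_t)sizeof(short);
}

/* Largest /Columns for which (columns + 3) * sizeof(short) still fits in a
 * signed 32-bit size; an assumed bound for the example. */
#define MAX_COLUMNS ((INT32_MAX / (int32_t)sizeof(short)) - 3)

/* Post-patch pattern, in the spirit of the changelog entry "check columns
 * for negative or large values": validate the range before any arithmetic.
 * Returns 0 when the value is rejected; every accepted value yields >= 8. */
uint32_t checked_line_bytes(int32_t columns) {
    if (columns < 1 || columns > MAX_COLUMNS)
        return 0;                          /* caller treats 0 as "reject stream" */
    return ((uint32_t)columns + 3u) * (uint32_t)sizeof(short);
}

int main(void) {
    /* Constructed sample values: a normal fax width and two hostile ones. */
    const int32_t samples[] = { 1728, INT32_MAX, -3 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("columns=%11d unchecked=%10u checked=%10u\n",
               samples[i], unchecked_line_bytes(samples[i]),
               checked_line_bytes(samples[i]));
    }
    return 0;
}
```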

Martin Pitt (pitti) wrote :

breezy fixed in usn-236-1, dapper fixed as well.
