Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 14:03:16 +0100
From: Martin Pitt <email address hidden>
To: Debian BTS Submit <email address hidden>
Cc: <email address hidden>
Subject: poppler: New integer overflows [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]
Package: poppler
Version: 0.4.3-1
Severity: critical
Tags: security patch
Hi!
Chris Evans found some more integer overflows in the xpdf code [1] which affect poppler as well. [1] also has demo exploit PDFs for patch checking.
In addition, upstream used a slightly wrong patch for CVE-2005-3192, I reported that as [2] and included the fix in the latest Ubuntu version.
See [4] for the Ubuntu debdiff. I also forwarded the patch upstream [3].
Thanks,
Martin
[1] http://scary.beasts.org/security/b0dfca810501f2da/CESA-2005-003.txt
[2] https://bugs.freedesktop.org/show_bug.cgi?id=5514
[3] https://bugs.freedesktop.org/show_bug.cgi?id=5516
[4] http://patches.ubuntu.com/patches/poppler.CVE-2005-3624_5_7.diff
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?