Debian Bug report logs - #524806 poppler: multiple vulnerabilities
Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Date: Mon, 20 Apr 2009 02:06:01 UTC
Severity: grave
Tags: patch, security
Fixed in version 0.12.2-1
Done: Moritz Muehlenhoff <jmm@inutil.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>: Bug#524806; Package poppler. (Mon, 20 Apr 2009 02:06:03 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Loic Minier <lool@dooz.org>. (Mon, 20 Apr 2009 02:06:03 GMT)
Message #5 received at submit@bugs.debian.org:
package: poppler
severity: grave
tags: security
hello,
ubuntu recently patched the following poppler issues [0]:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
these are still reserved in the CVE list, but are disclosed at NVD [1].
[0] http://www.ubuntu.com/usn/usn-759-1
[1] http://web.nvd.nist.gov/view/vuln/detail;jsessionid=13611cd10c249e6f7ffe499725ce?execution=e1s1
Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>: Bug#524806; Package poppler. (Wed, 13 May 2009 19:36:02 GMT)
Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>: Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Wed, 13 May 2009 19:36:02 GMT)
Message #10 received at 524806@bugs.debian.org:
Here are the patches Ubuntu used:
http://patches.ubuntu.com/by-release/extracted/intrepid-security/p/poppler/0.8.7-1ubuntu0.2/64_security_jbig2.patch
http://patches.ubuntu.com/by-release/extracted/hardy-security/p/poppler/0.6.4-1ubuntu3.2/104_security_jbig2.patch
http://patches.ubuntu.com/by-release/extracted/dapper-security/p/poppler/0.5.1-0ubuntu7.5/103_security_jbig2.patch
Bug reassigned from package `poppler' to `src:poppler'. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 29 Jun 2009 05:30:02 GMT)
Bug marked as found in version 0.8.7-2. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 29 Jun 2009 05:30:03 GMT)
Bug reassigned from package 'src:poppler' to 'poppler'. Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Sat, 01 Aug 2009 16:45:38 GMT)
Bug no longer marked as found in versions 0.8.7-2. Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Sat, 01 Aug 2009 16:45:39 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>: Bug#524806; Package poppler. (Tue, 04 Aug 2009 06:06:02 GMT)
Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Tue, 04 Aug 2009 06:06:02 GMT)
Message #23 received at 524806@bugs.debian.org:
tag 524806 patch
thanks
derived from ubuntu's 0.5.1 patch, here is a patch set for etch's
0.4.5. i am fairly certain all of these CVEs are addressed in this one.
note vulnerable code not present in etch for CVE-2009-0755/1188.
please test; i've done some basic testing with existing pdfs on my
system, but have by no means done extensive or robust testing.
hopefully nothing's been broken.
this may be useful for the etch r9 point release (if not for a DSA)?
good night,
mike
[115_jbig2_security_update_etch.diff (text/x-diff, attachment)]
Added tag(s) patch. Request was from Michael S Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 04 Aug 2009 06:06:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>: Bug#524806; Package poppler. (Thu, 27 Aug 2009 03:51:03 GMT)
Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Thu, 27 Aug 2009 03:51:03 GMT)
Message #30 received at 524806@bugs.debian.org:
Hi,
A new lenny release is coming soon and there are some open security
issues in poppler that I have fixed. Attached is the debdiff of the
changes.
The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/p/poppler
- Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- dget http://mentors.debian.net/debian/pool/main/p/poppler/poppler_0.8.7-2lenny1.dsc
I would be glad if someone uploaded this package for me.
Kind regards,
Michael Gilbert
[poppler.debdiff (application/octet-stream, attachment)]
Reply sent to Moritz Muehlenhoff <jmm@inutil.org>: You have taken responsibility. (Sun, 29 Nov 2009 20:12:10 GMT)
Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Sun, 29 Nov 2009 20:12:10 GMT)
Message #35 received at 524806-done@bugs.debian.org:
Version: 0.12.2-1
On Sun, Apr 19, 2009 at 10:04:52PM -0400, Michael S. Gilbert wrote:
> package: poppler
> severity: grave
> tags: security
>
> hello,
>
> ubuntu recently patched the following poppler issues [0]:
>
> CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
> CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
> CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
All these issues are fixed in unstable and Lenny.
There's only one poppler security issue still open, for which I'll open a separate bug.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>: Bug#524806; Package poppler. (Sun, 29 Nov 2009 20:48:11 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Sun, 29 Nov 2009 20:48:11 GMT)
Message #40 received at 524806@bugs.debian.org:
> This is an automatic notification regarding your Bug report
> which was filed against the poppler package:
>
> #524806: poppler: multiple vulnerabilities
>
> It has been closed by Moritz Muehlenhoff <jmm@inutil.org>.
> On Sun, Apr 19, 2009 at 10:04:52PM -0400, Michael S. Gilbert wrote:
>> package: poppler
>> severity: grave
>> tags: security
>>
>> hello,
>>
>> ubuntu recently patched the following poppler issues [0]:
>>
>> CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
>> CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
>> CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
>
> All these issues are fixed in unstable and Lenny.
>
> There's only one poppler security still open, for which I'll open a
> separate bug.
note that CVE-2009-1187/1188 are not yet fixed in lenny (although they
are just insecure uses of gmalloc). their urgency could of course be
downgraded (medium now, but i think they could probably be no-dsa).
note that my etch patch does include the fixes for these. see
[0] for the patches.
mike
[0] http://bugs.gentoo.org/show_bug.cgi?id=263028
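The message above characterises CVE-2009-1187/1188 as insecure uses of gmalloc, that is, allocation sizes derived from untrusted image dimensions without an overflow check. The following is an added example and not poppler's code or the patch attached to this bug: it puts a naive 32-bit size computation for a packed 1-bit-per-pixel bitmap next to a widened, bounded version of the kind such fixes introduce. The function names (`unchecked_bitmap_bytes`, `checked_bitmap_bytes`, `alloc_bitmap`, `bitmap_alloc_ok`), the `ALLOC_LIMIT` of `INT_MAX` standing in for an allocator that takes an `int` size, and the 65536 x 524289 dimensions are all constructed for the example.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption for this example: the underlying allocator takes an int size, so
 * no request larger than INT_MAX bytes is ever valid. */
#define ALLOC_LIMIT ((uint64_t)INT_MAX)

/* Byte count of a packed 1-bpp bitmap computed in 32-bit arithmetic with no
 * checks, as a decoder written for modest images might do it. With hostile
 * dimensions the product wraps, a tiny buffer is allocated, and the later
 * pixel writes overrun it. */
uint32_t unchecked_bitmap_bytes(uint32_t w, uint32_t h) {
    uint32_t line = (w + 7) / 8;   /* bytes per row; w + 7 can itself wrap */
    return line * h;               /* wraps silently modulo 2^32 */
}

/* Same computation with every step widened to 64 bits and bounded against the
 * allocator limit. Returns the byte count, or 0 if the dimensions are empty or
 * the product would exceed ALLOC_LIMIT. */
size_t checked_bitmap_bytes(uint32_t w, uint32_t h) {
    if (w == 0 || h == 0) return 0;
    uint64_t line = ((uint64_t)w + 7) / 8;   /* cannot wrap in 64 bits */
    if (line > ALLOC_LIMIT / h) return 0;    /* line * h would exceed the limit */
    return (size_t)(line * h);
}

/* Allocate a zeroed bitmap or return NULL; the size check is the only gate. */
unsigned char *alloc_bitmap(uint32_t w, uint32_t h) {
    size_t bytes = checked_bitmap_bytes(w, h);
    if (bytes == 0) return NULL;
    return calloc(bytes, 1);
}

/* Returns 1 if the bitmap could be allocated (and frees it again), else 0. */
int bitmap_alloc_ok(uint32_t w, uint32_t h) {
    unsigned char *p = alloc_bitmap(w, h);
    if (p == NULL) return 0;
    free(p);
    return 1;
}

int main(void) {
    /* Constructed hostile dimensions: 65536 x 524289 pixels gives 8192 bytes per
     * row times 524289 rows = 2^32 + 8192, which wraps to 8192 in 32 bits. */
    uint32_t w = 65536u, h = 524289u;
    printf("unchecked: %" PRIu32 " bytes for %" PRIu32 "x%" PRIu32 " (wrapped)\n",
           unchecked_bitmap_bytes(w, h), w, h);
    printf("checked:   %zu (0 = rejected)\n", checked_bitmap_bytes(w, h));
    printf("benign 100x50: %zu bytes, alloc ok = %d\n",
           checked_bitmap_bytes(100u, 50u), bitmap_alloc_ok(100u, 50u));
    return 0;
}
```

The check divides the limit by one factor rather than multiplying and comparing, so the comparison itself can never overflow; rejecting zero-sized dimensions up front keeps 0 free as an unambiguous failure value and avoids the implementation-defined result of a zero-byte allocation.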
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Dec 2009 07:27:10 GMT)
Last modified: Wed Jun 19 13:54:01 2019