poppler: multiple vulnerabilities

Debian Bug report logs - #524806

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Mon, 20 Apr 2009 02:06:01 UTC

Severity: grave

Tags: patch, security

Fixed in version 0.12.2-1

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#524806; Package poppler. (Mon, 20 Apr 2009 02:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Loic Minier <lool@dooz.org>. (Mon, 20 Apr 2009 02:06:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: poppler: multiple vulnerabilities
Date: Sun, 19 Apr 2009 22:04:52 -0400
package: poppler
severity: grave
tags: security

hello,

ubuntu recently patched the following poppler issues [0]:

CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188

these are still reserved in the CVE list, but are disclosed at NVD [1].

[0] http://www.ubuntu.com/usn/usn-759-1
[1] http://web.nvd.nist.gov/view/vuln/detail;jsessionid=13611cd10c249e6f7ffe499725ce?execution=e1s1




Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#524806; Package poppler. (Wed, 13 May 2009 19:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Marc Deslauriers <marc.deslauriers@canonical.com>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Wed, 13 May 2009 19:36:02 GMT) (full text, mbox, link).


Message #10 received at 524806@bugs.debian.org (full text, mbox, reply):

From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: 524806@bugs.debian.org
Subject: Re: poppler: multiple vulnerabilities
Date: Wed, 13 May 2009 15:32:34 -0400
Here are the patches Ubuntu used:

http://patches.ubuntu.com/by-release/extracted/intrepid-security/p/poppler/0.8.7-1ubuntu0.2/64_security_jbig2.patch
http://patches.ubuntu.com/by-release/extracted/hardy-security/p/poppler/0.6.4-1ubuntu3.2/104_security_jbig2.patch
http://patches.ubuntu.com/by-release/extracted/dapper-security/p/poppler/0.5.1-0ubuntu7.5/103_security_jbig2.patch







Bug reassigned from package `poppler' to `src:poppler'. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 29 Jun 2009 05:30:02 GMT) (full text, mbox, link).


Bug marked as found in version 0.8.7-2. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Mon, 29 Jun 2009 05:30:03 GMT) (full text, mbox, link).


Bug reassigned from package 'src:poppler' to 'poppler'. Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Sat, 01 Aug 2009 16:45:38 GMT) (full text, mbox, link).


Bug No longer marked as found in versions 0.8.7-2. Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Sat, 01 Aug 2009 16:45:39 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#524806; Package poppler. (Tue, 04 Aug 2009 06:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Tue, 04 Aug 2009 06:06:02 GMT) (full text, mbox, link).


Message #23 received at 524806@bugs.debian.org (full text, mbox, reply):

From: Michael S Gilbert <michael.s.gilbert@gmail.com>
To: 524806@bugs.debian.org, control <control@bugs.debian.org>
Subject: Fwd: etch patch for CVE-2009-0146/147/0166/0799/0800/1179/1180/1181/1182/1183/1187
Date: Tue, 4 Aug 2009 02:03:02 -0400
[Message part 1 (text/plain, inline)]
tag 524806 patch
thanks

derived from ubuntu's 0.5.1 patch, here is a patch set for etch's
0.4.5.  i am fairly certain all of these CVEs are addressed in this one.

note vulnerable code not present in etch for CVE-2009-0755/1188.

please test; i've done some basic testing with existing pdfs on my
system, but have by no means done extensive or robust testing.
hopefully nothing's been broken.

this may be useful for the etch r9 point release (if not for a DSA)?

good night,
mike
[115_jbig2_security_update_etch.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Michael S Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 04 Aug 2009 06:06:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#524806; Package poppler. (Thu, 27 Aug 2009 03:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Thu, 27 Aug 2009 03:51:03 GMT) (full text, mbox, link).


Message #30 received at 524806@bugs.debian.org (full text, mbox, reply):

From: Michael S Gilbert <michael.s.gilbert@gmail.com>
To: 524806@bugs.debian.org
Subject: RFS: sponsor for poppler stable point release
Date: Wed, 26 Aug 2009 23:42:08 -0400
[Message part 1 (text/plain, inline)]
Hi,

A new lenny release is coming soon and there are some open security
issues in poppler that I have fixed.  Attached is the debdiff of the
changes.

The package can be found on mentors.debian.net:
- URL: http://mentors.debian.net/debian/pool/main/p/poppler
- Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
- dget http://mentors.debian.net/debian/pool/main/p/poppler/poppler_0.8.7-2lenny1.dsc

I would be glad if someone uploaded this package for me.

Kind regards,
Michael Gilbert
[poppler.debdiff (application/octet-stream, attachment)]

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Sun, 29 Nov 2009 20:12:10 GMT) (full text, mbox, link).


Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 29 Nov 2009 20:12:10 GMT) (full text, mbox, link).


Message #35 received at 524806-done@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 524806-done@bugs.debian.org
Subject: Re: poppler: multiple vulnerabilities
Date: Sun, 29 Nov 2009 21:07:46 +0100
Version: 0.12.2-1

On Sun, Apr 19, 2009 at 10:04:52PM -0400, Michael S. Gilbert wrote:
> package: poppler
> severity: grave
> tags: security
> 
> hello,
> 
> ubuntu recently patched the following poppler issues [0]:
> 
> CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
> CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
> CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188

All these issues are fixed in unstable and Lenny.

There's only one poppler security issue still open, for which I'll open a
separate bug.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#524806; Package poppler. (Sun, 29 Nov 2009 20:48:11 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>. (Sun, 29 Nov 2009 20:48:11 GMT) (full text, mbox, link).


Message #40 received at 524806@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 524806@bugs.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#524806 closed by Moritz Muehlenhoff <jmm@inutil.org> (Re: poppler: multiple vulnerabilities)
Date: Sun, 29 Nov 2009 15:43:01 -0500
> This is an automatic notification regarding your Bug report
> which was filed against the poppler package:
>
> #524806: poppler: multiple vulnerabilities
>
> It has been closed by Moritz Muehlenhoff <jmm@inutil.org>.
> On Sun, Apr 19, 2009 at 10:04:52PM -0400, Michael S. Gilbert wrote:
>> package: poppler
>> severity: grave
>> tags: security
>> 
>> hello,
>> 
>> ubuntu recently patched the following poppler issues [0]:
>> 
>> CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
>> CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
>> CVE-2009-1182, CVE-2009-1183, CVE-2009-1187, CVE-2009-1188
>
> All these issues are fixed in unstable and Lenny.
>
> There's only one poppler security still open, for which I'll open a
> separate bug.

note that CVE-2009-1187/1188 are not yet fixed in lenny (although they
are just insecure uses of gmalloc).  their urgency could of course be
downgraded (medium now, but i think they could probably be no-dsa).
note that my etch patch does include the fixes for these.  see
[0] for the patches.

mike

[0] http://bugs.gentoo.org/show_bug.cgi?id=263028
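The message above describes CVE-2009-1187/1188 as "insecure uses of gmalloc", i.e. a decoder computing an allocation size from file-supplied counts without checking that the multiplication fits. The following is an added illustration, not poppler's own gmalloc/gmallocn code or any of the patches referenced in this bug: a hypothetical counted allocator that rejects a wrapped size instead of returning an undersized buffer, alongside the unchecked arithmetic it replaces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 when n * size does not fit in a size_t, 0 otherwise.
 * Without this check, width * height * bytes_per_pixel taken from an
 * untrusted image stream can wrap to a small value. */
int count_overflows(size_t n, size_t size)
{
    return size != 0 && n > SIZE_MAX / size;
}

/* The byte count an unchecked "n * size" would actually request.
 * Deliberately unchecked so the wrap-around is visible; comparison only. */
size_t wrapped_request(size_t n, size_t size)
{
    return n * size;
}

/* Hypothetical overflow-checked counted allocation (assumed shape, not
 * poppler's gmallocn): refuses the request rather than silently wrapping.
 * Returns NULL on zero counts, on overflow, or when calloc fails. */
void *checked_mallocn(size_t n, size_t size)
{
    if (n == 0 || size == 0 || count_overflows(n, size))
        return NULL;
    return calloc(n, size);   /* zero-filled, so no stale heap data leaks */
}

/* Convenience for the reader and the test: does the checked allocation
 * succeed for this count and element size? Frees whatever it got. */
int checked_alloc_ok(size_t n, size_t size)
{
    void *p = checked_mallocn(n, size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;   /* constructed: huge * 2 wraps to 0 */
    printf("unchecked request for huge*2 bytes: %zu\n", wrapped_request(huge, 2));
    printf("checked allocation of huge*2:      %s\n",
           checked_alloc_ok(huge, 2) ? "allowed" : "rejected");
    printf("checked allocation of 16*4:        %s\n",
           checked_alloc_ok(16, 4) ? "allowed" : "rejected");
    return 0;
}
```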




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Dec 2009 07:27:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:54:01 2019; Machine Name: buxtehude
