poppler: CVE-2017-9408: memory leak in Object::initArray

Related Vulnerabilities: CVE-2017-9408, CVE-2017-9406, CVE-2017-9775, CVE-2017-9776, CVE-2017-9865, CVE-2017-7511

Debian Bug report logs - #864009

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 3 Jun 2017 03:09:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions poppler/0.26.5-1, poppler/0.48.0-2

Fixed in version poppler/0.57.0-1

Done: Emilio Pozuelo Monfort <pochu@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=100776



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Loic Minier <lool@dooz.org>:
Bug#864009; Package src:poppler. (Sat, 03 Jun 2017 03:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Loic Minier <lool@dooz.org>. (Sat, 03 Jun 2017 03:09:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: poppler: CVE-2017-9408: memory leak in Object::initArray
Date: Sat, 03 Jun 2017 05:06:06 +0200
Source: poppler
Version: 0.48.0-2
Severity: important
Tags: patch security upstream fixed-upstream
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=100776

Hi,

the following vulnerability was published for poppler.

CVE-2017-9408[0]:
| In Poppler 0.54.0, a memory leak vulnerability was found in the
| function Object::initArray in Object.cc, which allows attackers to
| cause a denial of service via a crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
[1] https://bugs.freedesktop.org/show_bug.cgi?id=100776
[2] https://cgit.freedesktop.org/poppler/poppler/commit/?id=b21b041f7948680c03109f0c404400a9dbc4544c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions poppler/0.26.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 04 Jun 2017 03:30:02 GMT)


Added tag(s) pending. Request was from Emilio Pozuelo Monfort <pochu@debian.org> to control@bugs.debian.org. (Mon, 14 Aug 2017 21:00:13 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#864009. (Mon, 14 Aug 2017 21:00:26 GMT)


Message #12 received at 864009-submitter@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 864009-submitter@bugs.debian.org
Subject: Bug#864009 marked as pending
Date: Mon, 14 Aug 2017 20:56:41 +0000

tag 864009 pending
thanks

Hello,

Bug #864009 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-freedesktop/poppler.git/commit/?id=16577b1

---
commit 16577b16095e5b7d94d88b17995549c661b8a95c
Author: Emilio Pozuelo Monfort <pochu@debian.org>
Date:   Mon Aug 14 22:12:11 2017 +0200

    Add changelog entries for security fixes

diff --git a/debian/changelog b/debian/changelog
index 68de67f..f013520 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,16 @@ poppler (0.57.0-1) UNRELEASED; urgency=medium
 
   [ Emilio Pozuelo Monfort ]
   * New upstream release. Closes: #860955.
+  * Fixes:
+    CVE-2017-9406: memory leak parsing XRef entries. Closes: #864010.
+    CVE-2017-9408: memory leak in Object::initArray. Closes: #864009.
+    CVE-2017-9775: stack buffer overflow in GfxState.cc. Closes: #865680.
+    CVE-2017-9776: integer overflow leading to heap buffer overflow
+    in JBIG2Stream.cc. Closes: #865679.
+    CVE-2017-9865: stack buffer overflow in GfxImageColorMap::getGray.
+    Closes: #867477.
+    CVE-2017-7511: pdfunite denial of service due to null pointer
+    dereference. Closes: #863759.
   * debian/patches/upstream_pdfseparate-remove-extra-in-error-message.patch:
     + Dropped, fixed upstream.
   * Update symbols files.
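
Review bot: the six CVE entries under "* Fixes:" are added as bare continuation lines, so the wrapped ones (CVE-2017-9776, CVE-2017-9865, CVE-2017-7511) read as if "in JBIG2Stream.cc. Closes: #865679." or "Closes: #867477." were separate items. The same hunk already uses a "+" sub-item for "Dropped, fixed upstream."; giving each CVE its own "+" sub-item, with the wrapped text indented under it, would keep every Closes: number visibly tied to its CVE.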



Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Tue, 15 Aug 2017 23:03:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 15 Aug 2017 23:03:08 GMT)


Message #17 received at 864009-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 864009-close@bugs.debian.org
Subject: Bug#864009: fixed in poppler 0.57.0-1
Date: Tue, 15 Aug 2017 23:00:12 +0000
Source: poppler
Source-Version: 0.57.0-1

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864009@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 14 Aug 2017 22:19:15 +0200
Source: poppler
Binary: libpoppler68 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0v5 libpoppler-cpp-dev poppler-utils
Architecture: source amd64 all
Version: 0.57.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0v5 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler68 - PDF rendering library
 poppler-utils - PDF utilities (based on Poppler)
Closes: 860955 863759 864009 864010 865679 865680 867477
Changes:
 poppler (0.57.0-1) experimental; urgency=medium
 .
   [ Pino Toscano ]
   * Update Vcs-* fields.
   * Add a lintian override for the "breaks-without-version xpdf-common" in
     poppler-utils, as it is making sure to clean up xpdf-common for upgrades
     to Buster.
 .
   [ Emilio Pozuelo Monfort ]
   * New upstream release. Closes: #860955.
   * Fixes:
     CVE-2017-9406: memory leak parsing XRef entries. Closes: #864010.
     CVE-2017-9408: memory leak in Object::initArray. Closes: #864009.
     CVE-2017-9775: stack buffer overflow in GfxState.cc. Closes: #865680.
     CVE-2017-9776: integer overflow leading to heap buffer overflow
     in JBIG2Stream.cc. Closes: #865679.
     CVE-2017-9865: stack buffer overflow in GfxImageColorMap::getGray.
     Closes: #867477.
     CVE-2017-7511: pdfunite denial of service due to null pointer
     dereference. Closes: #863759.
   * debian/patches/upstream_pdfseparate-remove-extra-in-error-message.patch:
     + Dropped, fixed upstream.
   * Update symbols files.
   * libpoppler64 -> libpoppler68.
   * Re-enable PIE. Looks like Qt5 got fixed.
   * Bump debhelper compat to 10.
     + debhelper now defaults to --with autoreconf.
     + It also defaults to --parallel.
   * Switch to -dbgsym packages.
   * Set the team as maintainer.
   * Add myself to uploaders.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Sep 2017 07:24:47 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:17:55 2019; Machine Name: buxtehude
