poppler: CVE-2008-2950 arbitrary code execution

Related Vulnerabilities: CVE-2008-2950   CVE-2008-2960   CVE-2008-1693  

Debian Bug report logs - #489756


Package: libpoppler3; Maintainer for libpoppler3 is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Mon, 7 Jul 2008 15:33:18 UTC

Severity: grave

Tags: patch, security

Fixed in versions 0.8.2-2+lenny1, poppler/0.8.4-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#489756; Package libpoppler3.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Loic Minier <lool@dooz.org>.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: poppler: CVE-2008-2950 arbitrary code execution
Date: Mon, 7 Jul 2008 17:31:51 +0200

Package: libpoppler3
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for poppler.

CVE-2008-2950[0]:
| The poppler PDF rendering library suffers a memory management bug which leads
| to arbitrary code execution.
| 
| The vulnerability is present in the Page class constructor/destructor. The
| pageWidgets object is not initialized in the Page constructor if specific
| conditions are met, but it is deleted afterwards in the destructor regardless
| of its initialization.
| 
| Specific PDF files can be crafted which allocate arbitrary memory to trigger
| the vulnerability.

This is not yet on the mitre site, in the meantime check out:
http://www.ocert.org/advisories/ocert-2008-007.html
The patch is also available on this website.

A new upstream release to fix this is scheduled on July 30th according
to the maintainer. Please don't wait until then to upload a fixed package.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2950
    http://security-tracker.debian.net/tracker/CVE-2008-2950

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
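
The defect class named in the CVE description above, reduced to a minimal C++ model beside its hardened form. This is an added example, not poppler's code and not part of the original report: only the names Page and pageWidgets come from the advisory, while FormPageWidgets, annotsValid and liveWidgets are assumptions, and the advisory's "specific conditions" are modelled as a single flag.

```cpp
// Added illustration, not poppler source. Only Page and pageWidgets come from the
// advisory; FormPageWidgets, annotsValid and liveWidgets are assumptions.
#include <cstdio>
static int liveWidgets = 0;  // FormPageWidgets objects currently allocated
struct FormPageWidgets {
    FormPageWidgets() { ++liveWidgets; }
    ~FormPageWidgets() { --liveWidgets; }
};

// Vulnerable shape: the error path returns before pageWidgets is assigned,
// yet the destructor deletes it unconditionally.
class VulnerablePage {
public:
    explicit VulnerablePage(bool annotsValid) {
        if (!annotsValid) return;  // pageWidgets keeps whatever the storage held
        pageWidgets = new FormPageWidgets();
    }
    ~VulnerablePage() { delete pageWidgets; }  // undefined on the error path
private:
    FormPageWidgets *pageWidgets;
};

// Hardened shape: the pointer is null before any early exit can happen.
class FixedPage {
public:
    explicit FixedPage(bool annotsValid) : pageWidgets(nullptr) {
        if (!annotsValid) return;
        pageWidgets = new FormPageWidgets();
    }
    ~FixedPage() { delete pageWidgets; }  // deleting nullptr is a no-op
    bool hasWidgets() const { return pageWidgets != nullptr; }
private:
    FormPageWidgets *pageWidgets;
};

// Runs both constructor paths of FixedPage; returns widgets still live (0 = clean).
int exerciseFixedPage() {
    {
        FixedPage failed(false), ok(true);
        if (failed.hasWidgets() || !ok.hasWidgets() || liveWidgets != 1)
            return -1;
    }
    return liveWidgets;
}

// The normal path of VulnerablePage is well defined, which is why the defect hides.
int exerciseVulnerableNormalPath() {
    { VulnerablePage ok(true); }
    return liveWidgets;
}

int main() {
    std::printf("leaked: %d %d\n", exerciseFixedPage(), exerciseVulnerableNormalPath());
}
```

VulnerablePage(false) is deliberately never constructed here, because destroying it is undefined behaviour; Valgrind's memcheck reports that kind of use of an uninitialised value.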

Bug marked as fixed in version 0.8.2-2+lenny1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 07 Jul 2008 15:39:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#489756; Package libpoppler3.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>.

Message #12 received at 489756@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 489756@bugs.debian.org
Subject: intent to NMU
Date: Wed, 9 Jul 2008 00:27:41 +0200

Hi,
I intend to upload an NMU to fix this bug.
debdiff attached and archived on:
http://people.debian.org/~nion/nmu-diff/poppler-0.8.4-1_0.8.4-1.1.patch

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[poppler-0.8.4-1_0.8.4-1.1.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#489756; Package libpoppler3.

Acknowledgement sent to Wichert Akkerman <wichert@wiggy.net>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>.

Message #17 received at 489756@bugs.debian.org:

From: Wichert Akkerman <wichert@wiggy.net>
To: 489756@bugs.debian.org
Cc: team@security.debian.org, hosting@jarn.com
Subject: poppler CVE-2008-2950 in etch
Date: Wed, 09 Jul 2008 12:04:01 +0200
I see CVE-2008-2960 reported in the BTS as #489756 but I see no mention 
of a fix for stable. Is someone working on a DSA for stable?

Wichert.

-- 
Wichert Akkerman <wichert@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.

Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#489756; Package libpoppler3.

Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>.

Message #22 received at 489756@bugs.debian.org:

From: Steve Kemp <skx@debian.org>
To: Wichert Akkerman <wichert@wiggy.net>
Cc: 489756@bugs.debian.org, team@security.debian.org, hosting@jarn.com
Subject: Re: poppler CVE-2008-2950 in etch
Date: Wed, 9 Jul 2008 11:12:12 +0100
On Wed Jul 09, 2008 at 12:04:01 +0200, Wichert Akkerman wrote:
> I see CVE-2008-2960 reported in the BTS as #489756 but I see no mention  
> of a fix for stable. Is someone working on a DSA for stable?

  There isn't one in progress.  Tonight there will be a release of
 an update to handle CVE-2008-1693.  I guess that will be the next
 one.

Steve
-- 

Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#489756; Package libpoppler3.

Acknowledgement sent to Wichert Akkerman <wichert@wiggy.net>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>.

Message #27 received at 489756@bugs.debian.org:

From: Wichert Akkerman <wichert@wiggy.net>
To: Steve Kemp <skx@debian.org>
Cc: Wichert Akkerman <wichert@wiggy.net>, 489756@bugs.debian.org, team@security.debian.org, hosting@jarn.com
Subject: Re: poppler CVE-2008-2950 in etch
Date: Wed, 09 Jul 2008 13:09:26 +0200

Hi Steve,

Steve Kemp wrote:
> On Wed Jul 09, 2008 at 12:04:01 +0200, Wichert Akkerman wrote:
>   
>> I see CVE-2008-2960 reported in the BTS as #489756 but I see no mention  
>> of a fix for stable. Is someone working on a DSA for stable?
>>     
>
>   There isn't one in progress.  Tonight there will be a release of
>  an update to handle CVE-2008-1693.  I guess that will be the next
>  one.
>   

thanks for the update. I'll (im)patiently await the CVE-2008-2960 DSA.

Wichert.

-- 
Wichert Akkerman <wichert@wiggy.net>    It is simple to make things.
http://www.wiggy.net/                   It is hard to make things simple.



Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#489756; Package libpoppler3.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>.

Message #32 received at 489756@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Wichert Akkerman <wichert@wiggy.net>
Cc: 489756@bugs.debian.org, team@security.debian.org, hosting@jarn.com
Subject: Re: poppler CVE-2008-2950 in etch
Date: Wed, 9 Jul 2008 13:23:41 +0200

Hi Wichert,
* Wichert Akkerman <wichert@wiggy.net> [2008-07-09 13:12]:
> Steve Kemp wrote:
> >On Wed Jul 09, 2008 at 12:04:01 +0200, Wichert Akkerman wrote:
> >  
> >>I see CVE-2008-2960 reported in the BTS as #489756 but I see no mention  of a 
> >>fix for stable. Is someone working on a DSA for stable?
> >>    
> >
> >  There isn't one in progress.  Tonight there will be a release of
> > an update to handle CVE-2008-1693.  I guess that will be the next
> > one.
> 
> thanks for the update. I'll (im)patiently await the CVE-2008-2960 DSA.

As far as I know white already uploaded a DSA build which 
just waits to get checked & released.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #37 received at 489756-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 489756-close@bugs.debian.org
Subject: Bug#489756: fixed in poppler 0.8.4-1.1
Date: Wed, 09 Jul 2008 11:17:04 +0000
Source: poppler
Source-Version: 0.8.4-1.1

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive:

libpoppler-dev_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/libpoppler-dev_0.8.4-1.1_amd64.deb
libpoppler-glib-dev_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/libpoppler-glib-dev_0.8.4-1.1_amd64.deb
libpoppler-glib3_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/libpoppler-glib3_0.8.4-1.1_amd64.deb
libpoppler-qt-dev_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt-dev_0.8.4-1.1_amd64.deb
libpoppler-qt2_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt2_0.8.4-1.1_amd64.deb
libpoppler-qt4-3_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt4-3_0.8.4-1.1_amd64.deb
libpoppler-qt4-dev_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt4-dev_0.8.4-1.1_amd64.deb
libpoppler3_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/libpoppler3_0.8.4-1.1_amd64.deb
poppler-dbg_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/poppler-dbg_0.8.4-1.1_amd64.deb
poppler-utils_0.8.4-1.1_amd64.deb
  to pool/main/p/poppler/poppler-utils_0.8.4-1.1_amd64.deb
poppler_0.8.4-1.1.diff.gz
  to pool/main/p/poppler/poppler_0.8.4-1.1.diff.gz
poppler_0.8.4-1.1.dsc
  to pool/main/p/poppler/poppler_0.8.4-1.1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 489756@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 09 Jul 2008 00:09:10 +0200
Source: poppler
Binary: libpoppler3 libpoppler-dev libpoppler-glib3 libpoppler-glib-dev libpoppler-qt2 libpoppler-qt-dev libpoppler-qt4-3 libpoppler-qt4-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.8.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib3 - PDF rendering library (GLib-based shared library)
 libpoppler-qt-dev - PDF rendering library -- development files (Qt 3 interface)
 libpoppler-qt2 - PDF rendering library (Qt 3 based shared library)
 libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler3 - PDF rendering library
 poppler-dbg - PDF rendering library - detached debugging symbols
 poppler-utils - PDF utilitites (based on libpoppler)
Closes: 489756
Changes: 
 poppler (0.8.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix missing pageWidgets object initialization that could lead to arbitrary
     code execution by a crafted PDF file when the Page destructor deletes
     the object which has not been initialized before
     (CVE-2008-2950.patch; Closes: #489756).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkh0m2cACgkQHYflSXNkfP+9EwCgseGWHr1QNpvX/Qvdf81W5MaT
GHgAn2gZJO9MxvLRLIdIryQ40OrPkZD1
=bW0p
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Loic Minier <lool@dooz.org>:
Bug#489756; Package libpoppler3.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Loic Minier <lool@dooz.org>.

Message #42 received at 489756@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Wichert Akkerman <wichert@wiggy.net>
Cc: Steve Kemp <skx@debian.org>, 489756@bugs.debian.org, team@security.debian.org, hosting@jarn.com
Subject: Re: poppler CVE-2008-2950 in etch
Date: Thu, 10 Jul 2008 00:40:14 +1000

Hi

Sorry for the delay, but I was relocating to Australia, which unfortunately 
takes some time :/

> > On Wed Jul 09, 2008 at 12:04:01 +0200, Wichert Akkerman wrote:
> >> I see CVE-2008-2960 reported in the BTS as #489756 but I see no mention
> >> of a fix for stable. Is someone working on a DSA for stable?
> >
> >   There isn't one in progress.  Tonight there will be a release of
> >  an update to handle CVE-2008-1693.  I guess that will be the next
> >  one.
>
> thanks for the update. I'll (im)patiently await the CVE-2008-2960 DSA.

etch is not affected by this vulnerability, thus I didn't include it in the 
latest DSA upload. The DTSA was prepared, because it was vulnerable in lenny 
and the issue was embargoed, thus no fix could be uploaded to unstable yet.
I have now marked it in the tracker accordingly.

Hope this information helps.

Cheers
Steffen

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 20 Aug 2008 07:32:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:15:42 2019; Machine Name: beach
