CVE-2007-4352, CVE-2007-5392, CVE-2007-5393 multiple vulnerabilities leading to arbitrary code execution

Related Vulnerabilities: CVE-2007-4352, CVE-2007-5392, CVE-2007-5393

Debian Bug report logs - #450628
Reported by: Nico Golde <nion@debian.org>

Date: Thu, 8 Nov 2007 17:27:04 UTC

Severity: grave

Tags: security

Found in versions 0.6.1-1, 0.5.4-6.2

Fixed in version poppler/0.6.2-1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Ondřej Surý <ondrej@debian.org>:
Bug#450628; Package poppler.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Ondřej Surý <ondrej@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4352, CVE-2007-5392, CVE-2007-5393 multiple vulnerabilities leading to arbitrary code execution
Date: Thu, 8 Nov 2007 18:19:29 +0100
Package: poppler
Version: 0.6.1-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for poppler.

CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.

CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in 
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows 
| remote attackers to execute arbitrary code via a crafted PDF 
| file, resulting in a heap-based buffer overflow.

CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar 
| method in xpdf/Stream.cc in Xpdf 3.02 with 
| xpdf-3.02pl1.patch allows remote attackers to execute 
| arbitrary code via a PDF file that contains a crafted 
| CCITTFaxDecode filter.

Since poppler includes the xpdf code it should be affected.

If you fix these vulnerabilities, please also include the CVE ids
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug marked as found in version 0.5.4-6.2. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 08 Nov 2007 17:45:06 GMT)


Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #12 received at 450628-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 450628-close@bugs.debian.org
Subject: Bug#450628: fixed in poppler 0.6.2-1
Date: Thu, 15 Nov 2007 13:32:02 +0000
Source: poppler
Source-Version: 0.6.2-1

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive:

libpoppler-dev_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-dev_0.6.2-1_amd64.deb
libpoppler-glib-dev_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-glib-dev_0.6.2-1_amd64.deb
libpoppler-glib2_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-glib2_0.6.2-1_amd64.deb
libpoppler-qt-dev_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt-dev_0.6.2-1_amd64.deb
libpoppler-qt2_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt2_0.6.2-1_amd64.deb
libpoppler-qt4-2_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt4-2_0.6.2-1_amd64.deb
libpoppler-qt4-dev_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler-qt4-dev_0.6.2-1_amd64.deb
libpoppler2_0.6.2-1_amd64.deb
  to pool/main/p/poppler/libpoppler2_0.6.2-1_amd64.deb
poppler-utils_0.6.2-1_amd64.deb
  to pool/main/p/poppler/poppler-utils_0.6.2-1_amd64.deb
poppler_0.6.2-1.diff.gz
  to pool/main/p/poppler/poppler_0.6.2-1.diff.gz
poppler_0.6.2-1.dsc
  to pool/main/p/poppler/poppler_0.6.2-1.dsc
poppler_0.6.2.orig.tar.gz
  to pool/main/p/poppler/poppler_0.6.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 450628@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 14 Nov 2007 11:20:07 +0100
Source: poppler
Binary: libpoppler-qt2 libpoppler-glib-dev poppler-utils libpoppler-qt4-dev libpoppler2 libpoppler-qt4-2 libpoppler-glib2 libpoppler-dev libpoppler-qt-dev
Architecture: source amd64
Version: 0.6.2-1
Distribution: unstable
Urgency: low
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib2 - PDF rendering library (GLib-based shared library)
 libpoppler-qt-dev - PDF rendering library -- development files (Qt 3 interface)
 libpoppler-qt2 - PDF rendering library (Qt 3 based shared library)
 libpoppler-qt4-2 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler2 - PDF rendering library
 poppler-utils - PDF utilitites (based on libpoppler)
Closes: 347789 440936 447992 450628
Changes: 
 poppler (0.6.2-1) unstable; urgency=low
 .
   * New upstream version. (Closes: #447992)
   * Dependency on xpdfrc was removed on 2007-02-25 (Closes: #347789, #440936)
   * Changes since 0.6.1:
     - Fix CVE-2007-4352, CVE-2007-5392 and CVE-2007-5393 (Closes: #450628)
     - Fix a crash on documents with wrong CCITTFaxStream
     - Fix a crash in the Cairo renderer with invalid embedded fonts
     - Fix a crash with invalid TrueType fonts
     - Check if font is inside the clip area before rendering
       it to a temporary bitmap in the Splash renderer. Fixes crashes on
       incorrect documents
     - Do not use exit(1) on DCTStream errors
     - Detect form fields at any depth level
     - Do not generate appearance stream for radio buttons that are not active
Files: 
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 Jan 2008 07:28:43 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:55:13 2019; Machine Name: beach
