poppler: CVE-2018-20662

Debian Bug report logs - #918158


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 3 Jan 2019 21:57:01 UTC

Severity: normal

Tags: security, upstream

Found in version poppler/0.69.0-2

Fixed in version poppler/0.71.0-4

Done: Moritz Muehlenhoff <jmm@debian.org>

Forwarded to https://gitlab.freedesktop.org/poppler/poppler/issues/706



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>:
Bug#918158; Package src:poppler. (Thu, 03 Jan 2019 21:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>. (Thu, 03 Jan 2019 21:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: poppler: CVE-2018-20662
Date: Thu, 03 Jan 2019 22:52:13 +0100
Source: poppler
Version: 0.69.0-2
Severity: normal
Tags: security upstream
Forwarded: https://gitlab.freedesktop.org/poppler/poppler/issues/706

Hi,

The following vulnerability was published for poppler.

CVE-2018-20662[0]:
| In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause
| a denial-of-service (application crash caused by Object.h SIGABRT,
| because of a wrong return value from PDFDoc::setup) by crafting a PDF
| file in which an xref data structure is mishandled during
| extractPDFSubtype processing.

Please note that the initial approach upstream committed was reverted
again, because it caused regressions on some files.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20662
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20662
[1] https://gitlab.freedesktop.org/poppler/poppler/issues/706

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Moritz Muehlenhoff <jmm@debian.org>:
You have taken responsibility. (Thu, 23 May 2019 21:21:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 23 May 2019 21:21:11 GMT)


Message #10 received at 918158-close@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 918158-close@bugs.debian.org
Subject: Bug#918158: fixed in poppler 0.71.0-4
Date: Thu, 23 May 2019 21:19:55 +0000
Source: poppler
Source-Version: 0.71.0-4

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918158@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 23 May 2019 22:18:49 +0200
Source: poppler
Binary: gir1.2-poppler-0.18 libpoppler-cpp-dev libpoppler-cpp0v5 libpoppler-cpp0v5-dbgsym libpoppler-dev libpoppler-glib-dev libpoppler-glib-doc libpoppler-glib8 libpoppler-glib8-dbgsym libpoppler-private-dev libpoppler-qt5-1 libpoppler-qt5-1-dbgsym libpoppler-qt5-dev libpoppler82 libpoppler82-dbgsym poppler-utils poppler-utils-dbgsym
Architecture: source amd64 all
Version: 0.71.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <jmm@debian.org>
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0v5 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler82 - PDF rendering library
 poppler-utils - PDF utilities (based on Poppler)
Closes: 909802 917325 917525 918158 921215 923414 926532 926673
Changes:
 poppler (0.71.0-4) unstable; urgency=medium
 .
   * CVE-2018-16646 (Closes: #909802)
   * CVE-2018-20481 (Closes: #917325)
   * CVE-2018-20551 (Closes: #917525)
   * CVE-2018-20662 (Closes: #918158)
   * CVE-2019-7310  (Closes: #921215)
   * CVE-2019-9200  (Closes: #923414)
   * CVE-2019-9631  (Closes: #926673)
   * CVE-2019-10873 (Closes: #926532)
Checksums-Sha1:
 0b8a1da69437697603f1571df256b8b7481ee611 3290 poppler_0.71.0-4.dsc
 d9f12813523b21bb0f858d6ecd75548ea6b03f85 37652 poppler_0.71.0-4.debian.tar.xz
 e5ceb3d310914c0edc81354043138c86bb66e5e9 37956 gir1.2-poppler-0.18_0.71.0-4_amd64.deb
 f61243aa63b676bed94045622fccb9a6ab3afec5 28400 libpoppler-cpp-dev_0.71.0-4_amd64.deb
 71153b9fa7e5db12b2546869e0775987cba4f6f0 804248 libpoppler-cpp0v5-dbgsym_0.71.0-4_amd64.deb
 7bd4ea8e5907eb6e6d81c9726d9278d7ec51c35e 52152 libpoppler-cpp0v5_0.71.0-4_amd64.deb
 1daf3e424e5f76ddb8306fcc122cfe846a59c792 23624 libpoppler-dev_0.71.0-4_amd64.deb
 f1fdfcd37fe177614be1980ae04e98263af842cc 68404 libpoppler-glib-dev_0.71.0-4_amd64.deb
 178edde890da3d0ae24f5dfe9efe8b699ddc6209 91400 libpoppler-glib-doc_0.71.0-4_all.deb
 7a4353c48d2dd8c202899c4465aff72814c86a74 1685844 libpoppler-glib8-dbgsym_0.71.0-4_amd64.deb
 240652663e188985a0f616a6a23525f241e20811 124280 libpoppler-glib8_0.71.0-4_amd64.deb
 8fd1b78e54f08611c8c77aec09facb96d4ea3b24 187508 libpoppler-private-dev_0.71.0-4_amd64.deb
 67d5d6fee9005f1aa8bd05d7bb31c458c20c48a7 4289704 libpoppler-qt5-1-dbgsym_0.71.0-4_amd64.deb
 788c1e09e46595e6b3f41879ec492b2456404a1f 157476 libpoppler-qt5-1_0.71.0-4_amd64.deb
 048a4c4d3c63b9c291cc48a157e03e629962ad3c 51884 libpoppler-qt5-dev_0.71.0-4_amd64.deb
 bed23d49587ac0b46d64058d92ed845a61812ea1 7795580 libpoppler82-dbgsym_0.71.0-4_amd64.deb
 358a59400a6b01ab95f4de3033541f910579b461 1507340 libpoppler82_0.71.0-4_amd64.deb
 8c072c41b2c86e1524aff9f079181e46a3a67a9e 2948548 poppler-utils-dbgsym_0.71.0-4_amd64.deb
 ac3e4b9fcb1cae312bf69e45953bd371151fdff4 184024 poppler-utils_0.71.0-4_amd64.deb
 082f6b1e2311dbd96c8c515559afe2f2adfbd3b9 18368 poppler_0.71.0-4_amd64.buildinfo
Checksums-Sha256:
 703b097fce34afb3037c4df1d2228bc600f396e310796a988a2af78128e21501 3290 poppler_0.71.0-4.dsc
 f8d5d494c9b7a945fb5462efea5547890a1f02f4c5be01d2daacdc0b5ed31cbb 37652 poppler_0.71.0-4.debian.tar.xz
 8f639482f453bf8d7f01b839497d585b1065a20fb48395cdb576b196ec4df814 37956 gir1.2-poppler-0.18_0.71.0-4_amd64.deb
 fb15afb5ca8c4e3733614974986fab35a31410385455b63ae1677554b2657ee1 28400 libpoppler-cpp-dev_0.71.0-4_amd64.deb
 326f7390082ac0c89dda51451453db5b8e26f1a113ed21757c599e9acaec8503 804248 libpoppler-cpp0v5-dbgsym_0.71.0-4_amd64.deb
 808720755f77bea4f5c5c12e68529ce76b4296ea15b03bb1013c188287919c3e 52152 libpoppler-cpp0v5_0.71.0-4_amd64.deb
 425519aeb3cd09adb2c66e79e320d3c97a0bbb6c7119f05d687f76dcf7110fb0 23624 libpoppler-dev_0.71.0-4_amd64.deb
 792ba10adcb99a5b17982db59d6b12ceb84d1cee2124187fa096f32a71d3bc91 68404 libpoppler-glib-dev_0.71.0-4_amd64.deb
 f6a5d8a410819aba8ed074948fc6bffa0f55d67b5f2a666a9d145faf8296125a 91400 libpoppler-glib-doc_0.71.0-4_all.deb
 7c6bf6018c43c554dbc0ec6917270bd606371ec2852e570e517346dd39cd4e30 1685844 libpoppler-glib8-dbgsym_0.71.0-4_amd64.deb
 16134a56bcd504bd13de95a56f0ac3ff3da81dfbdc2a08e3376952429a72e87e 124280 libpoppler-glib8_0.71.0-4_amd64.deb
 c00a289e9518b5e26455f1ceb3840fcfb723d35ee49719a99ddc9b40f00b9de3 187508 libpoppler-private-dev_0.71.0-4_amd64.deb
 43d01241841c1cde0a8881d8b1c7da75a1ad41441401189428b6337aebaa5dff 4289704 libpoppler-qt5-1-dbgsym_0.71.0-4_amd64.deb
 6ac1c0b7bbb1a1607a18164686b44369b3bfed3c926ff630acef235218256455 157476 libpoppler-qt5-1_0.71.0-4_amd64.deb
 fbb8ac3639d02e124ea40063b288be8db2dc0013a98176d34e299c4ed91b70dd 51884 libpoppler-qt5-dev_0.71.0-4_amd64.deb
 0090b9f336f1b33b92a19db2687c0ea82bdd156a6133e5ef934789aa51bc2b55 7795580 libpoppler82-dbgsym_0.71.0-4_amd64.deb
 73d588a2df23372cbb4029900f4cf23bdd35bed1c1c9081c0df22b42517b766e 1507340 libpoppler82_0.71.0-4_amd64.deb
 23304ac9545b5b008f7097ab4954664e1a2057c594527269d78bc60e2a2c396f 2948548 poppler-utils-dbgsym_0.71.0-4_amd64.deb
 9535990312277e534483e24ec481acc36f622d67d5ff32c064ece46a7beb2532 184024 poppler-utils_0.71.0-4_amd64.deb
 c58412e55244046e0e47b9ddc500a291cbe14b3b598b0bb69d0faecf618f0ff1 18368 poppler_0.71.0-4_amd64.buildinfo
Files:
 b004370db5455c1565d754ddee75f962 3290 devel optional poppler_0.71.0-4.dsc
 35fe83f7a5b79826af4956bce254f51f 37652 devel optional poppler_0.71.0-4.debian.tar.xz
 4898294981c5a6411ba3572bc61f2cec 37956 introspection optional gir1.2-poppler-0.18_0.71.0-4_amd64.deb
 10c9de86e4f8791207d3677eadf84976 28400 libdevel optional libpoppler-cpp-dev_0.71.0-4_amd64.deb
 9f5b704b855d5a771fc9c8e21f02965e 804248 debug optional libpoppler-cpp0v5-dbgsym_0.71.0-4_amd64.deb
 fdaed75260de35ce85f4395ecb645681 52152 libs optional libpoppler-cpp0v5_0.71.0-4_amd64.deb
 5881a8e9fad737243e6d782223e7c3e0 23624 libdevel optional libpoppler-dev_0.71.0-4_amd64.deb
 571415d53cb0b46d88770c99305a864c 68404 libdevel optional libpoppler-glib-dev_0.71.0-4_amd64.deb
 327f9c5e50e6cbee9153e5b71055cd9a 91400 doc optional libpoppler-glib-doc_0.71.0-4_all.deb
 9314d50a200379155b440a153f6a88c6 1685844 debug optional libpoppler-glib8-dbgsym_0.71.0-4_amd64.deb
 3fce691e26cb50fdd9273584bac13c5c 124280 libs optional libpoppler-glib8_0.71.0-4_amd64.deb
 d3447d16cb3fe5200256c3a16e9d2463 187508 libdevel optional libpoppler-private-dev_0.71.0-4_amd64.deb
 8c80a76c04b7d7fb4dd3783eab73dafa 4289704 debug optional libpoppler-qt5-1-dbgsym_0.71.0-4_amd64.deb
 a51d615ad4e7e9d57b8d3930591aac4f 157476 libs optional libpoppler-qt5-1_0.71.0-4_amd64.deb
 23ec4c5b4f66d0e7d51df848fe05c054 51884 libdevel optional libpoppler-qt5-dev_0.71.0-4_amd64.deb
 7ec6bb592942c645e37725643cf776c9 7795580 debug optional libpoppler82-dbgsym_0.71.0-4_amd64.deb
 5653cbd192cb3e9553600e2a998e67ab 1507340 libs optional libpoppler82_0.71.0-4_amd64.deb
 6f39c77a61ce246925cbb6edd985cc9e 2948548 debug optional poppler-utils-dbgsym_0.71.0-4_amd64.deb
 11e8789df37ba7a96fe7048914022d8b 184024 utils optional poppler-utils_0.71.0-4_amd64.deb
 65b3647c402c08a1e5c2441056aa5407 18368 devel optional poppler_0.71.0-4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:35:42 2019; Machine Name: beach
