New Debian poppler 0.48.0-2+deb9u4 fixes:

This update addresses the following issues:
* NULL pointer dereference in the AnnotRichMedia::Content::Content (CVE-2017-14926)
* NULL pointer dereference in the AnnotRichMedia::Configuration::Configuration (CVE-2017-14928)
* reachable abort in Object.h (CVE-2018-19058)
* reachable Object::dictLookup assertion in FileSpec class in FileSpec.cc (CVE-2018-20650)
* SIGABRT PDFDoc::setup class in PDFDoc.cc (CVE-2018-20662)
* heap-based buffer over-read in XRef::getEntry in XRef.cc (CVE-2019-7310)
* integer overflow in JPXStream::init function leading to memory consumption (CVE-2019-9959)
* An issue was discovered in Xpdf 4.01.01. There is an FPE in the function PostScriptFunction::exec at Function.cc for the psOpIdiv case. (CVE-2019-10018)
* divide-by-zero in function SplashOutputDev::tilingPatternFill in SplashOutputDev.cc (CVE-2019-14494)
--- mirror/ftp/4.4/unmaintained/4.4-6/source/poppler_0.48.0-2+deb9u3.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/poppler_0.48.0-2+deb9u4.dsc 
@@ -1,3 +1,44 @@ +0.48.0-2+deb9u4 [Sun, 08 Nov 2020 17:12:52 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * CVE-2019-9959: + The JPXStream::init function in Poppler doesn't check for negative values + of stream length, leading to an Integer Overflow, thereby making it + possible to allocate a large memory chunk on the heap, with a size + controlled by an attacker, as demonstrated by pdftocairo. + * CVE-2019-7310: + In Poppler, a heap-based buffer over-read (due to an integer signedness + error in the XRef::getEntry function in XRef.cc) allows remote attackers to + cause a denial of service (application crash) or possibly have unspecified + other impact via a crafted PDF document, as demonstrated by pdftocairo. + * CVE-2019-14494: + There is a divide-by-zero error in the function + SplashOutputDev::tilingPatternFill at SplashOutputDev.cc. + * CVE-2019-10018: + There is an FPE in the function PostScriptFunction::exec at Function.cc for + the psOpIdiv case. + * CVE-2018-20662: + PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service + (application crash caused by Object.h SIGABRT, because of a wrong return + value from PDFDoc::setup) by crafting a PDF file in which an xref data + structure is mishandled during extractPDFSubtype processing. + * CVE-2018-20650: + A reachable Object::dictLookup assertion in Poppler allows attackers to + cause a denial of service due to the lack of a check for the dict data + type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in + pdfdetach. + * CVE-2018-19058: + There is a reachable abort in Object.h, which will lead to denial of + service because EmbFile::save2 in FileSpec.cc lacks a stream check before + saving an embedded file. + * CVE-2017-14928: + A NULL Pointer Dereference exists in + AnnotRichMedia::Configuration::Configuration in Annot.cc via a crafted PDF + document. 
+ * CVE-2017-14926: + In Poppler 0.59.0, a NULL Pointer Dereference exists in + AnnotRichMedia::Content::Content in Annot.cc via a crafted PDF document. + 0.48.0-2+deb9u3 [Thu, 23 Jul 2020 10:58:44 +0200] Emilio Pozuelo Monfort <pochu@debian.org>: * CVE-2018-21009: integer overflow in Parser::makeStream. <http://10.200.17.11/4.4-6/#8808937717827543474>
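Review bot: in the new 0.48.0-2+deb9u4 entry, the CVE-2017-14926 item keeps the upstream wording "In Poppler 0.59.0", which reads as if the issue belonged to a version other than the 0.48.0 package being uploaded; drop the version or say that the fix applies to 0.48.0. The items for this upload also restate the CVE descriptions without naming the patch or upstream commit applied for each, so the changelog alone does not show which change closes which CVE; a per-item reference would make the entry auditable.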
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-6] 3370b4beda Bug #52327: yaml
 doc/errata/staging/poppler.yaml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x801>