Bug 46153 - poppler: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
URL: http://metadata.ftp-master.debian.org...
Reported: 2018-01-24 20:59 CET by Philipp Hahn
Modified: 2018-05-08 14:56 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)


Description Philipp Hahn univentionstaff 2018-01-24 20:59:15 CET
poppler (0.26.5-2+deb8u2)

* CVE-2017-9406 poppler: Memory leak in the gmalloc function in gmem.cc
* CVE-2017-9408 poppler: Memory leak in the Object::initArray function
* CVE-2017-9775 poppler: Stack-buffer overflow in GfxState.cc
* CVE-2017-9776 poppler: Integer overflow in JBIG2Stream.cc
* CVE-2017-9865 poppler: Buffer over-read in the GfxImageColorMap::getGray function
* CVE-2017-14517 poppler: NULL pointer dereference in the XRef::parseEntry() function
* CVE-2017-14518 poppler: Floating point exception in the isImageInterpolationRequired() function
* CVE-2017-14519 poppler: Memory corruption via Gfx.cc infinite loop
* CVE-2017-14520 poppler: Floating point exception in Splash::scaleImageYuXd() function in Splash.cc
* CVE-2017-14617 poppler: Floating point exception in the ImageStream class
* CVE-2017-14975 poppler: NULL pointer dereference in the FoFiType1C::convertToType0 function
* CVE-2017-14976 poppler: Heap-based buffer over-read in the FoFiType1C::convertToType0 function
* CVE-2017-14977 poppler: NULL pointer dereference in the FoFiTrueType::getCFFBlock function
* CVE-2017-15565 poppler: NULL pointer dereference in the GfxImageColorMap::getGrayLine() function
Comment 1 Philipp Hahn univentionstaff 2018-01-25 10:59:31 CET
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
Comment 2 Philipp Hahn univentionstaff 2018-01-25 14:53:53 CET
0.26.5-2+deb8u3 

* Fix regression in fix for CVE-2017-14519
* CVE-2017-14929 poppler: Memory corruption via Gfx.cc infinite loop
* CVE-2017-1000456 poppler: Invalid read in TextPool::addWord() causes crash and can lead to overflow in subsequent calculations

* CVE-2017-1000456
* CVE-2017-14929

34fd59e804 Bug #46153: poppler
Comment 3 Philipp Hahn univentionstaff 2018-04-16 16:09:01 CEST
[4.2-3] 8dd8ff40c5 Bug #46153: poppler 0.26.5-2+deb8u4
 Regression fix
Comment 4 Quality Assurance univentionstaff 2018-05-04 16:58:10 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/poppler_0.26.5-2+deb8u1.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/poppler_0.26.5-2+deb8u4.dsc
@@ -1,3 +1,51 @@
+0.26.5-2+deb8u4 [Thu, 12 Apr 2018 11:19:50 +0200] Salvatore Bonaccorso <carnil@debian.org>:
+
+  * Non-maintainer upload by the Security Team.
+  * Correct patch for CVE-2017-9776.
+    Fixes "[regression] Broken rendering of scan PDF from Xerox WorkCentre
+    5945". (Closes: #890826)
+
+0.26.5-2+deb8u3 [Tue, 22 Jan 2018 23:45:05 +0100] Moritz Muehlenhoff <jmm@debian.org>:
+
+  * Fix regression in fix for CVE-2017-14519
+  * CVE-2017-1000456
+  * CVE-2017-14929
+
+0.26.5-2+deb8u2 [Sat, 02 Dec 2017 07:34:06 +0100] Santiago R.R. <santiagorr@riseup.net>:
+
+  * Fix CVE-2017-9406: a memory leak vulnerability was found in the function
+    gmalloc in gmem.cc, which allows attackers to cause a denial of service
+    via a crafted file.
+  * Fix CVE-2017-9408: memory leak in the function Object::initArray in
+    Object.cc that allows attackers to cause a DoS via a crafted file.
+  * Fix CVE-2017-9775: Stack buffer overflow in GfxState.cc in pdftocairo that
+    allows remote attackers to cause a denial of service (application crash)
+    via a crafted PDF document.
+  * Fix CVE-2017-9776: Integer overflow leading to Heap buffer overflow in
+    JBIG2Stream.cc in pdftocairo allows remote attackers to cause a denial of
+    service (application crash) or possibly have unspecified other impact via a
+    crafted PDF document.
+  * Fix CVE-2017-9865: The function GfxImageColorMap::getGray in GfxState.cc
+    allows remote attackers to cause a denial of service (stack-based buffer
+    over-read and application crash) via a crafted PDF document
+  * Fix CVE-2017-14517: NULL pointer dereference vulnerability in the
+    XRef::parseEntry() function in XRef.cc
+  * Fix CVE-2017-14518: Floating point exception in the
+    isImageInterpolationRequired() function in Splash.cc
+  * Fix CVE-2017-14519: A memory corruption may occur in a call to
+    Object::streamGetChar
+  * Fix CVE-2017-14520: Floating point exception in Splash::scaleImageYuXd()
+  * Fix CVE-2017-14617: Floating point exception in the ImageStream class in
+    Stream.cc
+  * Fix CVE-2017-14975: NULL pointer dereference vulnerability in the
+    FoFiType1C::convertToType0 function in FoFiType1C.cc
+  * Fix CVE-2017-14976: Heap-based buffer over-read vulnerability in the
+    FoFiType1C::convertToType0 function in FoFiType1C.cc
+  * Fix CVE-2017-14977: NULL pointer dereference vulnerability in the
+    FoFiTrueType::getCFFBlock function in FoFiTrueType.cc
+  * Fix CVE-2017-15565: NULL Pointer Dereference in the
+    GfxImageColorMap::getGrayLine() function in GfxState.cc
+
 0.26.5-2+deb8u1 [Mon, 25 Apr 2016 19:02:11 +0200] Pino Toscano <pino@debian.org>:
 
   * Backport upstream commit b3425dd3261679958cd56c0f71995c15d2124433 to fix
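Review bot: In the 0.26.5-2+deb8u3 entry, CVE-2017-1000456 and CVE-2017-14929 appear as bare identifiers, and the "Fix regression in fix for CVE-2017-14519" line names neither the symptom nor a bug reference. The deb8u2 items each name the affected function, and the deb8u4 entry carries "(Closes: #890826)". A one-line description per item in deb8u3 would let an auditor match this changelog against the advisory without looking up each CVE. The same entry is dated "Tue, 22 Jan 2018", but 22 January 2018 was a Monday, so that timestamp should be checked. Two of the three new entries correct earlier fixes (CVE-2017-14519 in deb8u3, CVE-2017-9776 in deb8u4), so QA should confirm that hosts end up on deb8u4 rather than an intermediate build.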
Comment 5 Arvid Requate univentionstaff 2018-05-07 20:29:02 CEST
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory adjusted:
  eb84797f4e | Sort CVEs
Comment 6 Arvid Requate univentionstaff 2018-05-08 14:56:54 CEST
<http://errata.software-univention.de/ucs/4.2/390.html>