Your message dated Tue, 15 Aug 2017 23:00:12 +0000
with message-id <e1dhkom-000huo...@fasolo.debian.org>
and subject line Bug#867477: fixed in poppler 0.57.0-1
has caused the Debian Bug report #867477,
regarding poppler: CVE-2017-9865 stack-based overflow leading to denial-of-service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
867477: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867477
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: poppler
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security patch upstream
Forwarded: https://bugs.freedesktop.org/show_bug.cgi?id=100774

Hi,

the following vulnerability was published for poppler.

CVE-2017-9865[0]:
| The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0
| allows remote attackers to cause a denial of service (stack-based
| buffer over-read and application crash) via a crafted PDF document,
| related to missing color-map validation in ImageOutputDev.cc.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 0.57.0-1

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <po...@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 14 Aug 2017 22:19:15 +0200
Source: poppler
Binary: libpoppler68 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0v5 libpoppler-cpp-dev poppler-utils
Architecture: source amd64 all
Version: 0.57.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintain...@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <po...@debian.org>
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0v5 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler68 - PDF rendering library
 poppler-utils - PDF utilities (based on Poppler)
Closes: 860955 863759 864009 864010 865679 865680 867477
Changes:
 poppler (0.57.0-1) experimental; urgency=medium
 .
   [ Pino Toscano ]
   * Update Vcs-* fields.
   * Add a lintian override for the "breaks-without-version xpdf-common" in
     poppler-utils, as it is making sure to clean up xpdf-common for upgrades
     to Buster.
 .
   [ Emilio Pozuelo Monfort ]
   * New upstream release. Closes: #860955.
   * Fixes:
     CVE-2017-9406: memory leak parsing XRef entries. Closes: #864010.
     CVE-2017-9408: memory leak in Object::initArray. Closes: #864009.
     CVE-2017-9775: stack buffer overflow in GfxState.cc. Closes: #865680.
     CVE-2017-9776: integer overflow leading to heap buffer overflow in
     JBIG2Stream.cc. Closes: #865679.
     CVE-2017-9865: stack buffer overflow in GfxImageColorMap::getGray.
     Closes: #867477.
     CVE-2017-7511: pdfunite denial of service due to null pointer
     dereference. Closes: #863759.
   * debian/patches/upstream_pdfseparate-remove-extra-in-error-message.patch:
     + Dropped, fixed upstream.
   * Update symbols files.
   * libpoppler64 -> libpoppler68.
   * Re-enable PIE. Looks like Qt5 got fixed.
   * Bump debhelper compat to 10.
     + debhelper now defaults to --with autoreconf.
     + It also defaults to --parallel.
   * Switch to -dbgsym packages.
   * Set the team as maintainer.
   * Add myself to uploaders.
--- End Message ---