Summary: | <app-text/poppler-0.12.3-r3: Integer Overflows (CVE-2009-{3603,3604,3605,3606,3607,3608,3609}) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | normal | CC: | loki_val | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://www.ocert.org/advisories/ocert-2009-016.html | ||||||
Whiteboard: | B2 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Bug Depends on: | 284361, 301943 | ||||||
Bug Blocks: | 290430 | ||||||
Attachments: |
|
Description
Alex Legler (RETIRED)
2009-10-25 15:23:50 UTC
Created attachment 208213 [details, diff]
poppler-CVE-2009-3607.patch
CVE-2009-3607 is not yet fixed in poppler 0.12.1, please apply the attached patch and bump.
Are these fixed in 0.12.3? (Haven't had time to check yet) 0.12.3 does have this patch applied. Arches, please mark stable (or, in the case of mips, keyword) the following ebuilds: app-text/poppler-0.12.3-r3 app-text/poppler-data-0.4.0 virtual/poppler-0.12.3-r1 virtual/poppler-glib-0.12.3-r2 virtual/poppler-qt4-0.12.3-r1 virtual/poppler-utils-0.12.3-r1 You should stable luatex-0.50.0 (bug 301943) at the same time. x86 stable Stable for HPPA. ppc64 done amd64 stable arm stable alpha/ia64/s390/sh/sparc stable CVE-2009-3605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3605): Multiple integer overflows in Poppler 0.10.5 and earlier allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file, related to (1) glib/poppler-page.cc; (2) ArthurOutputDev.cc, (3) CairoOutputDev.cc, (4) GfxState.cc, (5) JBIG2Stream.cc, (6) PSOutputDev.cc, and (7) SplashOutputDev.cc in poppler/; and (8) SplashBitmap.cc, (9) Splash.cc, and (10) SplashFTFont.cc in splash/. NOTE: this may overlap CVE-2009-0791. ppc stable m68k has decided to drop keywords, so only mips is left to be done Mips done with okay from Kumba. Security: you're good to go for the next step. Thanks folks. Added to existing GLSA request. Thanks guys. No vulnerable version left in the tree. Nothing to do for printing anymore. Will anyone still read this GLSA if it ever comes out? Come on, stable is poppler-0.20 by now. This issue was resolved and addressed in GLSA 201310-03 at http://security.gentoo.org/glsa/glsa-201310-03.xml by GLSA coordinator Sean Amoss (ackle). |