Bug 290464 - <app-text/poppler-0.12.3-r3: Integer Overflows (CVE-2009-{3603,3604,3605,3606,3607,3608,3609})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.ocert.org/advisories/ocert...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 284361 301943
Blocks: 290430
Reported: 2009-10-25 15:23 UTC by Alex Legler (RETIRED)
Modified: 2013-10-06 16:08 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
poppler-CVE-2009-3607.patch (poppler-CVE-2009-3607.patch,1.65 KB, patch)
2009-10-25 15:28 UTC, Alex Legler (RETIRED)

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-25 15:23:50 UTC
+++ This bug was initially created as a clone of Bug #290430 +++

CVE-2009-3603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603):
  Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf
  3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote
  attackers to execute arbitrary code via a crafted PDF document that
  triggers a heap-based buffer overflow.  NOTE: some of these details
  are obtained from third party information.  NOTE: this issue
  reportedly exists because of an incomplete fix for CVE-2009-1188.

CVE-2009-3604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604):
  The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x
  before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics
  KPDF, does not properly allocate memory, which allows remote
  attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted PDF document that
  triggers a NULL pointer dereference or a heap-based buffer overflow.

CVE-2009-3606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606):
  Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf
  before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might
  allow remote attackers to execute arbitrary code via a crafted PDF
  document that triggers a heap-based buffer overflow.

CVE-2009-3607 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3607):
  Integer overflow in the create_surface_from_thumbnail_data function
  in glib/poppler-page.cc in Poppler 0.x allows remote attackers to
  cause a denial of service (memory corruption) or possibly execute
  arbitrary code via a crafted PDF document that triggers a heap-based
  buffer overflow.  NOTE: some of these details are obtained from third
  party information.

CVE-2009-3608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608):
  Integer overflow in the ObjectStream::ObjectStream function in
  XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used
  in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow
  remote attackers to execute arbitrary code via a crafted PDF document
  that triggers a heap-based buffer overflow.

CVE-2009-3609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609):
  Integer overflow in the ImageStream::ImageStream function in
  Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used
  in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers
  to cause a denial of service (application crash) via a crafted PDF
  document that triggers a NULL pointer dereference or buffer over-read.
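As an added illustration of the bug class these CVEs describe (integer overflow in an allocation-size computation for a bitmap or image buffer), the C below is example code, not poppler's code or the attached patch: it shows the unchecked computation beside a hardened one. The function names and the `bpp` (bytes per pixel) argument are assumptions for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Multiply two size_t values, reporting overflow instead of silently wrapping. */
static int mul_size_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a)
        return 0;                     /* a * b would exceed SIZE_MAX */
    *out = a * b;
    return 1;
}

/* The pattern behind the CVEs above: the buffer size is computed in a
 * fixed-width integer with no range check. With crafted dimensions the
 * product wraps, a small buffer is allocated, and the later per-pixel
 * writes run past its end. Unsigned 32-bit arithmetic is used here so the
 * wrap-around is well defined and can be observed. */
uint32_t unchecked_bitmap_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * bpp * height;      /* wraps modulo 2^32 */
}

/* Hardened version: reject non-positive dimensions, check every
 * multiplication, and cap the result so it still fits int-based offset
 * arithmetic elsewhere in a renderer. Returns 1 and the byte count on
 * success, 0 if the size cannot be represented. */
int checked_bitmap_bytes(int width, int height, int bpp, size_t *out) {
    size_t row, total;
    if (width <= 0 || height <= 0 || bpp <= 0)
        return 0;
    if (!mul_size_checked((size_t)width, (size_t)bpp, &row))
        return 0;                     /* one row alone overflows */
    if (!mul_size_checked(row, (size_t)height, &total))
        return 0;                     /* rows * height overflows */
    if (total > (size_t)INT_MAX)
        return 0;                     /* too large for int offsets downstream */
    *out = total;
    return 1;
}

/* Allocate a zeroed bitmap only after the size has been validated;
 * NULL tells the caller the image dimensions are malformed. */
unsigned char *bitmap_alloc(int width, int height, int bpp) {
    size_t n;
    if (!checked_bitmap_bytes(width, height, bpp, &n))
        return NULL;
    return calloc(n, 1);
}
```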
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-25 15:28:24 UTC
Created attachment 208213
poppler-CVE-2009-3607.patch

CVE-2009-3607 is not yet fixed in poppler 0.12.1, please apply the attached patch and bump.
Comment 2 Ben de Groot (RETIRED) gentoo-dev 2010-01-15 22:58:02 UTC
Are these fixed in 0.12.3? (Haven't had time to check yet)
Comment 3 Maciej Mrozowski gentoo-dev 2010-01-23 14:12:54 UTC
0.12.3 does have this patch applied.
Comment 4 Ben de Groot (RETIRED) gentoo-dev 2010-02-01 16:09:45 UTC
Arches, please mark stable (or, in the case of mips, keyword) the following ebuilds:

app-text/poppler-0.12.3-r3
app-text/poppler-data-0.4.0
virtual/poppler-0.12.3-r1
virtual/poppler-glib-0.12.3-r2
virtual/poppler-qt4-0.12.3-r1
virtual/poppler-utils-0.12.3-r1

You should stable luatex-0.50.0 (bug 301943) at the same time.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-01 22:57:51 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-02-01 23:12:57 UTC
Stable for HPPA.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-02-02 19:06:10 UTC
ppc64 done
Comment 8 Markus Meier gentoo-dev 2010-02-03 22:14:44 UTC
amd64 stable
Comment 9 Markus Meier gentoo-dev 2010-02-04 21:38:41 UTC
arm stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2010-02-05 19:51:46 UTC
alpha/ia64/s390/sh/sparc stable
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:41:32 UTC
CVE-2009-3605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3605):
  Multiple integer overflows in Poppler 0.10.5 and earlier allow remote
  attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted PDF file, related to
  (1) glib/poppler-page.cc; (2) ArthurOutputDev.cc, (3)
  CairoOutputDev.cc, (4) GfxState.cc, (5) JBIG2Stream.cc, (6)
  PSOutputDev.cc, and (7) SplashOutputDev.cc in poppler/; and (8)
  SplashBitmap.cc, (9) Splash.cc, and (10) SplashFTFont.cc in splash/. 
  NOTE: this may overlap CVE-2009-0791.

Comment 12 nixnut (RETIRED) gentoo-dev 2010-02-08 18:23:08 UTC
ppc stable
Comment 13 Ben de Groot (RETIRED) gentoo-dev 2010-02-09 11:55:13 UTC
m68k has decided to drop keywords, so only mips is left to be done
Comment 14 Ben de Groot (RETIRED) gentoo-dev 2010-02-09 23:48:55 UTC
Mips done with okay from Kumba. Security: you're good to go for the next step.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:40:30 UTC
Thanks folks. Added to existing GLSA request.
Comment 16 Andreas K. Hüttel archtester gentoo-dev 2011-06-03 21:44:56 UTC
Thanks guys. No vulnerable version left in the tree. 
Nothing to do for printing anymore.
Comment 17 Andreas K. Hüttel archtester gentoo-dev 2013-03-16 11:42:28 UTC
Will anyone still read this GLSA if it ever comes out? Come on, stable is poppler-0.20 by now.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 16:08:30 UTC
This issue was resolved and addressed in GLSA 201310-03 at http://security.gentoo.org/glsa/glsa-201310-03.xml by GLSA coordinator Sean Amoss (ackle).