[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1706-1] poppler security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : poppler
Version        : 0.26.5-2+deb8u8
CVE ID         : CVE-2018-19058 CVE-2018-20481 CVE-2018-20662
                 CVE-2019-7310 CVE-2019-9200
Debian Bug     : 913177 917325 918158 921215 923414

Several security vulnerabilities were discovered in the poppler PDF
rendering shared library.

CVE-2018-19058

    A reachable abort in Object.h will lead to denial-of-service because
    EmbFile::save2 in FileSpec.cc lacks a stream check before saving an
    embedded file.

CVE-2018-20481

    Poppler mishandles unallocated XRef entries, which allows remote
    attackers to cause a denial-of-service (NULL pointer dereference)
    via a crafted PDF document.

CVE-2018-20662

    Poppler allows attackers to cause a denial-of-service (application
    crash and segmentation fault by crafting a PDF file in which an xref
    data structure is corrupted.

CVE-2019-7310

    A heap-based buffer over-read (due to an integer signedness error in
    the XRef::getEntry function in XRef.cc) allows remote attackers to
    cause a denial of service (application crash) or possibly have
    unspecified other impact via a crafted PDF document.

CVE-2019-9200

    A heap-based buffer underwrite exists in ImageStream::getLine()
    located at Stream.cc that can (for example) be triggered by sending
    a crafted PDF file to the pdfimages binary. It allows an attacker to
    cause denial-of-service (segmentation fault) or possibly have
    unspecified other impact.

For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u8.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlyC0nxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSADA//WoORipRClpa37uyOReoY/LpJF/6A+I09319knIajvns2pn5vJaQ5hZ9a
JTQVz0cGQYb5OHWVzr7dlbJyy3DLH+BQ/vMca0qTG5OAlLbKhw+dFankHLPeyqJH
CnTwLDgEGnn650uF4p86kEkzUwH36KvRPsEfjX2HsABY87bEwMcUxaCcJBazKyTC
uTj4qwCidssoiA4lmCGNAa/VEAHUykIzaI2eC0ZWtAN4UWRFiLt4XfXi7K3TcswK
GMvRHwe+AQCJVK4jhpyb5qdhbRmMWuahcFUlYncCpW7/5Qrw9cEqhdOfHoW3VYNS
PufpPySCjET34GCY2wizq424XVeSzmz+Um5vKhBFp/FCt7vdEvww73kAnbXbFGWb
wyVD7iC3lS675iq7P91AdPQtQFDNTQELxEvcgEplLpFMhLKXCa4j34xkzO1Xf17a
tfiqq/C5PjaXFCNF8eFqI/jAhOXcFyV7pX+/dimxw/IjjidTAyiQnil27MQTqfQC
pTcx6ZYC5ed1FcIpPvDwBF1Sjv8h+okcZIWbFCPi1s9nyU44iAxoF/AXMNRzWwpm
x2VVUsXxy4ZjVCY3StKTyKiJCKKAsDiIbEhbbmQcvFl2T1A2R32sYnWoH64cpZJy
iox1jympDYjPcPc89XnMkxQvFpNX4Ws/UEaCjF/V64HYHcgMpjw=
=gwm1
-----END PGP SIGNATURE-----


Reply to: