[SECURITY] [DLA 1706-1] poppler security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : poppler
Version : 0.26.5-2+deb8u8
CVE ID : CVE-2018-19058 CVE-2018-20481 CVE-2018-20662
CVE-2019-7310 CVE-2019-9200
Debian Bug : 913177 917325 918158 921215 923414
Several security vulnerabilities were discovered in the poppler PDF
rendering shared library.
CVE-2018-19058
A reachable abort in Object.h will lead to denial-of-service because
EmbFile::save2 in FileSpec.cc lacks a stream check before saving an
embedded file.
CVE-2018-20481
Poppler mishandles unallocated XRef entries, which allows remote
attackers to cause a denial-of-service (NULL pointer dereference)
via a crafted PDF document.
CVE-2018-20662
Poppler allows attackers to cause a denial-of-service (application
crash and segmentation fault by crafting a PDF file in which an xref
data structure is corrupted.
CVE-2019-7310
A heap-based buffer over-read (due to an integer signedness error in
the XRef::getEntry function in XRef.cc) allows remote attackers to
cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted PDF document.
CVE-2019-9200
A heap-based buffer underwrite exists in ImageStream::getLine()
located at Stream.cc that can (for example) be triggered by sending
a crafted PDF file to the pdfimages binary. It allows an attacker to
cause denial-of-service (segmentation fault) or possibly have
unspecified other impact.
For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u8.
We recommend that you upgrade your poppler packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlyC0nxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeSADA//WoORipRClpa37uyOReoY/LpJF/6A+I09319knIajvns2pn5vJaQ5hZ9a
JTQVz0cGQYb5OHWVzr7dlbJyy3DLH+BQ/vMca0qTG5OAlLbKhw+dFankHLPeyqJH
CnTwLDgEGnn650uF4p86kEkzUwH36KvRPsEfjX2HsABY87bEwMcUxaCcJBazKyTC
uTj4qwCidssoiA4lmCGNAa/VEAHUykIzaI2eC0ZWtAN4UWRFiLt4XfXi7K3TcswK
GMvRHwe+AQCJVK4jhpyb5qdhbRmMWuahcFUlYncCpW7/5Qrw9cEqhdOfHoW3VYNS
PufpPySCjET34GCY2wizq424XVeSzmz+Um5vKhBFp/FCt7vdEvww73kAnbXbFGWb
wyVD7iC3lS675iq7P91AdPQtQFDNTQELxEvcgEplLpFMhLKXCa4j34xkzO1Xf17a
tfiqq/C5PjaXFCNF8eFqI/jAhOXcFyV7pX+/dimxw/IjjidTAyiQnil27MQTqfQC
pTcx6ZYC5ed1FcIpPvDwBF1Sjv8h+okcZIWbFCPi1s9nyU44iAxoF/AXMNRzWwpm
x2VVUsXxy4ZjVCY3StKTyKiJCKKAsDiIbEhbbmQcvFl2T1A2R32sYnWoH64cpZJy
iox1jympDYjPcPc89XnMkxQvFpNX4Ws/UEaCjF/V64HYHcgMpjw=
=gwm1
-----END PGP SIGNATURE-----
Reply to: