Debian Bug report logs - #524809
xpdf: multiple vulnerabilities

version graph

Package: xpdf; Maintainer for xpdf is Michael Gilbert <mgilbert@debian.org>; Source for xpdf is src:xpdf.

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Mon, 20 Apr 2009 02:27:02 UTC

Severity: grave

Tags: security

Fixed in versions xpdf/3.02-1.4+lenny1, xpdf/3.01-9.1+etch6

Done: Giuseppe Iuculano <giuseppe@iuculano.it>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>:
Bug#524807; Package cups. (Mon, 20 Apr 2009 02:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian CUPS Maintainers <pkg-cups-devel@lists.alioth.debian.org>. (Mon, 20 Apr 2009 02:27:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: cups: multiple vulnerabilities
Date: Sun, 19 Apr 2009 22:24:38 -0400
package: cups
severity: grave
tags: security

hello,

redhat recently patched the following cups [0], xpdf [1], and
kdegraphics[2] issues:

CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183

these are still reserved in the CVE list, but are disclosed at NVD.

[0] https://rhn.redhat.com/errata/RHSA-2009-0429.html
[1] https://rhn.redhat.com/errata/RHSA-2009-0430.html
[2] https://rhn.redhat.com/errata/RHSA-2009-0431.html




Bug 524807 cloned as bugs 524809, 524810. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Mon, 20 Apr 2009 02:39:01 GMT) Full text and rfc822 format available.

Bug reassigned from package `cups' to `xpdf'. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Mon, 20 Apr 2009 02:39:04 GMT) Full text and rfc822 format available.

Changed Bug title to `xpdf: multiple vulnerabilities' from `cups: multiple vulnerabilities'. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Mon, 20 Apr 2009 02:39:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>:
Bug#524809; Package xpdf. (Sat, 02 May 2009 13:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Hamish Moffatt <hamish@debian.org>. (Sat, 02 May 2009 13:24:02 GMT) Full text and rfc822 format available.

Message #16 received at 524809@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: team@security.debian.org
Cc: 524809@bugs.debian.org, 524809-submitter@bugs.debian.org
Subject: xpdf: Proposed NMU to fix CVE-2009-0146,0147,0165,0166,0799,0800,1179-1183
Date: Sat, 02 May 2009 15:23:09 +0200
[Message part 1 (text/plain, inline)]
Hi,

I've prepared a NMU to fix CVE-2009-0146,0147,0165,0166,0799,0800,1179-1183 in
stable and oldstable.

Proposed debdiffs in attachment.

Cheers,
Giuseppe.
[xpdf_3.01-9.1+etch6.debdiff (text/plain, attachment)]
[xpdf_3.02-1.4+lenny1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Message sent on to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug#524809. (Sat, 02 May 2009 13:24:04 GMT) Full text and rfc822 format available.

Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Sun, 07 Jun 2009 14:09:02 GMT) Full text and rfc822 format available.

Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 07 Jun 2009 14:09:03 GMT) Full text and rfc822 format available.

Message #24 received at 524809-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 524809-close@bugs.debian.org
Subject: Bug#524809: fixed in xpdf 3.02-1.4+lenny1
Date: Sun, 07 Jun 2009 13:54:11 +0000
Source: xpdf
Source-Version: 3.02-1.4+lenny1

We believe that the bug you reported is fixed in the latest version of
xpdf, which is due to be installed in the Debian FTP archive:

xpdf-common_3.02-1.4+lenny1_all.deb
  to pool/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
xpdf-reader_3.02-1.4+lenny1_amd64.deb
  to pool/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
xpdf-utils_3.02-1.4+lenny1_amd64.deb
  to pool/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
xpdf_3.02-1.4+lenny1.diff.gz
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
xpdf_3.02-1.4+lenny1.dsc
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
xpdf_3.02-1.4+lenny1_all.deb
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 524809@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated xpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 02 May 2009 10:05:02 +0200
Source: xpdf
Binary: xpdf xpdf-common xpdf-reader xpdf-utils
Architecture: source all amd64
Version: 3.02-1.4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: noahm@debian.org
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 xpdf       - Portable Document Format (PDF) suite
 xpdf-common - Portable Document Format (PDF) suite -- common files
 xpdf-reader - Portable Document Format (PDF) suite -- viewer for X11
 xpdf-utils - Portable Document Format (PDF) suite -- utilities
Closes: 524809
Changes: 
 xpdf (3.02-1.4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * This update fixes various security issues (Closes: #524809):
     - CVE-2009-0146: Multiple buffer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2SymbolDict::setBitmap and (2)
       JBIG2Stream::readSymbolDictSeg.
     - CVE-2009-0147: Multiple integer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2Stream::readSymbolDictSeg, (2)
       JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.
     - CVE-2009-0165: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
       earlier, as used in Poppler and other products, when running on Mac OS X,
       has unspecified impact, related to "g*allocn."
     - CVE-2009-0166: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, and other products allows remote attackers to cause a denial
       of service (crash) via a crafted PDF file that triggers a free of
       uninitialized memory.
     - CVE-2009-0799: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (crash) via a crafted PDF file
       that triggers an out-of-bounds read.
     - CVE-2009-0800: Multiple "input validation flaws" in the JBIG2 decoder in
       Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6,
       and other products allow remote attackers to execute arbitrary code via
       a crafted PDF file.
     - CVE-2009-1179: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
       earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
       allows remote attackers to execute arbitrary code via a crafted PDF file.
     - CVE-2009-1180: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to execute arbitrary code via a crafted PDF file that triggers
       a free of invalid data.
     - CVE-2009-1181: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (crash) via a crafted PDF file that
       triggers a NULL pointer dereference.
     - CVE-2009-1182: Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
       other products allow remote attackers to execute arbitrary code via a
       crafted PDF file.
     - CVE-2009-1183: The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (infinite loop and hang) via a
       crafted PDF file.
Checksums-Sha1: 
 84e643c99c2648a58bf1216f62ba6465b00c442c 1266 xpdf_3.02-1.4+lenny1.dsc
 f5411fabc97d8239215cab3349a9fa6362e43cef 42280 xpdf_3.02-1.4+lenny1.diff.gz
 f9940698840c8a8045677e8be68ab8580903e20a 674912 xpdf_3.02.orig.tar.gz
 196ac0c168c9127d1070ed680ec040a12d2b9128 1268 xpdf_3.02-1.4+lenny1_all.deb
 0cc4b19819916a1e3f5d415f528c6c41c1804076 67664 xpdf-common_3.02-1.4+lenny1_all.deb
 00935a2a5210312d621fa01a10956b8802b01214 921892 xpdf-reader_3.02-1.4+lenny1_amd64.deb
 47ea78514eeaf35cabbedf3676608ae5ada57193 1709514 xpdf-utils_3.02-1.4+lenny1_amd64.deb
Checksums-Sha256: 
 c5b9f9721d3bdcd7ef100a2fc56714b2a03b660dfa2ad0e43686276e10ccb934 1266 xpdf_3.02-1.4+lenny1.dsc
 312d5c97ed6333fc1ba4346b178562e72464dc1127c55e854ddd01f13a3d03fc 42280 xpdf_3.02-1.4+lenny1.diff.gz
 b33a7d56f454c331ae50996f989e86c9166e57af97b74de28cddf3d51ac11f00 674912 xpdf_3.02.orig.tar.gz
 900c0229dad15b9fb0c786a347804faa50d79c0d75dc80f202a6f49418d13a29 1268 xpdf_3.02-1.4+lenny1_all.deb
 c922018866e82368a8a0dd09cb7bd581eb89f56d03295f8108c6b8a61dfaa7b0 67664 xpdf-common_3.02-1.4+lenny1_all.deb
 9633c16a2e1b160285130b3d4dc57f6e7fefc143bf2cbf6dc7571bfd6b0fe723 921892 xpdf-reader_3.02-1.4+lenny1_amd64.deb
 6fbe8c6234767f27ef0e551f0c96f1b3ca83ec98e7cb63aaa913b4212009b738 1709514 xpdf-utils_3.02-1.4+lenny1_amd64.deb
Files: 
 faeebc4dfc74129ca708a6345bb483f7 1266 text optional xpdf_3.02-1.4+lenny1.dsc
 362f72e95494f51a19eeb898b9a527ac 42280 text optional xpdf_3.02-1.4+lenny1.diff.gz
 599dc4cc65a07ee868cf92a667a913d2 674912 text optional xpdf_3.02.orig.tar.gz
 f67780458dac3c38cd59bfde186f9a3b 1268 text optional xpdf_3.02-1.4+lenny1_all.deb
 b5f063bf32cbeaf1aaeec315dc8aff0a 67664 text optional xpdf-common_3.02-1.4+lenny1_all.deb
 fb7de1db5e3885365c3ad74c3646ab57 921892 text optional xpdf-reader_3.02-1.4+lenny1_amd64.deb
 1e1277251a6dd0bb0a551997efd39175 1709514 text optional xpdf-utils_3.02-1.4+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ/6uyYrVLjBFATsMRAkRuAJ0QPVMMVtXR19JI0HxU56Ip7EjSZgCdHlTj
n8KjZ/uYRucKW6A1d3alBHI=
=c5zQ
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Sat, 27 Jun 2009 16:39:12 GMT) Full text and rfc822 format available.

Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 27 Jun 2009 16:39:12 GMT) Full text and rfc822 format available.

Message #29 received at 524809-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 524809-close@bugs.debian.org
Subject: Bug#524809: fixed in xpdf 3.02-1.4+lenny1
Date: Sat, 27 Jun 2009 16:04:55 +0000
Source: xpdf
Source-Version: 3.02-1.4+lenny1

We believe that the bug you reported is fixed in the latest version of
xpdf, which is due to be installed in the Debian FTP archive:

xpdf-common_3.02-1.4+lenny1_all.deb
  to pool/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
xpdf-reader_3.02-1.4+lenny1_amd64.deb
  to pool/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
xpdf-utils_3.02-1.4+lenny1_amd64.deb
  to pool/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
xpdf_3.02-1.4+lenny1.diff.gz
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
xpdf_3.02-1.4+lenny1.dsc
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
xpdf_3.02-1.4+lenny1_all.deb
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 524809@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated xpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 02 May 2009 10:05:02 +0200
Source: xpdf
Binary: xpdf xpdf-common xpdf-reader xpdf-utils
Architecture: source all amd64
Version: 3.02-1.4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: noahm@debian.org
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 xpdf       - Portable Document Format (PDF) suite
 xpdf-common - Portable Document Format (PDF) suite -- common files
 xpdf-reader - Portable Document Format (PDF) suite -- viewer for X11
 xpdf-utils - Portable Document Format (PDF) suite -- utilities
Closes: 524809
Changes: 
 xpdf (3.02-1.4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * This update fixes various security issues (Closes: #524809):
     - CVE-2009-0146: Multiple buffer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2SymbolDict::setBitmap and (2)
       JBIG2Stream::readSymbolDictSeg.
     - CVE-2009-0147: Multiple integer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2Stream::readSymbolDictSeg, (2)
       JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.
     - CVE-2009-0165: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
       earlier, as used in Poppler and other products, when running on Mac OS X,
       has unspecified impact, related to "g*allocn."
     - CVE-2009-0166: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, and other products allows remote attackers to cause a denial
       of service (crash) via a crafted PDF file that triggers a free of
       uninitialized memory.
     - CVE-2009-0799: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (crash) via a crafted PDF file
       that triggers an out-of-bounds read.
     - CVE-2009-0800: Multiple "input validation flaws" in the JBIG2 decoder in
       Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6,
       and other products allow remote attackers to execute arbitrary code via
       a crafted PDF file.
     - CVE-2009-1179: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
       earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
       allows remote attackers to execute arbitrary code via a crafted PDF file.
     - CVE-2009-1180: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to execute arbitrary code via a crafted PDF file that triggers
       a free of invalid data.
     - CVE-2009-1181: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (crash) via a crafted PDF file that
       triggers a NULL pointer dereference.
     - CVE-2009-1182: Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
       other products allow remote attackers to execute arbitrary code via a
       crafted PDF file.
     - CVE-2009-1183: The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (infinite loop and hang) via a
       crafted PDF file.
Checksums-Sha1: 
 84e643c99c2648a58bf1216f62ba6465b00c442c 1266 xpdf_3.02-1.4+lenny1.dsc
 f5411fabc97d8239215cab3349a9fa6362e43cef 42280 xpdf_3.02-1.4+lenny1.diff.gz
 f9940698840c8a8045677e8be68ab8580903e20a 674912 xpdf_3.02.orig.tar.gz
 196ac0c168c9127d1070ed680ec040a12d2b9128 1268 xpdf_3.02-1.4+lenny1_all.deb
 0cc4b19819916a1e3f5d415f528c6c41c1804076 67664 xpdf-common_3.02-1.4+lenny1_all.deb
 00935a2a5210312d621fa01a10956b8802b01214 921892 xpdf-reader_3.02-1.4+lenny1_amd64.deb
 47ea78514eeaf35cabbedf3676608ae5ada57193 1709514 xpdf-utils_3.02-1.4+lenny1_amd64.deb
Checksums-Sha256: 
 c5b9f9721d3bdcd7ef100a2fc56714b2a03b660dfa2ad0e43686276e10ccb934 1266 xpdf_3.02-1.4+lenny1.dsc
 312d5c97ed6333fc1ba4346b178562e72464dc1127c55e854ddd01f13a3d03fc 42280 xpdf_3.02-1.4+lenny1.diff.gz
 b33a7d56f454c331ae50996f989e86c9166e57af97b74de28cddf3d51ac11f00 674912 xpdf_3.02.orig.tar.gz
 900c0229dad15b9fb0c786a347804faa50d79c0d75dc80f202a6f49418d13a29 1268 xpdf_3.02-1.4+lenny1_all.deb
 c922018866e82368a8a0dd09cb7bd581eb89f56d03295f8108c6b8a61dfaa7b0 67664 xpdf-common_3.02-1.4+lenny1_all.deb
 9633c16a2e1b160285130b3d4dc57f6e7fefc143bf2cbf6dc7571bfd6b0fe723 921892 xpdf-reader_3.02-1.4+lenny1_amd64.deb
 6fbe8c6234767f27ef0e551f0c96f1b3ca83ec98e7cb63aaa913b4212009b738 1709514 xpdf-utils_3.02-1.4+lenny1_amd64.deb
Files: 
 faeebc4dfc74129ca708a6345bb483f7 1266 text optional xpdf_3.02-1.4+lenny1.dsc
 362f72e95494f51a19eeb898b9a527ac 42280 text optional xpdf_3.02-1.4+lenny1.diff.gz
 599dc4cc65a07ee868cf92a667a913d2 674912 text optional xpdf_3.02.orig.tar.gz
 f67780458dac3c38cd59bfde186f9a3b 1268 text optional xpdf_3.02-1.4+lenny1_all.deb
 b5f063bf32cbeaf1aaeec315dc8aff0a 67664 text optional xpdf-common_3.02-1.4+lenny1_all.deb
 fb7de1db5e3885365c3ad74c3646ab57 921892 text optional xpdf-reader_3.02-1.4+lenny1_amd64.deb
 1e1277251a6dd0bb0a551997efd39175 1709514 text optional xpdf-utils_3.02-1.4+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ/6uyYrVLjBFATsMRAkRuAJ0QPVMMVtXR19JI0HxU56Ip7EjSZgCdHlTj
n8KjZ/uYRucKW6A1d3alBHI=
=c5zQ
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Fri, 03 Jul 2009 20:30:06 GMT) Full text and rfc822 format available.

Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Fri, 03 Jul 2009 20:30:06 GMT) Full text and rfc822 format available.

Message #34 received at 524809-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 524809-close@bugs.debian.org
Subject: Bug#524809: fixed in xpdf 3.01-9.1+etch6
Date: Fri, 03 Jul 2009 19:54:13 +0000
Source: xpdf
Source-Version: 3.01-9.1+etch6

We believe that the bug you reported is fixed in the latest version of
xpdf, which is due to be installed in the Debian FTP archive:

xpdf-common_3.01-9.1+etch6_all.deb
  to pool/main/x/xpdf/xpdf-common_3.01-9.1+etch6_all.deb
xpdf-reader_3.01-9.1+etch6_amd64.deb
  to pool/main/x/xpdf/xpdf-reader_3.01-9.1+etch6_amd64.deb
xpdf-utils_3.01-9.1+etch6_amd64.deb
  to pool/main/x/xpdf/xpdf-utils_3.01-9.1+etch6_amd64.deb
xpdf_3.01-9.1+etch6.diff.gz
  to pool/main/x/xpdf/xpdf_3.01-9.1+etch6.diff.gz
xpdf_3.01-9.1+etch6.dsc
  to pool/main/x/xpdf/xpdf_3.01-9.1+etch6.dsc
xpdf_3.01-9.1+etch6_all.deb
  to pool/main/x/xpdf/xpdf_3.01-9.1+etch6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 524809@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated xpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 02 May 2009 14:12:12 +0200
Source: xpdf
Binary: xpdf-utils xpdf xpdf-reader xpdf-common
Architecture: source amd64 all
Version: 3.01-9.1+etch6
Distribution: oldstable-security
Urgency: high
Maintainer: noahm@debian.org
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 xpdf       - Portable Document Format (PDF) suite
 xpdf-common - Portable Document Format (PDF) suite -- common files
 xpdf-reader - Portable Document Format (PDF) suite -- viewer for X11
 xpdf-utils - Portable Document Format (PDF) suite -- utilities
Closes: 524809
Changes: 
 xpdf (3.01-9.1+etch6) oldstable-security; urgency=high
 .
   * Non-maintainer upload.
   * This update fixes various security issues (Closes: #524809):
     - CVE-2009-0146: Multiple buffer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2SymbolDict::setBitmap and (2)
       JBIG2Stream::readSymbolDictSeg.
     - CVE-2009-0147: Multiple integer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2Stream::readSymbolDictSeg, (2)
       JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.
     - CVE-2009-0165: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
       earlier, as used in Poppler and other products, when running on Mac OS X,
       has unspecified impact, related to "g*allocn."
     - CVE-2009-0166: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, and other products allows remote attackers to cause a denial
       of service (crash) via a crafted PDF file that triggers a free of
       uninitialized memory.
     - CVE-2009-0799: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (crash) via a crafted PDF file
       that triggers an out-of-bounds read.
     - CVE-2009-0800: Multiple "input validation flaws" in the JBIG2 decoder in
       Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6,
       and other products allow remote attackers to execute arbitrary code via
       a crafted PDF file.
     - CVE-2009-1179: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
       earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
       allows remote attackers to execute arbitrary code via a crafted PDF file.
     - CVE-2009-1180: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to execute arbitrary code via a crafted PDF file that triggers
       a free of invalid data.
     - CVE-2009-1181: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (crash) via a crafted PDF file that
       triggers a NULL pointer dereference.
     - CVE-2009-1182: Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
       other products allow remote attackers to execute arbitrary code via a
       crafted PDF file.
     - CVE-2009-1183: The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (infinite loop and hang) via a
       crafted PDF file.
Files: 
 9c04059981f8b036d7e6e39c7f0aeb21 974 text optional xpdf_3.01-9.1+etch6.dsc
 c69a67b9ff487403e7c3ff819c6ff734 46835 text optional xpdf_3.01-9.1+etch6.diff.gz
 d6da8e00b02ab3f17ec44b90fff6bb30 1278 text optional xpdf_3.01-9.1+etch6_all.deb
 dd8f37161c3b2430cb1cd65c911e9f86 62834 text optional xpdf-common_3.01-9.1+etch6_all.deb
 171520d7642019943bfe7166876f5da5 809202 text optional xpdf-reader_3.01-9.1+etch6_amd64.deb
 9575f135e9ec312f9e6d7d2517dd8f5b 1493308 text optional xpdf-utils_3.01-9.1+etch6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ/3IeYrVLjBFATsMRAkolAJ9EgMM8LxG3Hrnuaee7DtcGvjeuXACfa0Nq
To8Llx9RAjN+9FpltmxpS80=
=ysF6
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Aug 2009 07:39:18 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:34:40 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.