Package: poppler
Version: 0.4.5-5
Severity: important
Tags: patch, security
Hi,
Please update poppler for CVE-2007-0104; patch attached.
Let me know if you want me to NMU.
Side notes:
- your control.in isn't used anymore, this is confusing
- config.log isn't cleaned up
Bye,
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
--
Loïc Minier <[EMAIL PROTECTED]>
--- poppler-0.4.5/debian/changelog
+++ poppler-0.4.5/debian/changelog
@@ -1,3 +1,13 @@
+poppler (0.4.5-5.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * SECURITY UPDATE: Denial of Service.
+ * New patch, 108_CVE-2007-0104; limits recursion depth of the parsing tree to
+ 100 to avoid infinite loop with crafted documents; CVE-2007-0104; from
+ Ubuntu's 0.4.2-0ubuntu6.8; originally taken from koffice security update.
+
+ -- Loic Minier <[EMAIL PROTECTED]> Sat, 20 Jan 2007 00:12:49 +0100
+
poppler (0.4.5-5) unstable; urgency=low
* Acknowledge NMU (Closes: #375332)
--- poppler-0.4.5.orig/debian/patches/108_CVE-2007-0104.patch
+++ poppler-0.4.5/debian/patches/108_CVE-2007-0104.patch
@@ -0,0 +1,63 @@
+diff -Nur poppler-0.5.4/poppler/Catalog.cc poppler-0.5.4.new/poppler/Catalog.cc
+--- poppler-0.5.4/poppler/Catalog.cc 2006-09-13 17:10:52.000000000 +0200
++++ poppler-0.5.4.new/poppler/Catalog.cc 2007-01-16 17:57:43.000000000 +0100
+@@ -26,6 +26,12 @@
+ #include "UGooString.h"
+ #include "Catalog.h"
+
++// This define is used to limit the depth of recursive readPageTree calls
++// This is needed because the page tree nodes can reference their parents
++// leaving us in an infinite loop
++// Most sane pdf documents don't have a call depth higher than 10
++#define MAX_CALL_DEPTH 1000
++
+ //------------------------------------------------------------------------
+ // Catalog
+ //------------------------------------------------------------------------
+@@ -75,7 +81,7 @@
+ pageRefs[i].num = -1;
+ pageRefs[i].gen = -1;
+ }
+- numPages = readPageTree(pagesDict.getDict(), NULL, 0);
++ numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
+ if (numPages != numPages0) {
+ error(-1, "Page count in top-level pages object is incorrect");
+ }
+@@ -217,7 +223,7 @@
+ return s;
+ }
+
+-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
++int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
+ Object kids;
+ Object kid;
+ Object kidRef;
+@@ -262,9 +268,13 @@
+ // This should really be isDict("Pages"), but I've seen at least one
+ // PDF file where the /Type entry is missing.
+ } else if (kid.isDict()) {
+- if ((start = readPageTree(kid.getDict(), attrs1, start))
+- < 0)
+- goto err2;
++ if (callDepth > MAX_CALL_DEPTH) {
++ error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
++ } else {
++ if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
++ < 0)
++ goto err2;
++ }
+ } else {
+ error(-1, "Kid object (page %d) is wrong type (%s)",
+ start+1, kid.getTypeName());
+diff -Nur poppler-0.5.4/poppler/Catalog.h poppler-0.5.4.new/poppler/Catalog.h
+--- poppler-0.5.4/poppler/Catalog.h 2006-01-23 15:43:36.000000000 +0100
++++ poppler-0.5.4.new/poppler/Catalog.h 2007-01-16 17:58:09.000000000 +0100
+@@ -193,7 +193,7 @@
+ PageMode pageMode; // page mode
+ PageLayout pageLayout; // page layout
+
+- int readPageTree(Dict *pages, PageAttrs *attrs, int start);
++ int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
+ Object *findDestInTree(Object *tree, GooString *name, Object *obj);
+ };
+
