Your message dated Mon, 12 Nov 2007 05:27:34 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#450629: fixed in xpdf 3.02-1.3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: xpdf
Version: 3.02-1
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for poppler.
CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.
CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
| remote attackers to execute arbitrary code via a crafted PDF
| file, resulting in a heap-based buffer overflow.
CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar
| method in xpdf/Stream.cc in Xpdf 3.02 with
| xpdf-3.02pl1.patch allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted
| CCITTFaxDecode filter.
If you fix these vulnerabilities please also include the CVE ids
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
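The three CVE texts above describe two defect classes in xpdf/Stream.cc: an index taken from the file and used without a bounds check (the "array index error" in DCTStream::readProgressiveDataUnit, CVE-2007-4352) and a buffer-size computation that overflows before the allocation, leaving a heap block smaller than the decoder later writes into (DCTStream::reset, CVE-2007-5392); CVE-2007-5393 is a further heap overflow in the CCITTFax decoder that the block below does not model. The C below is an added, constructed illustration of those two patterns beside their checked forms. It is not xpdf's code and not the Debian patch: the header layout, the MAX_COMPS and MAX_QTABLES limits, the function names and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Limits are assumptions for this example, not values taken from xpdf. */
#define MAX_COMPS   4   /* colour components per frame */
#define MAX_QTABLES 4   /* quantisation table selectors 0..3 */

struct frame {
    uint32_t width, height, ncomps;
    uint8_t  qtable[MAX_COMPS];   /* per-component table selector */
};

/* Vulnerable pattern (integer overflow before allocation, cf. CVE-2007-5392):
 * the product is formed in 32-bit unsigned arithmetic, so 65536 x 65536 x 1
 * wraps to 0. A malloc() of that result returns a tiny block and the decoder's
 * per-pixel writes then run off the end of the heap allocation.
 * This function only returns the size; nothing is allocated. */
size_t unchecked_buf_size(uint32_t width, uint32_t height, uint32_t ncomps)
{
    uint32_t n = width * height * ncomps;       /* wraps silently */
    return (size_t)n * sizeof(int32_t);
}

/* Hardened form: widen to size_t and test each multiplication against
 * SIZE_MAX before performing it. Returns 1 and stores the byte count in *out,
 * or 0 if any step would overflow (the caller must then reject the stream). */
int checked_buf_size(uint32_t width, uint32_t height, uint32_t ncomps, size_t *out)
{
    size_t n = width;
    if (height != 0 && n > SIZE_MAX / height) return 0;
    n *= height;
    if (ncomps != 0 && n > SIZE_MAX / ncomps) return 0;
    n *= ncomps;
    if (n > SIZE_MAX / sizeof(int32_t)) return 0;
    *out = n * sizeof(int32_t);
    return 1;
}

/* Parses a constructed 5 + 3*ncomps byte frame header:
 *   height(2) width(2) ncomps(1), then per component id(1) sampling(1) qtable(1)
 * (a simplified stand-in for a JPEG SOF segment, assumed for the example).
 * Returns 0 on success or a negative code for a malformed header. The
 * selector check is the bounds check whose absence gives an "array index
 * error" (cf. CVE-2007-4352): an unchecked selector would later index a
 * fixed-size table array with an attacker-chosen value. */
int parse_frame(const uint8_t *buf, size_t len, struct frame *f)
{
    if (len < 5) return -1;
    f->height = (uint32_t)buf[0] << 8 | buf[1];
    f->width  = (uint32_t)buf[2] << 8 | buf[3];
    f->ncomps = buf[4];
    if (f->width == 0 || f->height == 0) return -2;
    if (f->ncomps == 0 || f->ncomps > MAX_COMPS) return -3;   /* qtable[] bound */
    if (len < 5 + 3 * (size_t)f->ncomps) return -1;
    for (uint32_t i = 0; i < f->ncomps; i++) {
        uint8_t sel = buf[5 + 3 * i + 2];
        if (sel >= MAX_QTABLES) return -4;                     /* table array bound */
        f->qtable[i] = sel;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample headers: a 640x480 3-component frame, and a frame
     * whose single component selects quantisation table 7 (out of range). */
    const uint8_t good[]    = { 0x01,0xE0, 0x02,0x80, 3, 1,0x22,0, 2,0x11,1, 3,0x11,1 };
    const uint8_t bad_sel[] = { 0x01,0xE0, 0x02,0x80, 1, 1,0x11,7 };
    struct frame f;
    size_t sz;

    printf("good header: rc=%d\n", parse_frame(good, sizeof good, &f));
    if (checked_buf_size(f.width, f.height, f.ncomps, &sz))
        printf("  %ux%ux%u -> %zu bytes\n", f.width, f.height, f.ncomps, sz);
    printf("bad selector: rc=%d\n", parse_frame(bad_sel, sizeof bad_sel, &f));
    printf("unchecked 65536x65536x1 -> %zu bytes (wrapped)\n",
           unchecked_buf_size(65536u, 65536u, 1u));
    printf("checked 0xFFFFFFFF x 0xFFFFFFFF x 4 -> ok=%d\n",
           checked_buf_size(0xFFFFFFFFu, 0xFFFFFFFFu, 4u, &sz));
    return 0;
}
```

The two checks are independent: a frame whose selectors are all valid can still carry dimensions that wrap the size product, and a frame whose product is sane can still name a table that does not exist, so a decoder needs both before touching any buffer. A checked size that is merely huge (for example 2^34 bytes) is not an overflow and is left for malloc() failure handling, which the decoder must also treat as a fatal stream error.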
--- Begin Message ---
Source: xpdf
Source-Version: 3.02-1.3
We believe that the bug you reported is fixed in the latest version of
xpdf, which is due to be installed in the Debian FTP archive:
xpdf-common_3.02-1.3_all.deb
to pool/main/x/xpdf/xpdf-common_3.02-1.3_all.deb
xpdf-reader_3.02-1.3_i386.deb
to pool/main/x/xpdf/xpdf-reader_3.02-1.3_i386.deb
xpdf-utils_3.02-1.3_i386.deb
to pool/main/x/xpdf/xpdf-utils_3.02-1.3_i386.deb
xpdf_3.02-1.3.diff.gz
to pool/main/x/xpdf/xpdf_3.02-1.3.diff.gz
xpdf_3.02-1.3.dsc
to pool/main/x/xpdf/xpdf_3.02-1.3.dsc
xpdf_3.02-1.3_all.deb
to pool/main/x/xpdf/xpdf_3.02-1.3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated xpdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 09 Nov 2007 09:22:19 +0100
Source: xpdf
Binary: xpdf-utils xpdf xpdf-reader xpdf-common
Architecture: source i386 all
Version: 3.02-1.3
Distribution: unstable
Urgency: high
Maintainer: Hamish Moffatt <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
xpdf - Portable Document Format (PDF) suite
xpdf-common - Portable Document Format (PDF) suite -- common files
xpdf-reader - Portable Document Format (PDF) suite -- viewer for X11
xpdf-utils - Portable Document Format (PDF) suite -- utilities
Closes: 450629
Changes:
xpdf (3.02-1.3) unstable; urgency=high
.
* Non-maintainer upload by testing security team.
* Included fix-CVE-2007-5393_2007-5392_2007-4352.dpatch to address the
following security issues (Closes: #450629)
- CVE-2007-5393 buffer overflow in CCITTFaxStream::lookChar leading
to arbitrary code execution via a crafted PDF file.
- CVE-2007-5392 integer overflow in DCTStream::reset resulting in a
heap-based buffer overflow that allows code execution.
- CVE-2007-4352 array index error in DCTStream::readProgressiveDataUnit
leading to memory corruption and possibly arbitrary code execution.
Files:
04630760081b60af98ab4f477607d362 872 text optional xpdf_3.02-1.3.dsc
424a2ae72f005f718c25fedee9f8b4f3 37396 text optional xpdf_3.02-1.3.diff.gz
353fa4f41c1663c4216d6874557abf6a 1262 text optional xpdf_3.02-1.3_all.deb
fdde4ea9fb5e8d3c87531f21007a6ef6 66486 text optional xpdf-common_3.02-1.3_all.deb
309a74068b4ce18ca2aebd8d291234ef 862622 text optional xpdf-reader_3.02-1.3_i386.deb
1220159d03ad9debf972e0f3ba6c3102 1585026 text optional xpdf-utils_3.02-1.3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHNt3+HYflSXNkfP8RAkCUAJ4zwH0Sf95NUhTWoHG6s/SlUNs1XACfa1I4
Mrtri9zm+D6+aG7JPyNgm/0=
=3QPW
-----END PGP SIGNATURE-----
--- End Message ---