Your message dated Wed, 09 Jul 2008 11:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#489756: fixed in poppler 0.8.4-1.1
has caused the Debian Bug report #489756,
regarding poppler: CVE-2008-2950 arbitrary code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
489756: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489756
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpoppler3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for poppler.
CVE-2008-2950[0]:
| The poppler PDF rendering library suffers a memory management bug which leads
| to arbitrary code execution.
|
| The vulnerability is present in the Page class constructor/destructor. The
| pageWidgets object is not initialized in the Page constructor if specific
| conditions are met, but it is deleted afterwards in the destructor regardless
| of its initialization.
|
| Specific PDF files can be crafted which allocate arbitrary memory to trigger
| the vulnerability.
This is not yet on the mitre site, in the meantime check out:
http://www.ocert.org/advisories/ocert-2008-007.html
The patch is also available on this website.
A new upstream release to fix this is scheduled on July 30th according
to the maintainer. Please don't wait until then to upload a fixed package.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2950
http://security-tracker.debian.net/tracker/CVE-2008-2950
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
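The defect class described in the report above (a pointer member assigned on only one constructor path, then deleted unconditionally in the destructor), shown next to the initialize-always form of the fix. This is an added example, not poppler's source or the CVE-2008-2950 patch; `Widgets`, `PageVulnerable`, `PageFixed`, `buildWidgets` and `liveAfterLifecycle` are hypothetical names, and the boolean stands in for the "specific conditions" the advisory mentions.

```cpp
// Simplified model of the bug class; hypothetical names, not poppler code.
struct Widgets {
    static int live;              // Widgets objects currently allocated
    Widgets()  { ++live; }
    ~Widgets() { --live; }
};
int Widgets::live = 0;

// BEFORE: `widgets` is assigned on one branch only, yet the destructor
// deletes it regardless. On the other branch the member holds whatever
// bytes were already in that memory, so `delete` runs on a garbage pointer.
class PageVulnerable {
public:
    explicit PageVulnerable(bool buildWidgets) {
        if (buildWidgets)
            widgets = new Widgets();
        // else: widgets is left uninitialized
    }
    ~PageVulnerable() { delete widgets; }
private:
    Widgets *widgets;
};

// AFTER: the member always has a defined value before any branch runs;
// deleting a null pointer is a no-op, so the destructor is safe on both paths.
class PageFixed {
public:
    explicit PageFixed(bool buildWidgets) : widgets(nullptr) {
        if (buildWidgets)
            widgets = new Widgets();
    }
    ~PageFixed() { delete widgets; }
    PageFixed(const PageFixed &) = delete;             // sole owner of widgets
    PageFixed &operator=(const PageFixed &) = delete;
    bool hasWidgets() const { return widgets != nullptr; }
private:
    Widgets *widgets;
};

// Constructs and destroys a PageFixed, then reports how many Widgets remain.
int liveAfterLifecycle(bool buildWidgets) {
    { PageFixed page(buildWidgets); }
    return Widgets::live;
}

int main() { return liveAfterLifecycle(false) + liveAfterLifecycle(true); }
```

`PageVulnerable` is compiled here but never instantiated, since destroying it on the skipped branch is undefined behaviour.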
--- Begin Message ---
Source: poppler
Source-Version: 0.8.4-1.1
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive:
libpoppler-dev_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/libpoppler-dev_0.8.4-1.1_amd64.deb
libpoppler-glib-dev_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/libpoppler-glib-dev_0.8.4-1.1_amd64.deb
libpoppler-glib3_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/libpoppler-glib3_0.8.4-1.1_amd64.deb
libpoppler-qt-dev_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/libpoppler-qt-dev_0.8.4-1.1_amd64.deb
libpoppler-qt2_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/libpoppler-qt2_0.8.4-1.1_amd64.deb
libpoppler-qt4-3_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/libpoppler-qt4-3_0.8.4-1.1_amd64.deb
libpoppler-qt4-dev_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/libpoppler-qt4-dev_0.8.4-1.1_amd64.deb
libpoppler3_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/libpoppler3_0.8.4-1.1_amd64.deb
poppler-dbg_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/poppler-dbg_0.8.4-1.1_amd64.deb
poppler-utils_0.8.4-1.1_amd64.deb
to pool/main/p/poppler/poppler-utils_0.8.4-1.1_amd64.deb
poppler_0.8.4-1.1.diff.gz
to pool/main/p/poppler/poppler_0.8.4-1.1.diff.gz
poppler_0.8.4-1.1.dsc
to pool/main/p/poppler/poppler_0.8.4-1.1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 09 Jul 2008 00:09:10 +0200
Source: poppler
Binary: libpoppler3 libpoppler-dev libpoppler-glib3 libpoppler-glib-dev libpoppler-qt2 libpoppler-qt-dev libpoppler-qt4-3 libpoppler-qt4-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.8.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Loic Minier <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib3 - PDF rendering library (GLib-based shared library)
 libpoppler-qt-dev - PDF rendering library -- development files (Qt 3 interface)
 libpoppler-qt2 - PDF rendering library (Qt 3 based shared library)
 libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler3 - PDF rendering library
 poppler-dbg - PDF rendering library - detached debugging symbols
 poppler-utils - PDF utilities (based on libpoppler)
Closes: 489756
Changes:
poppler (0.8.4-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix missing pageWidgets object initialization that could lead to arbitrary
code execution by a crafted PDF file when the Page destructor deletes
the object which has not been initialized before
(CVE-2008-2950.patch; Closes: #489756).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---