Your message dated Sun, 07 Jun 2009 13:54:11 +0000
with message-id <e1mdip9-0003hj...@ries.debian.org>
and subject line Bug#524809: fixed in xpdf 3.02-1.4+lenny1
has caused the Debian Bug report #524809,
regarding xpdf: multiple vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
524809: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524809
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: cups
severity: grave
tags: security
Hello,
Red Hat recently patched the following cups [0], xpdf [1], and
kdegraphics [2] issues:
CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799,
CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181,
CVE-2009-1182, CVE-2009-1183
These are still reserved in the CVE list, but are disclosed at NVD.
[0] https://rhn.redhat.com/errata/RHSA-2009-0429.html
[1] https://rhn.redhat.com/errata/RHSA-2009-0430.html
[2] https://rhn.redhat.com/errata/RHSA-2009-0431.html
--- End Message ---
--- Begin Message ---
Source: xpdf
Source-Version: 3.02-1.4+lenny1
We believe that the bug you reported is fixed in the latest version of
xpdf, which is due to be installed in the Debian FTP archive:
xpdf-common_3.02-1.4+lenny1_all.deb
  to pool/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
xpdf-reader_3.02-1.4+lenny1_amd64.deb
  to pool/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
xpdf-utils_3.02-1.4+lenny1_amd64.deb
  to pool/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
xpdf_3.02-1.4+lenny1.diff.gz
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
xpdf_3.02-1.4+lenny1.dsc
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
xpdf_3.02-1.4+lenny1_all.deb
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 524...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuse...@iuculano.it> (supplier of updated xpdf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sat, 02 May 2009 10:05:02 +0200
Source: xpdf
Binary: xpdf xpdf-common xpdf-reader xpdf-utils
Architecture: source all amd64
Version: 3.02-1.4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: no...@debian.org
Changed-By: Giuseppe Iuculano <giuse...@iuculano.it>
Description:
xpdf - Portable Document Format (PDF) suite
xpdf-common - Portable Document Format (PDF) suite -- common files
xpdf-reader - Portable Document Format (PDF) suite -- viewer for X11
xpdf-utils - Portable Document Format (PDF) suite -- utilities
Closes: 524809
Changes:
 xpdf (3.02-1.4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * This update fixes various security issues (Closes: #524809):
     - CVE-2009-0146: Multiple buffer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2SymbolDict::setBitmap and (2)
       JBIG2Stream::readSymbolDictSeg.
     - CVE-2009-0147: Multiple integer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2Stream::readSymbolDictSeg, (2)
       JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.
     - CVE-2009-0165: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
       earlier, as used in Poppler and other products, when running on Mac OS X,
       has unspecified impact, related to "g*allocn."
     - CVE-2009-0166: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, and other products allows remote attackers to cause a denial
       of service (crash) via a crafted PDF file that triggers a free of
       uninitialized memory.
     - CVE-2009-0799: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (crash) via a crafted PDF file
       that triggers an out-of-bounds read.
     - CVE-2009-0800: Multiple "input validation flaws" in the JBIG2 decoder in
       Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6,
       and other products allow remote attackers to execute arbitrary code via
       a crafted PDF file.
     - CVE-2009-1179: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
       earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
       allows remote attackers to execute arbitrary code via a crafted PDF file.
     - CVE-2009-1180: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to execute arbitrary code via a crafted PDF file that triggers
       a free of invalid data.
     - CVE-2009-1181: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
       and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (crash) via a crafted PDF file that
       triggers a NULL pointer dereference.
     - CVE-2009-1182: Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
       other products allow remote attackers to execute arbitrary code via a
       crafted PDF file.
     - CVE-2009-1183: The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote
       attackers to cause a denial of service (infinite loop and hang) via a
       crafted PDF file.
--- End Message ---
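The integer-overflow entries in the changelog above (CVE-2009-0147, CVE-2009-0165 with its "g*allocn" reference, CVE-2009-1179) describe the bug class where a row count and a row size taken from the file are multiplied into an allocation size that wraps, so the decoder gets a buffer far smaller than the bitmap it then fills. As an added example that is not xpdf's, Poppler's or Debian's code, the block below puts the wrapping computation next to a gmallocn-style checked allocator and a bitmap constructor built on it; the function names and the 1-bpp bitmap layout are illustrative assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not xpdf's code: the gmallocn()-style check that stops a
 * crafted JBIG2 width/height pair from wrapping the allocation size. */

/* Size a naive decoder would compute: n_objs * obj_size in 32-bit unsigned
 * arithmetic, silently wrapping modulo 2^32 when the true product is larger. */
uint32_t naive_alloc_size(int n_objs, int obj_size) {
    return (uint32_t)n_objs * (uint32_t)obj_size;
}

/* Checked replacement: refuses negative counts and any product that does
 * not fit in an int, so a wrapped (too-small) buffer is never handed out. */
void *checked_mallocn(int n_objs, int obj_size) {
    if (n_objs < 0 || obj_size <= 0) return NULL;
    if (n_objs > INT_MAX / obj_size) return NULL;   /* product would overflow */
    return malloc((size_t)n_objs * (size_t)obj_size);
}

/* Minimal 1-bit-per-pixel bitmap, the kind a JBIG2 generic region decodes into. */
typedef struct {
    int w, h;
    int line;            /* bytes per row */
    unsigned char *data; /* line * h bytes */
} Bitmap;

/* Allocate a bitmap from file-controlled dimensions; NULL on any overflow. */
Bitmap *bitmap_new(int w, int h) {
    if (w <= 0 || h <= 0 || w > INT_MAX - 7) return NULL; /* (w + 7) must not wrap */
    int line = (w + 7) / 8;
    unsigned char *data = checked_mallocn(h, line);       /* h * line is checked */
    if (!data) return NULL;
    memset(data, 0, (size_t)h * (size_t)line);
    Bitmap *bm = malloc(sizeof *bm);
    if (!bm) { free(data); return NULL; }
    bm->w = w; bm->h = h; bm->line = line; bm->data = data;
    return bm;
}

/* Bytes actually backing the bitmap (0 for a rejected allocation). */
size_t bitmap_bytes(const Bitmap *bm) {
    return bm ? (size_t)bm->line * (size_t)bm->h : 0;
}

void bitmap_free(Bitmap *bm) {
    if (bm) { free(bm->data); free(bm); }
}
```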