Your message dated Mon, 25 Mar 2013 21:17:55 +0000
with message-id <e1ukemb-0008qd...@franck.debian.org>
and subject line Bug#702071: fixed in poppler 0.18.4-6
has caused the Debian Bug report #702071,
regarding CVE-2013-1788, CVE-2013-1789 and CVE-2013-1790
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
702071: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702071
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: poppler
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for poppler.
CVE-2013-1788[0]:
invalid memory issues
CVE-2013-1789[1]:
crash in broken documents
CVE-2013-1790[2]:
uninitialized memory read
Patches are referenced in the Red Hat Bugzilla to the relevant commits.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
Could you check which Debian package versions are affected? (not for all
issues, all patches might be relevant). At least for the uninitialized
memory read issue the code seems present in stable.
For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-1788
[1] http://security-tracker.debian.org/tracker/CVE-2013-1789
[2] http://security-tracker.debian.org/tracker/CVE-2013-1790
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 0.18.4-6
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 702...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pino Toscano <p...@debian.org> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 25 Mar 2013 21:43:07 +0100
Source: poppler
Binary: libpoppler19 libpoppler-dev libpoppler-private-dev libpoppler-glib8
libpoppler-glib-dev gir1.2-poppler-0.18 libpoppler-qt4-3 libpoppler-qt4-dev
libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.18.4-6
Distribution: unstable
Urgency: low
Maintainer: Loic Minier <l...@dooz.org>
Changed-By: Pino Toscano <p...@debian.org>
Description:
gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
libpoppler-cpp0 - PDF rendering library (CPP shared library)
libpoppler-dev - PDF rendering library -- development files
libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
libpoppler-glib8 - PDF rendering library (GLib-based shared library)
libpoppler-private-dev - PDF rendering library -- private development files
libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
libpoppler19 - PDF rendering library
poppler-dbg - PDF rendering library -- debugging symbols
poppler-utils - PDF utilities (based on Poppler)
Closes: 702071
Changes:
poppler (0.18.4-6) unstable; urgency=low
.
* Backport upstream commits 0388837f01bc467045164f9ddaff787000a8caaa (patch
upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch),
8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 (adapted patch
upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch), and
e14b6e9c13d35c9bd1e0c50906ace8e707816888 (adapted patch
upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch) to fix
CVE-2013-1788.
* Backport upstream commit b1026b5978c385328f2a15a2185c599a563edf91 to fix
CVE-2013-1790 (patch upstream_Initialize-refLine-totally.patch).
* With the changes above, this upload closes: #702071.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRULnRTNH2piB/L3oRAuHrAJ9Ei8Rgo2L/XpYXBc7l+539iaotxACgghUr
wkZLgAnWT/YdgaZ4qUOk01c=
=TqXO
-----END PGP SIGNATURE-----
--- End Message ---