-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 08 Nov 2020 17:12:52 +0100
Source: poppler
Binary: libpoppler64 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0v5 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source
Version: 0.48.0-2+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Loic Minier <lool@dooz.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0v5 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler64 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Changes:
 poppler (0.48.0-2+deb9u4) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2019-9959: The JPXStream::init function in Poppler doesn't check for
     negative values of stream length, leading to an Integer Overflow, thereby
     making it possible to allocate a large memory chunk on the heap, with a
     size controlled by an attacker, as demonstrated by pdftocairo.
   * CVE-2019-7310: In Poppler, a heap-based buffer over-read (due to an
     integer signedness error in the XRef::getEntry function in XRef.cc)
     allows remote attackers to cause a denial of service (application crash)
     or possibly have unspecified other impact via a crafted PDF document, as
     demonstrated by pdftocairo.
   * CVE-2019-14494: There is a divide-by-zero error in the function
     SplashOutputDev::tilingPatternFill at SplashOutputDev.cc.
   * CVE-2019-10018: There is an FPE in the function PostScriptFunction::exec
     at Function.cc for the psOpIdiv case.
   * CVE-2018-20662: PDFDoc::setup in PDFDoc.cc allows attackers to cause a
     denial-of-service (application crash caused by Object.h SIGABRT, because
     of a wrong return value from PDFDoc::setup) by crafting a PDF file in
     which an xref data structure is mishandled during extractPDFSubtype
     processing.
   * CVE-2018-20650: A reachable Object::dictLookup assertion in Poppler
     allows attackers to cause a denial of service due to the lack of a check
     for the dict data type, as demonstrated by use of the FileSpec class (in
     FileSpec.cc) in pdfdetach.
   * CVE-2018-19058: There is a reachable abort in Object.h, which will lead
     to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream
     check before saving an embedded file.
   * CVE-2017-14928: A NULL Pointer Dereference exists in
     AnnotRichMedia::Configuration::Configuration in Annot.cc via a crafted
     PDF document.
   * CVE-2017-14926: In Poppler 0.59.0, a NULL Pointer Dereference exists in
     AnnotRichMedia::Content::Content in Annot.cc via a crafted PDF document.
Checksums-Sha1:
 6b134fe4590957489146ae13dd8f8a00490fec0c 3559 poppler_0.48.0-2+deb9u4.dsc
 9d4b1952dbcd991cb12fe2f08fa6d83b39629535 48360 poppler_0.48.0-2+deb9u4.debian.tar.xz
 ccfab7899e59098b208ceead7f7add63ee524358 18166 poppler_0.48.0-2+deb9u4_amd64.buildinfo
Checksums-Sha256:
 05ecb7e94c05b63ca9a4fd71d5fa54eecf531292478d1aa654d6491fbc7543d3 3559 poppler_0.48.0-2+deb9u4.dsc
 c20ba2c5b1967c051f1e6acfae1f75aa5440b79c29b06c5bc776bf049f3b5a7f 48360 poppler_0.48.0-2+deb9u4.debian.tar.xz
 1c4c367cffccc87f10e3c6dd5f3572fe2030d2d7b86aedfa4fe8b091bf628f55 18166 poppler_0.48.0-2+deb9u4_amd64.buildinfo
Files:
 788d279f146324e0828a83041d946a64 3559 devel optional poppler_0.48.0-2+deb9u4.dsc
 298ccaa5dcda68659a4e605a87bfead0 48360 devel optional poppler_0.48.0-2+deb9u4.debian.tar.xz
 5b38e905a09ff5d79b468008811c41fa 18166 devel optional poppler_0.48.0-2+deb9u4_amd64.buildinfo