-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 02 May 2009 10:05:02 +0200
Source: xpdf
Binary: xpdf xpdf-common xpdf-reader xpdf-utils
Architecture: source all amd64
Version: 3.02-1.4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: noahm@debian.org
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description:
 xpdf        - Portable Document Format (PDF) suite
 xpdf-common - Portable Document Format (PDF) suite -- common files
 xpdf-reader - Portable Document Format (PDF) suite -- viewer for X11
 xpdf-utils  - Portable Document Format (PDF) suite -- utilities
Closes: 524809
Changes:
 xpdf (3.02-1.4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * This update fixes various security issues (Closes: #524809):
     - CVE-2009-0146: Multiple buffer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2SymbolDict::setBitmap and
       (2) JBIG2Stream::readSymbolDictSeg.
     - CVE-2009-0147: Multiple integer overflows in the JBIG2 decoder in Xpdf
       3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file, related to (1) JBIG2Stream::readSymbolDictSeg,
       (2) JBIG2Stream::readSymbolDictSeg, and
       (3) JBIG2Stream::readGenericBitmap.
     - CVE-2009-0165: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2
       and earlier, as used in Poppler and other products, when running on
       Mac OS X, has unspecified impact, related to "g*allocn."
     - CVE-2009-0166: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, and other products allows remote attackers to cause
       a denial of service (crash) via a crafted PDF file that triggers a
       free of uninitialized memory.
     - CVE-2009-0799: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, Poppler before 0.10.6, and other products allows
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file that triggers an out-of-bounds read.
     - CVE-2009-0800: Multiple "input validation flaws" in the JBIG2 decoder
       in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before
       0.10.6, and other products allow remote attackers to execute arbitrary
       code via a crafted PDF file.
     - CVE-2009-1179: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2
       and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other
       products allows remote attackers to execute arbitrary code via a
       crafted PDF file.
     - CVE-2009-1180: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, Poppler before 0.10.6, and other products allows
       remote attackers to execute arbitrary code via a crafted PDF file that
       triggers a free of invalid data.
     - CVE-2009-1181: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, Poppler before 0.10.6, and other products allows
       remote attackers to cause a denial of service (crash) via a crafted PDF
       file that triggers a NULL pointer dereference.
     - CVE-2009-1182: Multiple buffer overflows in the JBIG2 MMR decoder in
       Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before
       0.10.6, and other products allow remote attackers to execute arbitrary
       code via a crafted PDF file.
     - CVE-2009-1183: The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS
       1.3.9 and earlier, Poppler before 0.10.6, and other products allows
       remote attackers to cause a denial of service (infinite loop and hang)
       via a crafted PDF file.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ/6uyYrVLjBFATsMRAkRuAJ0QPVMMVtXR19JI0HxU56Ip7EjSZgCdHlTj
n8KjZ/uYRucKW6A1d3alBHI=
=c5zQ
-----END PGP SIGNATURE-----


Accepted:
xpdf-common_3.02-1.4+lenny1_all.deb
  to pool/main/x/xpdf/xpdf-common_3.02-1.4+lenny1_all.deb
xpdf-reader_3.02-1.4+lenny1_amd64.deb
  to pool/main/x/xpdf/xpdf-reader_3.02-1.4+lenny1_amd64.deb
xpdf-utils_3.02-1.4+lenny1_amd64.deb
  to pool/main/x/xpdf/xpdf-utils_3.02-1.4+lenny1_amd64.deb
xpdf_3.02-1.4+lenny1.diff.gz
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1.diff.gz
xpdf_3.02-1.4+lenny1.dsc
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1.dsc
xpdf_3.02-1.4+lenny1_all.deb
  to pool/main/x/xpdf/xpdf_3.02-1.4+lenny1_all.deb