Mandriva Linux Security Advisory 2011-175 - Multiple security vulnerabilities has been discovered and corrected in poppler. An out-of-bounds reading flaw in the JBIG2 decoder allows remote attackers to cause a denial of service via a crafted PDF file. Multiple input validation flaws in the JBIG2 decoder allows remote attackers to execute arbitrary code via a crafted PDF file. An integer overflow in the JBIG2 decoder allows remote attackers to execute arbitrary code via a crafted PDF file. Multiple other vulnerabilities have been addressed as well. The updated packages have been patched to correct these issues.
277a0876547aa48a2da60db5935554f4108da58a7024458c326a8a0ae4c37a2e
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:175
http://www.mandriva.com/security/
_______________________________________________________________________
Package : poppler
Date : November 15, 2011
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple security vulnerabilities has been discovered and corrected
in poppler:
An out-of-bounds reading flaw in the JBIG2 decoder allows remote
attackers to cause a denial of service (crash) via a crafted PDF file
(CVE-2009-0799).
Multiple input validation flaws in the JBIG2 decoder allows
remote attackers to execute arbitrary code via a crafted PDF file
(CVE-2009-0800).
An integer overflow in the JBIG2 decoder allows remote attackers to
execute arbitrary code via a crafted PDF file (CVE-2009-1179).
A free of invalid data flaw in the JBIG2 decoder allows remote
attackers to execute arbitrary code via a crafted PDF (CVE-2009-1180).
A NULL pointer dereference flaw in the JBIG2 decoder allows remote
attackers to cause denial of service (crash) via a crafted PDF file
(CVE-2009-1181).
Multiple buffer overflows in the JBIG2 MMR decoder allows remote
attackers to cause denial of service or to execute arbitrary code
via a crafted PDF file (CVE-2009-1182, CVE-2009-1183).
An integer overflow in the JBIG2 decoding feature allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via vectors related to CairoOutputDev (CVE-2009-1187).
An integer overflow in the JBIG2 decoding feature allows remote
attackers to execute arbitrary code or cause a denial of service
(application crash) via a crafted PDF document (CVE-2009-1188).
Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x
before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers
to execute arbitrary code via a crafted PDF document that triggers a
heap-based buffer overflow. NOTE: some of these details are obtained
from third party information. NOTE: this issue reportedly exists
because of an incomplete fix for CVE-2009-1188 (CVE-2009-3603).
The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x
before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF,
does not properly allocate memory, which allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted PDF document that triggers a NULL pointer
dereference or a heap-based buffer overflow (CVE-2009-3604).
Multiple integer overflows allow remote attackers to cause a denial
of service (application crash) or possibly execute arbitrary code
via a crafted PDF file, related to (1) glib/poppler-page.cc; (2)
ArthurOutputDev.cc, (3) CairoOutputDev.cc, (4) GfxState.cc, (5)
JBIG2Stream.cc, (6) PSOutputDev.cc, and (7) SplashOutputDev.cc
in poppler/; and (8) SplashBitmap.cc, (9) Splash.cc, and (10)
SplashFTFont.cc in splash/. NOTE: this may overlap CVE-2009-0791
(CVE-2009-3605).
Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf
before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might
allow remote attackers to execute arbitrary code via a crafted PDF
document that triggers a heap-based buffer overflow (CVE-2009-3606).
Integer overflow in the create_surface_from_thumbnail_data function
in glib/poppler-page.cc allows remote attackers to cause a denial of
service (memory corruption) or possibly execute arbitrary code via a
crafted PDF document that triggers a heap-based buffer overflow. NOTE:
some of these details are obtained from third party information
(CVE-2009-3607).
Integer overflow in the ObjectStream::ObjectStream function in XRef.cc
in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in
GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote
attackers to execute arbitrary code via a crafted PDF document that
triggers a heap-based buffer overflow (CVE-2009-3608).
Integer overflow in the ImageStream::ImageStream function in Stream.cc
in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf,
kdegraphics KPDF, and CUPS pdftops, allows remote attackers to
cause a denial of service (application crash) via a crafted PDF
document that triggers a NULL pointer dereference or buffer over-read
(CVE-2009-3609).
Buffer overflow in the ABWOutputDev::endWord function in
poppler/ABWOutputDev.cc as used by the Abiword pdftoabw utility,
allows user-assisted remote attackers to cause a denial of service and
possibly execute arbitrary code via a crafted PDF file (CVE-2009-3938).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3607
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3938
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
783eaf3485f688288f070f1a9f911c4d mes5/i586/libpoppler3-0.8.7-2.5mdvmes5.2.i586.rpm
bd06380ed4b45d450389d1770276dccc mes5/i586/libpoppler-devel-0.8.7-2.5mdvmes5.2.i586.rpm
e1945537640307b76bcad253ebb73854 mes5/i586/libpoppler-glib3-0.8.7-2.5mdvmes5.2.i586.rpm
ff93afd4e687dfb8062360f7f7bfd347 mes5/i586/libpoppler-glib-devel-0.8.7-2.5mdvmes5.2.i586.rpm
7f7c3ea25304806c37306ed4f27335e8 mes5/i586/libpoppler-qt2-0.8.7-2.5mdvmes5.2.i586.rpm
ef9780095457b8efb52e961720c58052 mes5/i586/libpoppler-qt4-3-0.8.7-2.5mdvmes5.2.i586.rpm
d9080de0f92bb36a34ad010fe2ad2a4c mes5/i586/libpoppler-qt4-devel-0.8.7-2.5mdvmes5.2.i586.rpm
3d9d5d68cfdb63ff2668040fb0fd0e93 mes5/i586/libpoppler-qt-devel-0.8.7-2.5mdvmes5.2.i586.rpm
ff2f445d1e3942039c5f9b326c64b5e3 mes5/i586/poppler-0.8.7-2.5mdvmes5.2.i586.rpm
29cce020068d6ca7a651a273f9cf8595 mes5/SRPMS/poppler-0.8.7-2.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
e534d6c09ebffd8e9a4f85cb35e15947 mes5/x86_64/lib64poppler3-0.8.7-2.5mdvmes5.2.x86_64.rpm
d71984d177742a10af4168adae141357 mes5/x86_64/lib64poppler-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
709c2fb028305c6038da922d4385a44b mes5/x86_64/lib64poppler-glib3-0.8.7-2.5mdvmes5.2.x86_64.rpm
46bf6bf33ab672b333d52078b37e3bf0 mes5/x86_64/lib64poppler-glib-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
bed66c55ec459b0a845ea4f0adf69c6f mes5/x86_64/lib64poppler-qt2-0.8.7-2.5mdvmes5.2.x86_64.rpm
bfdb0391cff52b910302f6c272223393 mes5/x86_64/lib64poppler-qt4-3-0.8.7-2.5mdvmes5.2.x86_64.rpm
6b0ec4b64459cdf517499703ebd21532 mes5/x86_64/lib64poppler-qt4-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
3f7f2f03348fa025df99564e5cf15665 mes5/x86_64/lib64poppler-qt-devel-0.8.7-2.5mdvmes5.2.x86_64.rpm
01bf66ad02b533cf4b6141058df40b62 mes5/x86_64/poppler-0.8.7-2.5mdvmes5.2.x86_64.rpm
29cce020068d6ca7a651a273f9cf8595 mes5/SRPMS/poppler-0.8.7-2.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOwmCOmqjQ0CJFipgRAkA2AJ4idaGL0tc4rVBtwwiVbl27Em6xZwCgrJjl
ar8t2URRRlYmyIxMC/5cgAM=
=5FhG
-----END PGP SIGNATURE-----