-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2008.0685 -- [Debian]
             poppler packages fix execution of arbitrary code
                               10 July 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              poppler
Publisher:            Debian
Operating System:     Debian GNU/Linux 4.0
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Ref:                  ESB-2008.0402

Original Bulletin:    http://www.debian.org/security/2008/dsa-1606

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1606-1                  security@debian.org
http://www.debian.org/security/                               Steve Kemp
July 09, 2008                         http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : poppler
Vulnerability  : programming error
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2008-1693
Debian Bug     : 476842

It was discovered that poppler, a PDF rendering library, did not 
properly handle embedded fonts in PDF files, allowing attackers to
execute arbitrary code via a crafted font object.

For the stable distribution (etch), this problem has been fixed in version
0.4.5-5.1etch3.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.0-1.

We recommend that you upgrade your poppler package.
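
The check below is an added example, not part of the Debian advisory or the AusCERT bulletin: it decides whether an installed poppler version string predates the fixed versions named above, using the Debian version ordering rules (epoch, upstream version, revision, with `~` sorting first). The names `FIXED`, `compare` and `is_vulnerable` are assumptions made for this example.

```python
import re

# Fixed versions stated in the advisory, keyed by distribution.
FIXED = {"etch": "0.4.5-5.1etch3", "sid": "0.8.0-1"}

_TOKEN = re.compile(r"(\D*)(\d*)(.*)", re.S)


def _order(c):
    # '~' sorts before everything, even end of string; letters before other symbols.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        na, da, a = _TOKEN.match(a).groups()
        nb, db, b = _TOKEN.match(b).groups()
        ka = [_order(c) for c in na] + [0]  # trailing 0 marks the end of the run
        kb = [_order(c) for c in nb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        ia, ib = int(da or 0), int(db or 0)  # an empty digit run counts as 0
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _parse(version):
    # [epoch:]upstream[-revision]; epoch ends at the first ':',
    # revision starts after the last '-'.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare(a, b):
    # Returns -1, 0 or 1 as a sorts before, equal to or after b.
    ea, ua, ra = _parse(a)
    eb, ub, rb = _parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_vulnerable(installed, suite="etch"):
    # True when the installed version sorts before the advisory's fixed version.
    return compare(installed, FIXED[suite]) < 0
```

On a live system the installed string can be read with `dpkg-query -W -f='${Version}' libpoppler0c2` and passed to `is_vulnerable`.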


Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/poppler/poppler_0.4.5-5.1etch3.dsc
    Size/MD5 checksum:      757 1560882fd2916cf690dfab5b36caf393
  http://security.debian.org/pool/updates/main/p/poppler/poppler_0.4.5-5.1etch3.diff.gz
    Size/MD5 checksum:   484328 8f9c696fb31d332b65515d263b9b29da
  http://security.debian.org/pool/updates/main/p/poppler/poppler_0.4.5.orig.tar.gz
    Size/MD5 checksum:   783752 2bb1c75aa3f9c42f0ba48b5492e6d32c


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIdPlGwM/Gs81MDZ0RAu1eAKC9rgrnj6V8Fdk6+avR6/cBNTa7JgCgrl1k
XDZxfWQ3WS/oPJn0RZAE7ls=
=T3pa
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSHVonyh9+71yA2DNAQLLcwP/Q8GS5Gbtu0D+6snaUoxJ89MAXLz3tDSW
A6SP/S04qr8wOzJ5X5EJevfow19gnuzrD7AMgc12ueE4oJdnf+Dweycl/gpy+jdS
EE4cypt1HnVeo4rpoyYMt4DnpBpRujKeaY4BJjcfLNtOPGuIM1rxJrzlCeZ/fpqq
JAbQ7OtSpDw=
=pP8q
-----END PGP SIGNATURE-----