11 March 2019
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0746
                    [DLA 1706-1] poppler security update
                               11 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           poppler
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9200 CVE-2019-7310 CVE-2018-20662 CVE-2018-20481
                   CVE-2018-19058
Reference:         ESB-2019.0424

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/03/msg00008.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : poppler
Version        : 0.26.5-2+deb8u8
CVE ID         : CVE-2018-19058 CVE-2018-20481 CVE-2018-20662 CVE-2019-7310
                 CVE-2019-9200
Debian Bug     : 913177 917325 918158 921215 923414

Several security vulnerabilities were discovered in the poppler PDF rendering
shared library.

CVE-2018-19058

    A reachable abort in Object.h will lead to denial-of-service because
    EmbFile::save2 in FileSpec.cc lacks a stream check before saving an
    embedded file.

CVE-2018-20481

    Poppler mishandles unallocated XRef entries, which allows remote
    attackers to cause a denial-of-service (NULL pointer dereference) via a
    crafted PDF document.

CVE-2018-20662

    Poppler allows attackers to cause a denial-of-service (application crash
    and segmentation fault) by crafting a PDF file in which an xref data
    structure is corrupted.

CVE-2019-7310

    A heap-based buffer over-read (due to an integer signedness error in the
    XRef::getEntry function in XRef.cc) allows remote attackers to cause a
    denial of service (application crash) or possibly have unspecified other
    impact via a crafted PDF document.

CVE-2019-9200

    A heap-based buffer underwrite exists in ImageStream::getLine() located
    at Stream.cc that can (for example) be triggered by sending a crafted PDF
    file to the pdfimages binary. It allows an attacker to cause
    denial-of-service (segmentation fault) or possibly have unspecified other
    impact.

For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u8.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
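A version check for this advisory, added here and not part of the bulletin or of Debian's own tooling: it reimplements dpkg's version ordering rules in Python (epoch, upstream, revision; '~' sorts before everything, digit runs compare numerically) and flags installed binaries built from the poppler source package that are older than the fixed 0.26.5-2+deb8u8. The dpkg-query sample and the binary package names in it are constructed.

```python
import re
from itertools import zip_longest

# Added example: checks Debian package versions against the fix named in DLA 1706-1.
# It reimplements dpkg's version ordering rules; the sample dpkg-query output and
# its binary package names are constructed, not taken from the advisory.
FIXED_VERSIONS = {"poppler": "0.26.5-2+deb8u8"}  # source package -> fixed version

def _weight(run):
    """Map a non-digit run to dpkg character weights: '~' sorts before the end of
    the string (0), letters sort by code point, other characters sort after letters."""
    return tuple(-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in run) + (0,)

def _verrevcmp(a, b):
    """Compare upstream-version or revision strings the way dpkg does: alternate
    non-digit runs (compared by weight) and digit runs (compared numerically)."""
    pairs = re.compile(r"(\D*)(\d*)")
    for (na, da), (nb, db) in zip_longest(pairs.findall(a), pairs.findall(b), fillvalue=("", "")):
        wa, wb = _weight(na), _weight(nb)
        if wa != wb:
            return -1 if wa < wb else 1
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b (dpkg rules)."""
    def split(v):  # 'epoch:upstream-revision'; epoch defaults to 0, revision to ''
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def vulnerable_packages(dpkg_output, fixed=FIXED_VERSIONS):
    """Parse lines of the form '<binary> <version> <source package>' (what
    dpkg-query -W -f='${Package} ${Version} ${source:Package}\\n' prints) and
    return (binary, version) for every binary whose source package predates the fix."""
    hits = []
    for parts in (line.split() for line in dpkg_output.splitlines()):
        if len(parts) == 3 and parts[2] in fixed and compare_versions(parts[1], fixed[parts[2]]) < 0:
            hits.append((parts[0], parts[1]))
    return hits

# Constructed dpkg-query output: one poppler binary is still at the previous build.
SAMPLE = "libpoppler46 0.26.5-2+deb8u7 poppler\npoppler-utils 0.26.5-2+deb8u8 poppler\nlibpng12-0 1.2.50-2+deb8u3 libpng\n"
```

Feed it the real output of `dpkg-query -W -f='${Package} ${Version} ${source:Package}\n'` on a Jessie host; anything returned by `vulnerable_packages` still carries a pre-fix build.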
If you do not know who that is, please send an email to
firstname.lastname@example.org and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.