[SECURITY] [DLA 1177-1] poppler security update

2017-11-1818:27:50

lists.debian.org

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

53.1%

JSON

Package : poppler
Version : 0.18.4-6+deb7u4
CVE ID : CVE-2017-14975 CVE-2017-14976 CVE-2017-14977
CVE-2017-15565
Debian Bug : 879066 877952 877954 877957

It was discovered that poppler, a PDF rendering library, was affected
by several denial-of-service (application crash), null pointer
dereferences and heap-based buffer over-read bugs:

CVE-2017-14975
The FoFiType1C::convertToType0 function in FoFiType1C.cc
has a NULL pointer dereference vulnerability because a data structure
is not initialized, which allows an attacker to launch a denial of
service attack.

CVE-2017-14976
The FoFiType1C::convertToType0 function in FoFiType1C.cc
has a heap-based buffer over-read vulnerability if an out-of-bounds
font dictionary index is encountered, which allows an attacker to
launch a denial of service attack.

CVE-2017-14977
The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc
has a NULL pointer dereference vulnerability due to lack of validation
of a table pointer, which allows an attacker to launch a denial of
service attack.

CVE-2017-15565
NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine()
function in GfxState.cc via a crafted PDF document.

For Debian 7 "Wheezy", these problems have been fixed in version
0.18.4-6+deb7u4.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9mipslibpoppler-glib-dev< 0.48.0-2+deb9u1libpoppler-glib-dev_0.48.0-2+deb9u1_mips.deb
Debian7armhflibpoppler-dev< 0.18.4-6+deb7u4libpoppler-dev_0.18.4-6+deb7u4_armhf.deb
Debian7armhflibpoppler-qt4-3< 0.18.4-6+deb7u4libpoppler-qt4-3_0.18.4-6+deb7u4_armhf.deb
Debian9armhflibpoppler-qt4-dev< 0.48.0-2+deb9u1libpoppler-qt4-dev_0.48.0-2+deb9u1_armhf.deb
Debian7allpoppler< 0.18.4-6+deb7u4poppler_0.18.4-6+deb7u4_all.deb
Debian9arm64libpoppler-qt4-4< 0.48.0-2+deb9u1libpoppler-qt4-4_0.48.0-2+deb9u1_arm64.deb
Debian9armhflibpoppler-qt5-1< 0.48.0-2+deb9u1libpoppler-qt5-1_0.48.0-2+deb9u1_armhf.deb
Debian9ppc64elpoppler-utils< 0.48.0-2+deb9u1poppler-utils_0.48.0-2+deb9u1_ppc64el.deb
Debian8amd64gir1.2-poppler-0.18< 0.26.5-2+deb8u2gir1.2-poppler-0.18_0.26.5-2+deb8u2_amd64.deb
Debian8arm64libpoppler-cpp-dev< 0.26.5-2+deb8u2libpoppler-cpp-dev_0.26.5-2+deb8u2_arm64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	mips	libpoppler-glib-dev	< 0.48.0-2+deb9u1	libpoppler-glib-dev_0.48.0-2+deb9u1_mips.deb
Debian	7	armhf	libpoppler-dev	< 0.18.4-6+deb7u4	libpoppler-dev_0.18.4-6+deb7u4_armhf.deb
Debian	7	armhf	libpoppler-qt4-3	< 0.18.4-6+deb7u4	libpoppler-qt4-3_0.18.4-6+deb7u4_armhf.deb
Debian	9	armhf	libpoppler-qt4-dev	< 0.48.0-2+deb9u1	libpoppler-qt4-dev_0.48.0-2+deb9u1_armhf.deb
Debian	7	all	poppler	< 0.18.4-6+deb7u4	poppler_0.18.4-6+deb7u4_all.deb
Debian	9	arm64	libpoppler-qt4-4	< 0.48.0-2+deb9u1	libpoppler-qt4-4_0.48.0-2+deb9u1_arm64.deb
Debian	9	armhf	libpoppler-qt5-1	< 0.48.0-2+deb9u1	libpoppler-qt5-1_0.48.0-2+deb9u1_armhf.deb
Debian	9	ppc64el	poppler-utils	< 0.48.0-2+deb9u1	poppler-utils_0.48.0-2+deb9u1_ppc64el.deb
Debian	8	amd64	gir1.2-poppler-0.18	< 0.26.5-2+deb8u2	gir1.2-poppler-0.18_0.26.5-2+deb8u2_amd64.deb
Debian	8	arm64	libpoppler-cpp-dev	< 0.26.5-2+deb8u2	libpoppler-cpp-dev_0.26.5-2+deb8u2_arm64.deb