[SECURITY] [DLA 1562-2] poppler security update

2018-11-2911:18:48

lists.debian.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.019 Low

EPSS

Percentile

88.5%

JSON

Package : poppler
Version : 0.26.5-2+deb8u6
CVE ID : CVE-2018-16646

A regression issue has been resolved in the poppler PDF rendering
shared library introduced with version 0.26.5-2+deb8u5.

CVE-2018-16646

In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may
cause infinite recursion via a crafted file. A remote attacker can
leverage this for a DoS attack.

The previous solution in Debian LTS fixed the above issue in XRef.cc,
the patches had been obtained from a merge request (#67) on upstream&#x27;s
Git development platform. Unfortunately, this merge request was declined
by upstream and another merge request (#91) got applied instead. The
fix now directly occurs in the Parser.cc file.

This version of poppler now ships the changeset that got favorized by
the poppler upstream developers (MR #91) and drops the patches from
MR #67.

For Debian 8 "Jessie", this problem has been fixed in version
0.26.5-2+deb8u6.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

–

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net

Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian9armhflibpoppler-cpp0v5< 0.48.0-2+deb9u3libpoppler-cpp0v5_0.48.0-2+deb9u3_armhf.deb
Debian9arm64poppler-dbg< 0.48.0-2+deb9u3poppler-dbg_0.48.0-2+deb9u3_arm64.deb
Debian8amd64libpoppler-glib8< 0.26.5-2+deb8u6libpoppler-glib8_0.26.5-2+deb8u6_amd64.deb
Debian8i386poppler-utils< 0.26.5-2+deb8u7poppler-utils_0.26.5-2+deb8u7_i386.deb
Debian8armhflibpoppler-qt5-1< 0.26.5-2+deb8u7libpoppler-qt5-1_0.26.5-2+deb8u7_armhf.deb
Debian8armellibpoppler-glib8< 0.26.5-2+deb8u7libpoppler-glib8_0.26.5-2+deb8u7_armel.deb
Debian8armellibpoppler-qt5-1< 0.26.5-2+deb8u7libpoppler-qt5-1_0.26.5-2+deb8u7_armel.deb
Debian8i386libpoppler-qt4-4< 0.26.5-2+deb8u6libpoppler-qt4-4_0.26.5-2+deb8u6_i386.deb
Debian8armhflibpoppler-qt4-dev< 0.26.5-2+deb8u7libpoppler-qt4-dev_0.26.5-2+deb8u7_armhf.deb
Debian9amd64libpoppler-private-dev< 0.48.0-2+deb9u3libpoppler-private-dev_0.48.0-2+deb9u3_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	armhf	libpoppler-cpp0v5	< 0.48.0-2+deb9u3	libpoppler-cpp0v5_0.48.0-2+deb9u3_armhf.deb
Debian	9	arm64	poppler-dbg	< 0.48.0-2+deb9u3	poppler-dbg_0.48.0-2+deb9u3_arm64.deb
Debian	8	amd64	libpoppler-glib8	< 0.26.5-2+deb8u6	libpoppler-glib8_0.26.5-2+deb8u6_amd64.deb
Debian	8	i386	poppler-utils	< 0.26.5-2+deb8u7	poppler-utils_0.26.5-2+deb8u7_i386.deb
Debian	8	armhf	libpoppler-qt5-1	< 0.26.5-2+deb8u7	libpoppler-qt5-1_0.26.5-2+deb8u7_armhf.deb
Debian	8	armel	libpoppler-glib8	< 0.26.5-2+deb8u7	libpoppler-glib8_0.26.5-2+deb8u7_armel.deb
Debian	8	armel	libpoppler-qt5-1	< 0.26.5-2+deb8u7	libpoppler-qt5-1_0.26.5-2+deb8u7_armel.deb
Debian	8	i386	libpoppler-qt4-4	< 0.26.5-2+deb8u6	libpoppler-qt4-4_0.26.5-2+deb8u6_i386.deb
Debian	8	armhf	libpoppler-qt4-dev	< 0.26.5-2+deb8u7	libpoppler-qt4-dev_0.26.5-2+deb8u7_armhf.deb
Debian	9	amd64	libpoppler-private-dev	< 0.48.0-2+deb9u3	libpoppler-private-dev_0.48.0-2+deb9u3_amd64.deb