Lucene search

DebianDEBIAN:DLA-1562-3:C40FF

HistoryDec 14, 2018 - 9:03 p.m.

[SECURITY] [DLA 1562-3] poppler regression update

2018-12-1421:03:32

lists.debian.org

111

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.019 Low

EPSS

Percentile

88.4%

JSON

Package : poppler
Version : 0.26.5-2+deb8u7
CVE ID : CVE-2018-16646
Debian Bug :

A second regression issue has been resolved in the poppler PDF rendering
shared library this time introduced with version 0.26.5-2+deb8u6 (see
DLA 1562-2).

CVE-2018-16646

In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may
cause infinite recursion via a crafted file. A remote attacker can
leverage this for a DoS attack.

The poppler upstream developers added two more regression fixes on top
of the original fix (upstream merge request #91). These two patches
have now been added to the poppler package in Debian jessie LTS.

For Debian 8 "Jessie", this problem has been fixed in version
0.26.5-2+deb8u7.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

–

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: [email protected], http://sunweavers.net

Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian8armhflibpoppler-cpp-dev< 0.26.5-2+deb8u7libpoppler-cpp-dev_0.26.5-2+deb8u7_armhf.deb
Debian9i386libpoppler-qt4-4< 0.48.0-2+deb9u3libpoppler-qt4-4_0.48.0-2+deb9u3_i386.deb
Debian8amd64libpoppler-glib-dev< 0.26.5-2+deb8u7libpoppler-glib-dev_0.26.5-2+deb8u7_amd64.deb
Debian8armelpoppler-utils< 0.26.5-2+deb8u7poppler-utils_0.26.5-2+deb8u7_armel.deb
Debian9alllibpoppler-glib-doc< 0.48.0-2+deb9u3libpoppler-glib-doc_0.48.0-2+deb9u3_all.deb
Debian9arm64libpoppler64< 0.48.0-2+deb9u3libpoppler64_0.48.0-2+deb9u3_arm64.deb
Debian9armelpoppler-utils< 0.48.0-2+deb9u3poppler-utils_0.48.0-2+deb9u3_armel.deb
Debian9armelgir1.2-poppler-0.18< 0.48.0-2+deb9u3gir1.2-poppler-0.18_0.48.0-2+deb9u3_armel.deb
Debian8armhflibpoppler-private-dev< 0.26.5-2+deb8u7libpoppler-private-dev_0.26.5-2+deb8u7_armhf.deb
Debian9i386gir1.2-poppler-0.18< 0.48.0-2+deb9u3gir1.2-poppler-0.18_0.48.0-2+deb9u3_i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armhf	libpoppler-cpp-dev	< 0.26.5-2+deb8u7	libpoppler-cpp-dev_0.26.5-2+deb8u7_armhf.deb
Debian	9	i386	libpoppler-qt4-4	< 0.48.0-2+deb9u3	libpoppler-qt4-4_0.48.0-2+deb9u3_i386.deb
Debian	8	amd64	libpoppler-glib-dev	< 0.26.5-2+deb8u7	libpoppler-glib-dev_0.26.5-2+deb8u7_amd64.deb
Debian	8	armel	poppler-utils	< 0.26.5-2+deb8u7	poppler-utils_0.26.5-2+deb8u7_armel.deb
Debian	9	all	libpoppler-glib-doc	< 0.48.0-2+deb9u3	libpoppler-glib-doc_0.48.0-2+deb9u3_all.deb
Debian	9	arm64	libpoppler64	< 0.48.0-2+deb9u3	libpoppler64_0.48.0-2+deb9u3_arm64.deb
Debian	9	armel	poppler-utils	< 0.48.0-2+deb9u3	poppler-utils_0.48.0-2+deb9u3_armel.deb
Debian	9	armel	gir1.2-poppler-0.18	< 0.48.0-2+deb9u3	gir1.2-poppler-0.18_0.48.0-2+deb9u3_armel.deb
Debian	8	armhf	libpoppler-private-dev	< 0.26.5-2+deb8u7	libpoppler-private-dev_0.26.5-2+deb8u7_armhf.deb
Debian	9	i386	gir1.2-poppler-0.18	< 0.48.0-2+deb9u3	gir1.2-poppler-0.18_0.48.0-2+deb9u3_i386.deb