[SECURITY] [DLA 1963-1] poppler security update

2019-10-1721:17:50

lists.debian.org

133

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.007 Low

EPSS

Percentile

80.7%

JSON

Package : poppler
Version : 0.26.5-2+deb8u12
CVE ID : CVE-2019-9959 CVE-2019-10871

Two buffer allocation issues were identified in poppler.

CVE-2019-9959

An unexpected negative length value can cause an integer
overflow, which in turn making it possible to allocate a large
memory chunk on the heap with size controlled by an attacker.

CVE-2019-10871

The RGB data are considered CMYK data and hence it reads 4 bytes
instead of 3 bytes at the end of the image. The fixed version
defines SPLASH_CMYK which is the upstream recommended solution.

For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u12.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8armhflibpoppler-dev< 0.26.5-2+deb8u12libpoppler-dev_0.26.5-2+deb8u12_armhf.deb
Debian8armellibpoppler-cpp0< 0.26.5-2+deb8u12libpoppler-cpp0_0.26.5-2+deb8u12_armel.deb
Debian8armellibpoppler-private-dev< 0.26.5-2+deb8u12libpoppler-private-dev_0.26.5-2+deb8u12_armel.deb
Debian8i386libpoppler-cpp0< 0.26.5-2+deb8u12libpoppler-cpp0_0.26.5-2+deb8u12_i386.deb
Debian8allpoppler< 0.26.5-2+deb8u12poppler_0.26.5-2+deb8u12_all.deb
Debian8amd64libpoppler-private-dev< 0.26.5-2+deb8u12libpoppler-private-dev_0.26.5-2+deb8u12_amd64.deb
Debian8amd64libpoppler-qt4-4< 0.26.5-2+deb8u12libpoppler-qt4-4_0.26.5-2+deb8u12_amd64.deb
Debian8armhflibpoppler-qt4-4< 0.26.5-2+deb8u12libpoppler-qt4-4_0.26.5-2+deb8u12_armhf.deb
Debian8i386poppler-dbg< 0.26.5-2+deb8u12poppler-dbg_0.26.5-2+deb8u12_i386.deb
Debian8amd64libpoppler-qt4-dev< 0.26.5-2+deb8u12libpoppler-qt4-dev_0.26.5-2+deb8u12_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armhf	libpoppler-dev	< 0.26.5-2+deb8u12	libpoppler-dev_0.26.5-2+deb8u12_armhf.deb
Debian	8	armel	libpoppler-cpp0	< 0.26.5-2+deb8u12	libpoppler-cpp0_0.26.5-2+deb8u12_armel.deb
Debian	8	armel	libpoppler-private-dev	< 0.26.5-2+deb8u12	libpoppler-private-dev_0.26.5-2+deb8u12_armel.deb
Debian	8	i386	libpoppler-cpp0	< 0.26.5-2+deb8u12	libpoppler-cpp0_0.26.5-2+deb8u12_i386.deb
Debian	8	all	poppler	< 0.26.5-2+deb8u12	poppler_0.26.5-2+deb8u12_all.deb
Debian	8	amd64	libpoppler-private-dev	< 0.26.5-2+deb8u12	libpoppler-private-dev_0.26.5-2+deb8u12_amd64.deb
Debian	8	amd64	libpoppler-qt4-4	< 0.26.5-2+deb8u12	libpoppler-qt4-4_0.26.5-2+deb8u12_amd64.deb
Debian	8	armhf	libpoppler-qt4-4	< 0.26.5-2+deb8u12	libpoppler-qt4-4_0.26.5-2+deb8u12_armhf.deb
Debian	8	i386	poppler-dbg	< 0.26.5-2+deb8u12	poppler-dbg_0.26.5-2+deb8u12_i386.deb
Debian	8	amd64	libpoppler-qt4-dev	< 0.26.5-2+deb8u12	libpoppler-qt4-dev_0.26.5-2+deb8u12_amd64.deb