Change logs for poppler source package in Intrepid

  • poppler (0.8.7-1ubuntu0.5) intrepid-security; urgency=low
    
      * SECURITY UPDATE: segfault in Okular with security update (LP: #457985)
        - debian/patches/65_security_CVE-2009-3605.patch: update patch to use
          gmallocn_checkoverflow in splash/SplashFTFont.cc, as bitmap->h can
          be 0 and this was causing a regression with Okular.
        - CVE-2009-3605
    
     -- Marc Deslauriers <email address hidden>   Thu, 22 Oct 2009 10:11:49 -0400
  • poppler (0.8.7-1ubuntu0.4) intrepid-security; urgency=low
    
      * SECURITY UPDATE: denial of service or arbitrary code execution via
        unsafe malloc usage
        - debian/patches/65_security_CVE-2009-3605.patch: introduce gmallocn3
          in goo/gmem.{cc,h} and replace malloc calls with safe versions in
          glib/poppler-page.cc, poppler/{ArthurOutputDev,CairoOutputDev,
          GfxState,JBIG2Stream,PSOutputDev,SplashOutputDev}.cc,
          splash/{SplashBitmap,Splash,SplashFTFont}.cc.
        - CVE-2009-3605
      * SECURITY UPDATE: denial of service via invalid Form Opt entry
        (LP: #321764)
        - debian/patches/66_security_CVE-2009-0755.patch: handle invalid Opt
          entry gracefully in poppler/Form.cc.
        - CVE-2009-0755
      * SECURITY UPDATE: denial of service or arbitrary code execution via
        overflow in rowSize computation
        - debian/patches/67_security_CVE-2009-360x.patch: make sure width value
          is sane in splash/SplashBitmap.cc.
        - CVE-2009-3603
      * SECURITY UPDATE: denial of service or arbitrary code execution via
        overflow in pixel buffer size calculation
        - debian/patches/67_security_CVE-2009-360x.patch: make sure yp value
          is sane in splash/Splash.cc, splash/SplashErrorCodes.h.
        - CVE-2009-3604
      * SECURITY UPDATE: denial of service or arbitrary code execution via
        overflow in object stream handling
        - debian/patches/67_security_CVE-2009-360x.patch: limit number of
          nObjects in poppler/XRef.cc.
        - CVE-2009-3608
      * SECURITY UPDATE: denial of service or arbitrary code execution via
        integer overflow in ImageStream::ImageStream
        - debian/patches/67_security_CVE-2009-360x.patch: check size of width
          and nComps in poppler/Stream.cc.
        - CVE-2009-3609
      * SECURITY UPDATE: denial of service or arbitrary code execution via
        overflow in create_surface_from_thumbnail_data
        - debian/patches/68_security_CVE-2009-3607.patch: eliminate g_malloc in
          glib/poppler-page.cc.
        - CVE-2009-3607
    
     -- Marc Deslauriers <email address hidden>   Tue, 20 Oct 2009 09:23:31 -0400
  • poppler (0.8.7-1ubuntu0.2) intrepid-security; urgency=low
    
      * SECURITY UPDATE: denial of service and possible code execution from
        multiple integer overflows, buffer overflows, and other issues with
        JBIG2 decoding.
        - debian/patches/64_security_jbig2.patch: prevent integer overflow in
          poppler/CairoOutputDev.cc and splash/SplashBitmap.cc, add overflow
          checking, improve error handling, and fix other issues in
          poppler/JBIG2Stream.*.
        - CVE-2009-0146
        - CVE-2009-0147
        - CVE-2009-0166
        - CVE-2009-0799
        - CVE-2009-0800
        - CVE-2009-1179
        - CVE-2009-1180
        - CVE-2009-1181
        - CVE-2009-1182
        - CVE-2009-1183
    
     -- Marc Deslauriers <email address hidden>   Thu, 09 Apr 2009 08:37:29 -0400
  • poppler (0.8.7-1ubuntu0.1) intrepid-proposed; urgency=low
    
      * debian/patches/63_do-not-make-ps-arrays-bigger-than-64k-from-big-images-in-patterns.patch:
        pdftops produced wrong PostScript when a large image is in a pattern in
        the input file (LP: #311982, Upstream bugs #18908 and #19368).
    
     -- Till Kamppeter <email address hidden>   Fri,  2 Jan 2009 14:26:55 +0100
  • poppler (0.8.7-1) unstable; urgency=low
    
      * Bump up Standards-Version to 3.8.0.
      * New patch, 61_manpages-hyphens, fixes escaping of hyphens in man pages;
        FreeDesktop #17225.
      * New patch, 62_pdftops-mandatory-arg, fixes synopsis of pdftops in man page
        to clarify that a PDF file is required in all cases; FreeDesktop #17226;
        closes: #491816.
      * Build-dep on cdbs (>= 0.4.52) and add a lintian override with rationale
        for the following lintian warning:
        W: poppler-dbg: dbg-package-missing-depends poppler
      * Add xrefs and CVE for #489756 in 0.8.5-1 as I didn't merge the 0.8.4-1.1
        NMU.
      * New upstream release; no API change, bug fixes.
    
     -- Loïc Minier <email address hidden>   Thu,  11 Sep 2008 08:31:43 +0100
  • poppler (0.8.6-1) unstable; urgency=low
    
      * Fix /usr/share/gtk-doc/html/poppler symlink to point at
        /usr/share/doc/libpoppler-glib-dev/html/poppler instead of
        /usr/share/doc/libpoppler-glib-dev/html; LP: #226677.
      * New upstream stable release; bug fixes, no API change.
      * New patch, 60_manpages-cfg-flag, drop unimplemented -cfg flag from man
        pages; FreeDesktop #17222; closes: #461961.
      * Rename patch 001_jpxstream_int_crash to 10_jpxstream_int_crash as we don't
        have that many patches; also add upstream bug id (FreeDesktop #5667) and
        refresh to apply cleanly.
      * Build-dep on pkg-config >= 0.18 to make sure -lpoppler is only in
        poppler-qt's Libs.private (it already is though); closes: #360595.
    
     -- Sebastien Bacher <email address hidden>   Thu,  21 Aug 2008 12:06:40 +0100
  • poppler (0.8.5-1) unstable; urgency=low
    
      * New upstream release; no API changes, misc fixes.
    
     -- Sebastien Bacher <email address hidden>   Thu,  31 Jul 2008 15:30:55 +0100
  • poppler (0.8.4-1.1) unstable; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Fix missing pageWidgets object initialization that could lead to arbitrary
        code execution by a crafted PDF file when the Page destructor deletes
        the object which has not been initialized before
        (CVE-2008-2950.patch; Closes: #489756).
    
     -- Sebastien Bacher <email address hidden>   Thu,  17 Jul 2008 16:59:48 +0100
  • poppler (0.8.4-1) unstable; urgency=low
    
      * New upstream release; no API change.
        - Fixes crash when reloading PDFs; GNOME #536482; closes: 484160.
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  04 Jul 2008 08:44:38 +0100
  • poppler (0.8.3-1) unstable; urgency=low
    
      * New upstream release. Closes: #487214.
        + Fix crasher with some PDF files. Closes: #484224.
    
     -- Jonathan Riddell <email address hidden>   Wed,  25 Jun 2008 18:38:19 +0100
  • poppler (0.8.2-2) unstable; urgency=low
    
      * Upload to unstable.
      * Set myself as Maintainer instead of Uploader, taking over from Ondřej Surý
        but I wish we move to an official team; closes: #481323.
    
    poppler (0.8.2-1) experimental; urgency=low
    
      * New upstream releases.
        - Drop patch 006_pthreads_ldflags, upstream now calls ACX_PTHREAD() in
          configure.ac which does the right thing.
        - Drop patch 102_embedded-font-fixes, merged upstream.
    
    poppler (0.8.0-1) experimental; urgency=low
    
      * Bump libcairo2-dev build-dep and dep to >= 1.4; thanks
        Marc 'HE' Brockschmidt.
      * New upstream stable release, with ABI and API changes; closes: #476323.
        - Rename libpoppler2 to libpoppler3, libpoppler-glib2 to libpoppler-glib3,
          and libpoppler-qt4-2 to libpoppler-qt4-3; NB: libpoppler-qt2 not
          renamed; update control, DEB_DH_MAKESHLIBS_ARGS_* in rules, rename
          install files.
        - Drop shlib version except for libpoppler-qt2.
        - Update patch 006_pthreads_ldflags for the version-info changes in
          poppler/Makefile.am.
        - Force usage of qt4's moc via a PATH setting; export PATH.
      * Let libpoppler-glib-dev depend on libglib2.0-dev >= 2.6 for consistency
        with build-deps.
      * New patch, 102_embedded-font-fixes; protects the methods of the Object
        class to be more robust and prevent things like CVE-2008-1693; see also
        FreeDesktop/Poppler #11392; taken from the Ubuntu package;
        closes: #476842.
      * Add a poppler-dbg package; closes: #408403.
        - Bump up cdbs build-dep to >= 0.4.51 for -dbg handling fixes.
        - Add poppler-dbg to control.
    
     -- Jonathan Riddell <email address hidden>   Wed,  28 May 2008 15:32:49 +0100
  • poppler (0.6.4-1ubuntu1) hardy; urgency=low
    
      * SECURITY UPDATE: arbitrary code execution via malicious embedded fonts.
      * debian/patches/102_embedded-font-fixes.patch: stronger type-checking.
      * References
        CVE-2008-1693
    
     -- Kees Cook <email address hidden>   Tue, 15 Apr 2008 13:04:21 -0700