[ubuntu/lucid] xpdf 3.02-1.4+lenny1ubuntu1 (Accepted)

Ilya Barygin barygin at gmail.com
Wed Jan 20 19:35:21 GMT 2010


xpdf (3.02-1.4+lenny1ubuntu1) lucid; urgency=low

  * Merge from Debian unstable, remaining changes:
    - patch 09_xpdfrc_manpage.dpatch for xpdfrc.5
    - debian/control: modified build-depends on an obsolete package (x-dev)
    - do-not-make-ps-arrays-bigger-than-64k-from-big-images-in-patterns.dpatch:
      pdftops produced wrong PostScript when a large image is in a
      pattern in the input file
  * Remove lesstif2 build hack. Patches 40_lesstif_copy.dpatch and
    41_lesstif_cpp.dpatch are dropped, configure parameter is changed to
    --with-Xm-includes=/usr/include/Xm, build dependency on lesstif2-dev
    is versioned. This fixes FTBFS. Patch from BTS 458763, thanks to
    Moritz Muehlenhoff.

xpdf (3.02-1.4+lenny1) stable-security; urgency=high

  * Non-maintainer upload.
  * This update fixes various security issues (Closes: #524809):
    - CVE-2009-0146: Multiple buffer overflows in the JBIG2 decoder in Xpdf
      3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
      remote attackers to cause a denial of service (crash) via a crafted PDF
      file, related to (1) JBIG2SymbolDict::setBitmap and (2)
      JBIG2Stream::readSymbolDictSeg.
    - CVE-2009-0147: Multiple integer overflows in the JBIG2 decoder in Xpdf
      3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
      remote attackers to cause a denial of service (crash) via a crafted PDF
      file, related to (1) JBIG2Stream::readSymbolDictSeg, (2)
      JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.
    - CVE-2009-0165: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
      earlier, as used in Poppler and other products, when running on Mac OS X,
      has unspecified impact, related to "g*allocn."
    - CVE-2009-0166: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
      and earlier, and other products allows remote attackers to cause a denial
      of service (crash) via a crafted PDF file that triggers a free of
      uninitialized memory.
    - CVE-2009-0799: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
      and earlier, Poppler before 0.10.6, and other products allows remote
      attackers to cause a denial of service (crash) via a crafted PDF file
      that triggers an out-of-bounds read.
    - CVE-2009-0800: Multiple "input validation flaws" in the JBIG2 decoder in
      Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6,
      and other products allow remote attackers to execute arbitrary code via
      a crafted PDF file.
    - CVE-2009-1179: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
      earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
      allows remote attackers to execute arbitrary code via a crafted PDF file.
    - CVE-2009-1180: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
      and earlier, Poppler before 0.10.6, and other products allows remote
      attackers to execute arbitrary code via a crafted PDF file that triggers
      a free of invalid data.
    - CVE-2009-1181: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
      and earlier, Poppler before 0.10.6, and other products allows remote
      attackers to cause a denial of service (crash) via a crafted PDF file that
      triggers a NULL pointer dereference.
    - CVE-2009-1182: Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf
      3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
      other products allow remote attackers to execute arbitrary code via a
      crafted PDF file.
    - CVE-2009-1183: The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS
      1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote
      attackers to cause a denial of service (infinite loop and hang) via a
      crafted PDF file.

Date: Wed, 20 Jan 2010 22:07:02 +0300
Changed-By: Ilya Barygin <barygin at gmail.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/lucid/+source/xpdf/3.02-1.4+lenny1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 20 Jan 2010 22:07:02 +0300
Source: xpdf
Binary: xpdf xpdf-common xpdf-reader xpdf-utils
Architecture: source
Version: 3.02-1.4+lenny1ubuntu1
Distribution: lucid
Urgency: high
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ilya Barygin <barygin at gmail.com>
Description: 
 xpdf       - Portable Document Format (PDF) suite
 xpdf-common - Portable Document Format (PDF) suite -- common files
 xpdf-reader - Portable Document Format (PDF) suite -- viewer for X11
 xpdf-utils - Portable Document Format (PDF) suite -- utilities
Closes: 524809
Checksums-Sha1: 
 c45e28dbfb0d82f7531a4d0173f04d8061a6d6d3 1702 xpdf_3.02-1.4+lenny1ubuntu1.dsc
 798b2767e453935c7f54694dc3f09a698a679d16 44890 xpdf_3.02-1.4+lenny1ubuntu1.diff.gz
Checksums-Sha256: 
 28d8a394c688257e25674d66d3b8c8f510ff43cdcfe317d9ffe544efc32b5514 1702 xpdf_3.02-1.4+lenny1ubuntu1.dsc
 45375dedd79cc7d6c99b67b9d0d8fbfdaf34895d3e1be66b5f2b0ef4f9367f7f 44890 xpdf_3.02-1.4+lenny1ubuntu1.diff.gz
Files: 
 41b790a89d4d7caffec2062a9b11da85 1702 text optional xpdf_3.02-1.4+lenny1ubuntu1.dsc
 ddfa792475a927de732b9595e340a585 44890 text optional xpdf_3.02-1.4+lenny1ubuntu1.diff.gz
Original-Maintainer: Hamish Moffatt <hamish at debian.org>
