
poppler / CVE-2019-9959



Proposed patch:

diff -Nru poppler-0.26.5/debian/changelog poppler-0.26.5/debian/changelog
--- poppler-0.26.5/debian/changelog	2019-09-27 03:13:02.000000000 +1000
+++ poppler-0.26.5/debian/changelog	2019-10-14 17:24:52.000000000 +1100
@@ -1,3 +1,13 @@
+poppler (0.26.5-2+deb8u12) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-9959
+    JPXStream::init function doesn't check for negative values of
+    stream length, leading to an Integer Overflow, leading to large
+    memory request causing DOS.
+
+ -- Brian May <bam@debian.org>  Mon, 14 Oct 2019 17:24:52 +1100
+
 poppler (0.26.5-2+deb8u11) jessie-security; urgency=medium
 
   * Non-maintainer upload by the LTS Team. 
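Review bot: The new changelog entry describes the flaw but not the change made: it names neither the patch file nor an upstream reference. Suggest adding a line such as "Add CVE-2019-9959.patch: JPXStream::init: ignore dict Length if clearly broken (upstream commit 68ef84e5968a, issue #805)" so the entry records what the upload does. The entry also says only negative values are unchecked, while the condition added in this upload is `oLen.getInt() > 0`, which rejects zero as well; "non-positive" would match the code.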
diff -Nru poppler-0.26.5/debian/patches/CVE-2019-9959.patch poppler-0.26.5/debian/patches/CVE-2019-9959.patch
--- poppler-0.26.5/debian/patches/CVE-2019-9959.patch	1970-01-01 10:00:00.000000000 +1000
+++ poppler-0.26.5/debian/patches/CVE-2019-9959.patch	2019-10-14 17:19:03.000000000 +1100
@@ -0,0 +1,21 @@
+From 68ef84e5968a4249c2162b839ca6d7975048a557 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 15 Jul 2019 23:24:22 +0200
+Subject: [PATCH] JPXStream::init: ignore dict Length if clearly broken
+
+Fixes issue #805
+---
+ poppler/JPEG2000Stream.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -72,7 +72,7 @@
+   if (getDict()) getDict()->lookup("Length", &oLen);
+ 
+   int bufSize = BUFFER_INITIAL_SIZE;
+-  if (oLen.isInt()) bufSize = oLen.getInt();
++  if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
+   oLen.free();
+ 
+   
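Review bot: In the JPEG2000Stream.cc hunk, `oLen.isInt() && oLen.getInt() > 0` sets only a lower bound, so a very large positive Length from the dict is still copied into bufSize unchanged. The lines shown do not include the code that consumes bufSize, so it is worth confirming that what follows copes with an oversized value, or capping it at this point. Smaller points: the patch header gives "Fixes issue #805" without a tracker URL, and a DEP-3 Origin field pointing at the upstream commit would make the backport easier to audit.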
diff -Nru poppler-0.26.5/debian/patches/series poppler-0.26.5/debian/patches/series
--- poppler-0.26.5/debian/patches/series	2019-09-27 03:13:02.000000000 +1000
+++ poppler-0.26.5/debian/patches/series	2019-10-14 17:17:34.000000000 +1100
@@ -40,3 +40,4 @@
 CVE-2018-21009.patch
 CVE-2019-12493.patch
 CVE-2018-20650.patch
+CVE-2019-9959.patch

-- 
Brian May <bam@debian.org>

