--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi,
I just uploaded poppler/0.18.4-6 fixing CVE-2013-1788 and CVE-2013-1790
(#702071). Could you please unblock it?
(Also, I noticed during the upload that I had left urgency=low; maybe
it is worth urgency=medium.)
unblock poppler/0.18.4-6
Thanks,
--
Pino
diff -Nru poppler-0.18.4/debian/changelog poppler-0.18.4/debian/changelog
--- poppler-0.18.4/debian/changelog 2013-01-31 15:20:54.000000000 +0100
+++ poppler-0.18.4/debian/changelog 2013-03-25 21:43:14.000000000 +0100
@@ -1,3 +1,18 @@
+poppler (0.18.4-6) unstable; urgency=low
+
+ * Backport upstream commits 0388837f01bc467045164f9ddaff787000a8caaa (patch
+ upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch),
+ 8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 (adapted patch
+ upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch), and
+ e14b6e9c13d35c9bd1e0c50906ace8e707816888 (adapted patch
+ upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch) to fix
+ CVE-2013-1788.
+ * Backport upstream commit b1026b5978c385328f2a15a2185c599a563edf91 to fix
+ CVE-2013-1790 (patch upstream_Initialize-refLine-totally.patch).
+ * With the changes above, this upload closes: #702071.
+
+ -- Pino Toscano <pino@debian.org> Mon, 25 Mar 2013 21:43:07 +0100
+
poppler (0.18.4-5) unstable; urgency=low
* Correctly initialize PSOutputDev::fontFileNameLen and
diff -Nru poppler-0.18.4/debian/patches/series poppler-0.18.4/debian/patches/series
--- poppler-0.18.4/debian/patches/series 2013-01-31 13:58:17.000000000 +0100
+++ poppler-0.18.4/debian/patches/series 2013-03-23 07:48:04.000000000 +0100
@@ -4,3 +4,7 @@
upstream_Change-nnnnnn-to-number.patch
upstream_fix-GooString-insert.diff
psoutputdev-initialize-vars.diff
+upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch
+upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch
+upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch
+upstream_Initialize-refLine-totally.patch
diff -Nru poppler-0.18.4/debian/patches/upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch poppler-0.18.4/debian/patches/upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch
--- poppler-0.18.4/debian/patches/upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch 1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.18.4/debian/patches/upstream_Fix-another-invalid-memory-access-in-1091.pdf.asan.7.patch 2013-03-23 07:48:04.000000000 +0100
@@ -0,0 +1,40 @@
+From 0388837f01bc467045164f9ddaff787000a8caaa Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 10 Jan 2013 20:29:06 +0100
+Subject: [PATCH] Fix another invalid memory access in 1091.pdf.asan.72.42
+
+---
+ poppler/Stream.cc | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/poppler/Stream.cc b/poppler/Stream.cc
+index d118ddd..4cb3326 100644
+--- a/poppler/Stream.cc
++++ b/poppler/Stream.cc
+@@ -2132,7 +2132,8 @@ GBool CCITTFaxStream::isBinary(GBool last) {
+
+ // clip [-256,511] --> [0,255]
+ #define dctClipOffset 256
+-static Guchar dctClip[768];
++#define dctClipLength 768
++static Guchar dctClip[dctClipLength];
+ static int dctClipInit = 0;
+
+ // zig zag decode map
+@@ -3078,7 +3079,12 @@ void DCTStream::transformDataUnit(Gushort *quantTable,
+
+ // convert to 8-bit integers
+ for (i = 0; i < 64; ++i) {
+- dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
++ const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
++ if (unlikely(ix < 0 || ix >= dctClipLength)) {
++ dataOut[i] = 0;
++ } else {
++ dataOut[i] = dctClip[ix];
++ }
+ }
+ }
+
+--
+1.7.10.4
+
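Review bot: In the Stream.cc patch, the new failure branch in DCTStream::transformDataUnit writes 0 for every out-of-range `ix`, so an index past the top of the table yields 0 rather than saturating the way the table's comment `clip [-256,511] --> [0,255]` suggests in-range values do. The bounds check itself prevents the out-of-bounds read of `dctClip`; clamping in the failure branch, e.g. `dataOut[i] = ix < 0 ? 0 : 255;`, would keep the output consistent with the clip table. A short comment such as `// ix is derived from decoded image data and can fall outside dctClip for malformed streams` would also record why the check exists. The function body starts outside the hunk.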
diff -Nru poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch
--- poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch 1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-1150.pdf.asan.8.69.patch 2013-03-23 07:48:04.000000000 +0100
@@ -0,0 +1,27 @@
+From 8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 10 Jan 2013 22:31:52 +0100
+Subject: [PATCH] Fix invalid memory access in 1150.pdf.asan.8.69
+
+---
+ splash/Splash.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/splash/Splash.cc
++++ b/splash/Splash.cc
+@@ -1521,11 +1521,14 @@ SplashPath *Splash::makeDashedPath(Splas
+ lineDashStartPhase -= (SplashCoord)i * lineDashTotal;
+ lineDashStartOn = gTrue;
+ lineDashStartIdx = 0;
+- while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
++ while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+ lineDashStartOn = !lineDashStartOn;
+ lineDashStartPhase -= state->lineDash[lineDashStartIdx];
+ ++lineDashStartIdx;
+ }
++ if (unlikely(lineDashStartIdx == state->lineDashLength)) {
++ return new SplashPath();
++ }
+
+ dPath = new SplashPath();
+
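Review bot: The early return added after the loop in Splash::makeDashedPath carries no comment saying when `lineDashStartIdx` can reach `state->lineDashLength`, which is not obvious because the phase appears to have just been reduced by a multiple of `lineDashTotal`. Presumably this happens with a degenerate dash array from a malformed document or through floating-point rounding; a comment like `// phase never dropped below a dash entry (degenerate dash array): return an empty path instead of indexing past lineDash` would make the guard's purpose clear. Callers now receive an empty SplashPath in that case, so it is worth confirming that they tolerate a path with no points; they are not visible here. The function body starts and ends outside the hunk.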
diff -Nru poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch
--- poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch 1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.18.4/debian/patches/upstream_Fix-invalid-memory-access-in-2030.pdf.asan.69.463.patch 2013-03-23 07:48:04.000000000 +0100
@@ -0,0 +1,31 @@
+From e14b6e9c13d35c9bd1e0c50906ace8e707816888 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 10 Jan 2013 20:52:02 +0100
+Subject: [PATCH] Fix invalid memory access in 2030.pdf.asan.69.463
+
+---
+ poppler/Function.cc | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/poppler/Function.cc
++++ b/poppler/Function.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2006 Jeff Muizelaar <jeff@infidigm.net>
+ // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
+ // Copyright (C) 2011 Andrea Canciani <ranma42@gmail.com>
+@@ -1002,6 +1002,10 @@ void PSStack::copy(int n) {
+ error(-1, "Stack underflow in PostScript function");
+ return;
+ }
++ if (unlikely(sp - n > psStackSize)) {
++ error(-1, "Stack underflow in PostScript function");
++ return;
++ }
+ if (!checkOverflow(n)) {
+ return;
+ }
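Review bot: The new guard in PSStack::copy evaluates `sp - n` in plain int arithmetic, so a sufficiently negative `n` could overflow before the comparison is made. If `n` is taken from the PostScript function being evaluated (the caller is not visible here), rejecting negative counts explicitly is more robust: `if (unlikely(n < 0 || sp - n > psStackSize)) {`. The error text is also copied from the check above it, so a log cannot tell the two failures apart; a distinct message such as `"Invalid copy count in PostScript function"` would help triage. The condition of the preceding check and the rest of the function lie outside the hunk.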
diff -Nru poppler-0.18.4/debian/patches/upstream_Initialize-refLine-totally.patch poppler-0.18.4/debian/patches/upstream_Initialize-refLine-totally.patch
--- poppler-0.18.4/debian/patches/upstream_Initialize-refLine-totally.patch 1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.18.4/debian/patches/upstream_Initialize-refLine-totally.patch 2013-03-23 07:48:04.000000000 +0100
@@ -0,0 +1,24 @@
+From b1026b5978c385328f2a15a2185c599a563edf91 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 9 Jan 2013 22:17:09 +0100
+Subject: [PATCH] Initialize refLine totally
+
+Fixes uninitialized memory read in 1004.pdf.asan.7.3
+---
+ poppler/Stream.cc | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/poppler/Stream.cc
++++ b/poppler/Stream.cc
+@@ -1595,8 +1595,9 @@ int CCITTFaxStream::lookChar() {
+ for (i = 0; codingLine[i] < columns; ++i) {
+ refLine[i] = codingLine[i];
+ }
+- refLine[i++] = columns;
+- refLine[i] = columns;
++ for (; i < columns + 2; ++i) {
++ refLine[i] = columns;
++ }
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
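Review bot: The replacement loop in CCITTFaxStream::lookChar writes `refLine[i]` for every index up to `columns + 1`, which is only safe if `refLine` holds at least `columns + 2` entries. The allocation is outside this hunk, so that size should be confirmed and the coupling recorded next to the loop. A comment such as `// fill the rest of refLine (columns + 2 entries) so later reads never see uninitialized values` would tie the bound to the buffer size. The function body starts and ends outside the hunk.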
--- End Message ---