Bug#822616: marked as done (jessie-pu: package poppler/0.26.5-2+deb8u1)

To: Julien Cristau <jcristau@debian.org>
Subject: Bug#822616: marked as done (jessie-pu: package poppler/0.26.5-2+deb8u1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 27 Apr 2016 09:33:05 +0000
Message-id: <[🔎] handler.822616.D822616.146174935921837.ackdone@bugs.debian.org>
References: <20160427092915.GH2718@betterave.cristau.org> <[🔎] 146160456284.31594.5713324907489901406.reportbug@drak>

Your message dated Wed, 27 Apr 2016 11:29:15 +0200
with message-id <20160427092915.GH2718@betterave.cristau.org>
and subject line Re: Bug#822616: jessie-pu: package poppler/0.26.5-2+deb8u1
has caused the Debian Bug report #822616,
regarding jessie-pu: package poppler/0.26.5-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
822616: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=822616
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jessie-pu: package poppler/0.26.5-2+deb8u1
From: Pino Toscano <pino@debian.org>
Date: Mon, 25 Apr 2016 19:16:02 +0200
Message-id: <[🔎] 146160456284.31594.5713324907489901406.reportbug@drak>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

simple jessie-pu for poppler, just fixed in unstable, which fixes
CVE-2015-8868; attached debdiff.

I guess I need to do binary uploads in (old-)stable, right?

Thanks,
-- 
Pino

diff -Nru poppler-0.26.5/debian/changelog poppler-0.26.5/debian/changelog
--- poppler-0.26.5/debian/changelog	2014-10-19 18:24:18.000000000 +0200
+++ poppler-0.26.5/debian/changelog	2016-04-25 19:02:20.000000000 +0200
@@ -1,3 +1,11 @@
+poppler (0.26.5-2+deb8u1) stable; urgency=medium
+
+  * Backport upstream commit b3425dd3261679958cd56c0f71995c15d2124433 to fix
+    a crash on invalid files, reported also as CVE-2015-8868; patch
+    upstream_Do-not-crash-on-invalid-files.patch. (Closes: #822578)
+
+ -- Pino Toscano <pino@debian.org>  Mon, 25 Apr 2016 19:02:11 +0200
+
 poppler (0.26.5-2) unstable; urgency=medium
 
   * Backport upstream commit 01723aa17e836e818158dbdc56df642a290be300 to map
diff -Nru poppler-0.26.5/debian/patches/series poppler-0.26.5/debian/patches/series
--- poppler-0.26.5/debian/patches/series	2014-10-19 17:45:40.000000000 +0200
+++ poppler-0.26.5/debian/patches/series	2016-04-25 18:39:35.000000000 +0200
@@ -1,2 +1,3 @@
 upstream_Map-Standard-Expert-encoding-ligatures-to-AGLFN-name.patch
 qt-visibility.diff
+upstream_Do-not-crash-on-invalid-files.patch
diff -Nru poppler-0.26.5/debian/patches/upstream_Do-not-crash-on-invalid-files.patch poppler-0.26.5/debian/patches/upstream_Do-not-crash-on-invalid-files.patch
--- poppler-0.26.5/debian/patches/upstream_Do-not-crash-on-invalid-files.patch	1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.26.5/debian/patches/upstream_Do-not-crash-on-invalid-files.patch	2016-04-25 18:39:35.000000000 +0200
@@ -0,0 +1,28 @@
+From b3425dd3261679958cd56c0f71995c15d2124433 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 22 Dec 2015 22:50:33 +0100
+Subject: [PATCH] Do not crash on invalid files
+
+Bug #93476
+---
+ poppler/Function.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/poppler/Function.cc b/poppler/Function.cc
+index 67283df..ee5afc1 100644
+--- a/poppler/Function.cc
++++ b/poppler/Function.cc
+@@ -577,6 +577,10 @@ ExponentialFunction::ExponentialFunction(Object *funcObj, Dict *dict) {
+       goto err2;
+     }
+     n = obj1.arrayGetLength();
++    if (unlikely(n > funcMaxOutputs)) {
++      error(errSyntaxError, -1, "Function's C0 array is wrong length");
++      n = funcMaxOutputs;
++    }
+     for (i = 0; i < n; ++i) {
+       obj1.arrayGet(i, &obj2);
+       if (!obj2.isNum()) {
+-- 
+2.8.0.rc3
+

--- End Message ---

--- Begin Message ---

To: Moritz Mühlenhoff <jmm@inutil.org>, 822616-done@bugs.debian.org

Cc: Pino Toscano <pino@debian.org>, team@security.debian.org

Subject: Re: Bug#822616: jessie-pu: package poppler/0.26.5-2+deb8u1

From: Julien Cristau <jcristau@debian.org>

Date: Wed, 27 Apr 2016 11:29:15 +0200

Message-id: <20160427092915.GH2718@betterave.cristau.org>

In-reply-to: <[🔎] 20160426073846.GA14450@pisco.westfalen.local>

References: <[🔎] 146160456284.31594.5713324907489901406.reportbug@drak> <[🔎] 20160426073846.GA14450@pisco.westfalen.local>
On Tue, Apr 26, 2016 at 09:38:46 +0200, Moritz Mühlenhoff wrote:

> On Mon, Apr 25, 2016 at 07:16:02PM +0200, Pino Toscano wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: jessie
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> > 
> > Hi,
> > 
> > simple jessie-pu for poppler, just fixed in unstable, which fixes
> > CVE-2015-8868; attached debdiff.
> > 
> > I guess I need to do binary uploads in (old-)stable, right?
> 
> Let's fix this via security.debian.org. Please change the distribution
> target to "jessie-security" and build with "-sa" to include the orig
> tarball (since poppler is new in the jessie security suite). security-master
> needs binary uploads.
> 
Closing the pu bug per the above.

Cheers,
Julien
--- End Message ---

Reply to:

References:
- Bug#822616: jessie-pu: package poppler/0.26.5-2+deb8u1
  - From: Pino Toscano <pino@debian.org>

Prev by Date: Processed: Re: Bug#822744: transition: gloox
Next by Date: Next IRC meeting
Previous by thread: Bug#822616: jessie-pu: package poppler/0.26.5-2+deb8u1
Next by thread: Bug#822652: nmu: pinba-engine-mysql_1.1.0-2
Index(es):
- Date
- Thread