Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Fedora 29: 2019-0ea42f074e Critical: Poppler Buffer Over-Read

fedora
Calendar Grey June 21, 2019
Dist Fedora Esm H88
Important security patch for poppler resolves various buffer over-read vulnerabilities in Fedora 29. Upgrade is advised.
Security fix for CVE-2019-12293, CVE-2019-10872 and CVE-2019-10871.

Summary

poppler is a PDF rendering library.

Security fix for CVE-2019-12293, CVE-2019-10872 and CVE-2019-10871.

* Thu May 30 2019 Marek Kasik - 0.67.0-21

- Don't read outside of image buffer in PSOutputDev

- Resolves: #1696640

* Thu May 30 2019 Marek Kasik - 0.67.0-20

- Restrict filling of overlapping boxes in Splash

- Resolves: #1696640

* Thu May 30 2019 Marek Kasik - 0.67.0-19

- Fail gracefully if not all components of JPEG2000Stream

- have the same size

- Resolves: #1713585

* Wed Apr 17 2019 Marek Kasik - 0.67.0-18

- Fix stack overflow on broken file

- Resolves: #1691725

* Wed Apr 17 2019 Marek Kasik - 0.67.0-17

- Fix infinite loop in broken files

- Resolves: #1699863

* Mon Apr 1 2019 Marek Kasik - 0.67.0-16

- Constrain number of cycles in rescale filter

- Compute correct coverage values for box filter

- Resolves: #1686803

* Mon Apr 1 2019 Marek Kasik - 0.67.0-15

- Check for Ref type before unwrapping Object

- Resolves: #1694457

* Mon Mar 11 2019 Marek Kasik - 0.67.0-14

- Fix possible crash on broken files in ImageStream::getLine()

- Resolves: #1683633

* Fri Mar 8 2019 Marek Kasik - 0.67.0-13

- Synchronize previous patch with upstream

- Related: #1665274

* Wed Feb 20 2019 Marek Kasik - 0.67.0-12

- Check Catalog from XRef for being a Dict

- Resolves: #1665274

* Wed Feb 20 2019 Marek Kasik - 0.67.0-11

- Defend against requests for negative XRef indices

- Resolves: #1672420

* Tue Jan 22 2019 Marek Kasik - 0.67.0-10

- Avoid global display profile state becoming an uncontrolled

- memory leak

- Resolves: #1646549

* Mon Jan 21 2019 Marek Kasik - 0.67.0-9

- Do not try to parse into unallocated XRef entry

- Resolves: #1665268

* Mon Jan 21 2019 Marek Kasik - 0.67.0-8

- Move the fileSpec.dictLookup call inside fileSpec.isDict if

- Resolves: #1665264

* Mon Jan 21 2019 Marek Kasik - 0.67.0-7

- Do not try to construct invalid rich media annotation assets

- Resolves: #1665260

* Thu Nov 15 2018 Marek Kasik - 0.67.0-6

- Check for valid file name of embedded file

- Resolves: #1649451

* Thu Nov 15 2018 Marek Kasik - 0.67.0-5

- Check for valid embedded file before trying to save it

- Resolves: #1649441

* Thu Nov 15 2018 Marek Kasik - 0.67.0-4

- Check for stream before calling stream methods

- when saving an embedded file

- Resolves: #1649436

* Mon Nov 12 2018 Marek Kasik - 0.67.0-3

- Avoid cycles in PDF parsing

- Resolves: #1626620

* Wed Oct 17 2018 Marek Kasik - 0.67.0-2

- Fix crash on missing embedded file

- Resolves: #1569334

[ 1 ] Bug #1713582 - CVE-2019-12293 poppler: heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc

https://bugzilla.redhat.com/show_bug.cgi?id=1713582

[ 2 ] Bug #1696638 - CVE-2019-10872 poppler: heap-based buffer over-read in function Splash::blitTransparent in splash/Splash.cc

https://bugzilla.redhat.com/show_bug.cgi?id=1696638

[ 3 ] Bug #1696636 - CVE-2019-10871 poppler: heap-based buffer over-read in function PSOutputDev::checkPageSlice in PSOutputDev.cc

https://bugzilla.redhat.com/show_bug.cgi?id=1696636

su -c 'dnf upgrade --advisory FEDORA-2019-0ea42f074e' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Topics%20covered

Topics Covered

security advisory security issue critical software update Fedora poppler buffer over-read

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 29
Version: 0.67.0
Release: 21.fc29
URL: http://poppler.freedesktop.org/
Summary: PDF rendering library

Topics%20covered

Topics Covered

security advisory security issue critical software update Fedora poppler buffer over-read

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here