| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Nov 2010 19:20:00 +0100 From: security@...driva.com To: full-disclosure@...ts.grok.org.uk Subject: [ MDVSA-2010:231 ] poppler -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:231 http://www.mandriva.com/security/ _______________________________________________________________________ Package : poppler Date : November 12, 2010 Affected: 2010.0, 2010.1 _______________________________________________________________________ Problem Description: Multiple vulnerabilities were discovered and corrected in poppler: The Gfx::getPos function in the PDF parser in poppler, allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference (CVE-2010-3702). The PostScriptFunction::PostScriptFunction function in poppler/Function.cc in the PDF parser in poppler, allows context-dependent attackers to cause a denial of service (crash) via a PDF file that triggers an uninitialized pointer dereference (CVE-2010-3703). The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser in poppler, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PDF file with a crafted Type1 font that contains a negative array index, which bypasses input validation and which triggers memory corruption (CVE-2010-3704). The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3702 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3703 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3704 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.0: f8eeb85b978e98a9bfffce7ab584e9df 2010.0/i586/libpoppler5-0.12.4-1.2mdv2010.0.i586.rpm 11b9dfe9e37261bec174c25aae9d71b4 2010.0/i586/libpoppler-devel-0.12.4-1.2mdv2010.0.i586.rpm b9af206162c906094204ed13a4620318 2010.0/i586/libpoppler-glib4-0.12.4-1.2mdv2010.0.i586.rpm eea6fc72a55f119c2fe7aef2c37400f6 2010.0/i586/libpoppler-glib-devel-0.12.4-1.2mdv2010.0.i586.rpm d83f8f81d2cbb11a3a12e0654d63cd11 2010.0/i586/libpoppler-qt2-0.12.4-1.2mdv2010.0.i586.rpm 8e1f7d0278a299b55e1b213f90462610 2010.0/i586/libpoppler-qt4-3-0.12.4-1.2mdv2010.0.i586.rpm 6f1505518bb6a42bd017f4ed00ed5f3f 2010.0/i586/libpoppler-qt4-devel-0.12.4-1.2mdv2010.0.i586.rpm 6bfceb4bbb5565f829c765e15d9f84f8 2010.0/i586/libpoppler-qt-devel-0.12.4-1.2mdv2010.0.i586.rpm 69b87e12827e20261bcac5c1a9f6cc47 2010.0/i586/poppler-0.12.4-1.2mdv2010.0.i586.rpm b395b580e189eac53cec4cdce2ceaeeb 2010.0/SRPMS/poppler-0.12.4-1.2mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 5ac922ba77b7e24852b032cb96d66dcc 2010.0/x86_64/lib64poppler5-0.12.4-1.2mdv2010.0.x86_64.rpm a35fdb10aaaeda661082eea969c8cb10 2010.0/x86_64/lib64poppler-devel-0.12.4-1.2mdv2010.0.x86_64.rpm be4e55287976d6d9f0bc8acdd41dc371 2010.0/x86_64/lib64poppler-glib4-0.12.4-1.2mdv2010.0.x86_64.rpm 2e63d0dff69e958f0b926cf6d0026c61 2010.0/x86_64/lib64poppler-glib-devel-0.12.4-1.2mdv2010.0.x86_64.rpm b50e39d108dc2458c252fbf365e2aaff 2010.0/x86_64/lib64poppler-qt2-0.12.4-1.2mdv2010.0.x86_64.rpm 7b249ff04f794fb6a8dc8b05564143e4 2010.0/x86_64/lib64poppler-qt4-3-0.12.4-1.2mdv2010.0.x86_64.rpm 121f80f800f144eb489f0cdce287e7ef 2010.0/x86_64/lib64poppler-qt4-devel-0.12.4-1.2mdv2010.0.x86_64.rpm fb7297fbbd3758eca663813932d822fe 2010.0/x86_64/lib64poppler-qt-devel-0.12.4-1.2mdv2010.0.x86_64.rpm 5fbd9b1cbd0c18cc7f5a77ee8c9421e8 2010.0/x86_64/poppler-0.12.4-1.2mdv2010.0.x86_64.rpm b395b580e189eac53cec4cdce2ceaeeb 2010.0/SRPMS/poppler-0.12.4-1.2mdv2010.0.src.rpm Mandriva Linux 2010.1: 039272fbf964bf0cda8ee8be3f73d7f0 2010.1/i586/libpoppler5-0.12.4-2.1mdv2010.1.i586.rpm 4b8cd7ba4fcad0fdb13d498d9659353e 2010.1/i586/libpoppler-devel-0.12.4-2.1mdv2010.1.i586.rpm 0c8ecda02ad63275628fdf7dbb886d85 2010.1/i586/libpoppler-glib4-0.12.4-2.1mdv2010.1.i586.rpm a899985446082afaf7a552a9d093fa7b 2010.1/i586/libpoppler-glib-devel-0.12.4-2.1mdv2010.1.i586.rpm 98cc33b6085f8b5a3e450814217a87fc 2010.1/i586/libpoppler-qt2-0.12.4-2.1mdv2010.1.i586.rpm aca2798c969fe7e1ae41f8fda8c767bf 2010.1/i586/libpoppler-qt4-3-0.12.4-2.1mdv2010.1.i586.rpm 766c5b85413728af84378f56647f3d6e 2010.1/i586/libpoppler-qt4-devel-0.12.4-2.1mdv2010.1.i586.rpm e1af5e2dda8be30d3ac1e009ce856588 2010.1/i586/libpoppler-qt-devel-0.12.4-2.1mdv2010.1.i586.rpm e2060c17f1f8ece622fbcf94e50205d7 2010.1/i586/poppler-0.12.4-2.1mdv2010.1.i586.rpm a3495563ca96089190aef76b6c25df4d 2010.1/SRPMS/poppler-0.12.4-2.1mdv2010.1.src.rpm Mandriva Linux 2010.1/X86_64: 142bdd508c9c62480b467b3aa74a6eb1 2010.1/x86_64/lib64poppler5-0.12.4-2.1mdv2010.1.x86_64.rpm 423f44b8802e838afbdd9be973bee11b 2010.1/x86_64/lib64poppler-devel-0.12.4-2.1mdv2010.1.x86_64.rpm 88b25a582c2bf185196e8d68b2567bd9 2010.1/x86_64/lib64poppler-glib4-0.12.4-2.1mdv2010.1.x86_64.rpm 5ea3f17b45cdddf438d4642348f0133d 2010.1/x86_64/lib64poppler-glib-devel-0.12.4-2.1mdv2010.1.x86_64.rpm 11e9facfbca3b5d916f480e5053614cd 2010.1/x86_64/lib64poppler-qt2-0.12.4-2.1mdv2010.1.x86_64.rpm 51f3818574979e270265d94947b863ff 2010.1/x86_64/lib64poppler-qt4-3-0.12.4-2.1mdv2010.1.x86_64.rpm d7c2b054dd96ac00eb7caf957d290cf6 2010.1/x86_64/lib64poppler-qt4-devel-0.12.4-2.1mdv2010.1.x86_64.rpm 9533bb591cd679ba8f880b23605e837a 2010.1/x86_64/lib64poppler-qt-devel-0.12.4-2.1mdv2010.1.x86_64.rpm a6fd550b90857f4cbfcd97213d5e7918 2010.1/x86_64/poppler-0.12.4-2.1mdv2010.1.x86_64.rpm a3495563ca96089190aef76b6c25df4d 2010.1/SRPMS/poppler-0.12.4-2.1mdv2010.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFM3VkMmqjQ0CJFipgRAt1ZAKDMo9oWIQ/0cZWwYHte7+QQWtASZwCfTuRR Qp8m00pY+5aiMBWXOR3I64k= =VPTO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists