Your message dated Tue, 27 Nov 2012 16:02:57 +0000
with message-id <[email protected]>
and subject line Bug#693817: fixed in poppler 0.18.4-4
has caused the Debian Bug report #693817,
regarding Bugs in GooString::insert() leading to unterminated strings
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
693817: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693817
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: poppler
Version: 0.20.5-1
Severity: important
Tags: patch

  GooString::insert(int i, char c)
  GooString::insert(int i, const char* s)

as exported by libpoppler are both buggy. They both cause the resulting
strings to be not properly 0-terminated, breaking
GooString::getCString().

This was noted in bug #649047 for xpdf:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649047

I sincerely hope these functions are mainly/only used by xpdf, and _not_
by libpoppler internally or other packages using libpoppler. If they
are in fact more widely used, I would suggest to upgrade Severity to
grave because of the possible security implications.

Squeeze is also affected, and the same patch applies.

Regards,
Wolfram.
--- goo/GooString.cc.orig 2012-08-30 22:31:05.000000000 +0200
+++ goo/GooString.cc 2012-11-20 17:50:04.000000000 +0100
@@ -719,7 +719,9 @@
}
GooString *GooString::insert(int i, char c) {
- return insert(i, (const char*)&c, 1);
+ char buf[2] = { c, '\0' };
+
+ return insert(i, buf, 1);
}
GooString *GooString::insert(int i, GooString *str) {
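Review bot: in GooString::insert(int i, char c) the new call insert(i, buf, 1) still passes an explicit length of 1, exactly as the old call did, so the added '\0' in buf is only ever read if the three-argument overload looks past that length (for example by calling strlen on its argument). A one-line comment above char buf[2] naming the callee behaviour the terminator guards against would document why the copy is needed; if the overload does honour its length argument, the extra buffer is redundant.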
@@ -733,7 +735,9 @@
lengthA = strlen(str);
resize(length + lengthA);
- for (j = prevLen; j >= i; --j)
+ // If resize() has enlarged the buffer, the old string is no
+ // longer 0-terminated, therefore start copying at prevLen-1
+ for (j = prevLen-1; j >= i; --j)
s[j+lengthA] = s[j];
memcpy(s+i, str, lengthA);
return this;
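Review bot: with the loop now starting at prevLen-1, nothing in the visible lines writes s[prevLen+lengthA], so the result is terminated only if resize() has already stored '\0' at the new length; the added comment explains why s[prevLen] must not be copied but does not state that dependency. Suggest saying so in the comment, or writing the terminator explicitly at the new end of the string after the memcpy. Separately, no range check on i is visible in this hunk, and memcpy(s+i, str, lengthA) writes outside the string when i is negative or greater than prevLen.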
--- End Message ---
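
The loop-bound bug described in the report above, reproduced as an added example (not part of the original report and not poppler's code). MiniStr is a hypothetical stand-in for GooString; its resize(), which always moves to a fresh buffer, copies only the old characters and terminates at the new length, is an assumed simplification of the behaviour the patch comment describes.

```cpp
// Added illustration: MiniStr is a hypothetical stand-in, not poppler's GooString.
#include <cstdio>
#include <cstring>

struct MiniStr {
  char *s = nullptr;
  int length = 0;

  explicit MiniStr(const char *init) {
    resize((int)strlen(init));
    memcpy(s, init, length);
  }
  ~MiniStr() { delete[] s; }

  // Assumed resize() model: fresh buffer, old characters copied without their
  // terminator, then a terminator stored at the new length.
  void resize(int newLen) {
    char *n = new char[newLen + 1];
    memset(n, '#', newLen + 1);  // stands in for uninitialised heap bytes
    if (s) memcpy(n, s, length < newLen ? length : newLen);
    n[newLen] = '\0';
    delete[] s;
    s = n;
    length = newLen;
  }

  // prePatchLoop=true uses the old bound (j = prevLen); false uses prevLen-1.
  void insert(int i, const char *str, bool prePatchLoop) {
    int prevLen = length;
    int lengthA = (int)strlen(str);
    resize(length + lengthA);
    for (int j = prePatchLoop ? prevLen : prevLen - 1; j >= i; --j)
      s[j + lengthA] = s[j];  // old bound drags s[prevLen] over the new terminator
    memcpy(s + i, str, lengthA);
  }
};

// True when s[length] still holds the terminator after inserting "XY" into "abcd".
bool terminated_after_insert(bool prePatchLoop) {
  MiniStr g("abcd");  // constructed sample input
  g.insert(2, "XY", prePatchLoop);
  return g.s[g.length] == '\0';
}

int main() {
  printf("pre-patch loop terminated: %d\n", terminated_after_insert(true));
  printf("patched loop terminated:   %d\n", terminated_after_insert(false));
  return 0;
}
```

With the old bound, the byte at s[prevLen] in the fresh buffer is whatever the allocator left there, and copying it to s[prevLen+lengthA] replaces the terminator that resize() wrote, which is what breaks callers that treat the buffer as a C string.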
--- Begin Message ---
Source: poppler
Source-Version: 0.18.4-4
We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pino Toscano <[email protected]> (supplier of updated poppler package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 27 Nov 2012 16:24:17 +0100
Source: poppler
Binary: libpoppler19 libpoppler-dev libpoppler-private-dev libpoppler-glib8
libpoppler-glib-dev gir1.2-poppler-0.18 libpoppler-qt4-3 libpoppler-qt4-dev
libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64
Version: 0.18.4-4
Distribution: unstable
Urgency: low
Maintainer: Loic Minier <[email protected]>
Changed-By: Pino Toscano <[email protected]>
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-3 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler19 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Closes: 693817
Changes:
 poppler (0.18.4-4) unstable; urgency=low
 .
   * Backport upstream commits 7ba15d11e56175601104d125d5e4a47619c224bf and
     55940e989701eb9118015e30f4f48eb654fa34c4 to fix GooString::insert;
     patch upstream_fix-GooString-insert.diff. (Closes: #693817)
   * Add a libcairo2-doc build dependency to fix cross-references to cairo
     methods in the poppler-glib apidox.
--- End Message ---