diff -u poppler-0.8.7/debian/changelog poppler-0.8.7/debian/changelog
--- poppler-0.8.7/debian/changelog
+++ poppler-0.8.7/debian/changelog
@@ -1,3 +1,13 @@
+poppler (0.8.7-2lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Address incomplete fix for JBIG2 issues.
+ * Apply patches for CVE-2009-1187 and CVE-2009-1188, which was note done
+ * in the last upload.
+ * Apply patches for CVE-2009-0755.
+
+ -- Michael Gilbert Sun, 16 Aug 2009 23:29:35 -0400
+
 poppler (0.8.7-2) stable; urgency=high

 * 11_JBIG2_CVEs.patch: backport several fixes related to parsing of
only in patch2:
unchanged:
--- poppler-0.8.7.orig/debian/patches/12_jbig2_complete_CVE-2009-1187+1188.patch
+++ poppler-0.8.7/debian/patches/12_jbig2_complete_CVE-2009-1187+1188.patch
@@ -0,0 +1,67 @@
+diff -urp poppler-0.8.7-orig/poppler/CairoOutputDev.cc poppler-0.8.7-mod/poppler/CairoOutputDev.cc
+--- poppler-0.8.7-orig/poppler/CairoOutputDev.cc 2009-08-16 22:17:44.000000000 -0400
++++ poppler-0.8.7-mod/poppler/CairoOutputDev.cc 2009-08-16 22:30:14.000000000 -0400
+@@ -1567,7 +1567,7 @@ void CairoOutputDev::drawImage(GfxState
+ cairo_matrix_t matrix;
+ int is_identity_transform;
+
+- buffer = (unsigned char *)gmalloc (width * height * 4);
++ buffer = (unsigned char *)gmallocn (width, height * 4); // CVE-2009-1187
+
+ /* TODO: Do we want to cache these? */
+ imgStr = new ImageStream(str, width,
+diff -urp poppler-0.8.7-orig/poppler/Form.cc poppler-0.8.7-mod/poppler/Form.cc
+--- poppler-0.8.7-orig/poppler/Form.cc 2009-08-16 22:17:44.000000000 -0400
++++ poppler-0.8.7-mod/poppler/Form.cc 2009-08-16 23:11:53.000000000 -0400
+@@ -446,7 +446,9 @@ void FormWidgetChoice::loadDefaults ()
+ obj3.free();
+ obj4.free();
+ } else {
+- error(-1, "FormWidgetChoice:: invalid Opt entry\n");
++ error(-1, "FormWidgetChoice:: invalid %d Opt entry\n", i); // CVE-2009-0755
++ parent->_setChoiceExportVal(i, new GooString("")); // CVE-2009-0755
++ parent->_setChoiceOptionName(i, new GooString("")); // CVE-2009-0755
+ }
+ obj2.free();
+ }
+diff -urp poppler-0.8.7-orig/poppler/JBIG2Stream.cc poppler-0.8.7-mod/poppler/JBIG2Stream.cc
+--- poppler-0.8.7-orig/poppler/JBIG2Stream.cc 2009-08-16 22:29:34.000000000 -0400
++++ poppler-0.8.7-mod/poppler/JBIG2Stream.cc 2009-08-16 23:40:38.000000000 -0400
+@@ -1579,7 +1579,7 @@ GBool JBIG2Stream::readSymbolDictSeg(Gui
+ inputSymbolDict = NULL;
+ for (i = 0; i < nRefSegs; ++i) {
+ seg = findSegment(refSegs[i]);
+- if (seg->getType() == jbig2SegSymbolDict) {
++ if (seg != NULL && seg->getType() == jbig2SegSymbolDict) { // fix incomplet fix for JBIG2 issues
+ inputSymbolDict = (JBIG2SymbolDict *)seg;
+ for (j = 0; j < inputSymbolDict->getSize(); ++j) {
+ bitmaps[k++] = inputSymbolDict->getBitmap(j);
+@@ -2679,6 +2679,7 @@ void JBIG2Stream::readGenericRegionSeg(G
+
+ eofError:
+ error(getPos(), "Unexpected EOF in JBIG2 stream");
++ return;
+ }
+
+ inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels,
+@@ -3167,7 +3168,7 @@ void JBIG2Stream::readGenericRefinementR
+ }
+ if (nRefSegs == 1) {
+ seg = findSegment(refSegs[0]);
+- if (seg->getType() != jbig2SegBitmap) {
++ if (seg == NULL || seg->getType() != jbig2SegBitmap) { // fix incomplet fix for JBIG2 issues
+ error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment");
+ return;
+ }
+diff -urp poppler-0.8.7-orig/splash/SplashBitmap.cc poppler-0.8.7-mod/splash/SplashBitmap.cc
+--- poppler-0.8.7-orig/splash/SplashBitmap.cc 2009-08-16 22:17:44.000000000 -0400
++++ poppler-0.8.7-mod/splash/SplashBitmap.cc 2009-08-16 22:31:17.000000000 -0400
+@@ -47,7 +47,7 @@ SplashBitmap::SplashBitmap(int widthA, i
+ }
+ rowSize += rowPad - 1;
+ rowSize -= rowSize % rowPad;
+- data = (SplashColorPtr)gmalloc(rowSize * height);
++ data = (SplashColorPtr)gmallocn(rowSize, height); // CVE-2009-1188
+ if (!topDown) {
+ data += (height - 1) * rowSize;
+ rowSize = -rowSize;
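Review bot: In the CairoOutputDev.cc hunk, `height * 4` is still a plain `int` multiplication, evaluated before `gmallocn` gets to run its own overflow check. A very large image height taken from the document can therefore wrap and hand the allocator a count that looks valid, leaving `buffer` smaller than the later writes assume. Bound the height before the call, for example `if (height <= 0 || height > INT_MAX / 4) { error(-1, "Invalid image height"); return; }`, or pass the three factors separately to a checked allocator if this backport's gmem offers one. drawImage begins and ends outside the hunk, so any earlier validation of width and height, and the cleanup an early return would need, are not visible here.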
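Review bot: The three added lines in the Form.cc hunk carry only the CVE id as a trailing comment, which does not tell a maintainer why the empty strings are stored. One comment above them would say it, e.g. `// invalid Opt entry: store empty strings so slot i is never left unset for code that reads the choices later`. It is also not visible from this hunk whether `_setChoiceExportVal` and `_setChoiceOptionName` take ownership of the `new GooString("")` arguments; if they copy instead, each malformed entry leaks two allocations, so the ownership contract is worth confirming. loadDefaults starts and ends outside the hunk.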
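Review bot: In the JBIG2Stream.cc readSymbolDictSeg hunk, the new `seg != NULL &&` guard silently skips a referenced segment that does not exist, while the matching guard in readGenericRefinementRegionSeg reports an error and returns. A skipped segment leaves `k` lower than whatever symbol count was computed above the hunk, so code after the loop may presumably read `bitmaps` slots that were never filled. Consider an explicit branch such as `if (seg == NULL) { error(getPos(), "Missing segment reference in JBIG2 symbol dictionary"); continue; }`, or bail out through the function's existing error path, which is outside the hunk. Any other `findSegment` result dereferenced elsewhere in these two functions needs the same check. The trailing comment `fix incomplet fix for JBIG2 issues` would read better as a statement of the condition, e.g. `// findSegment() returns NULL for an unknown segment number`.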
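Review bot: In the SplashBitmap.cc hunk, `gmallocn(rowSize, height)` only guards the final product, while `rowSize` itself is derived from the width above this hunk, where only the padding adjustment is visible. If that width-based multiplication or `rowSize += rowPad - 1` can wrap for a very wide bitmap, the checked allocation is performed against a row size that is already wrong. It is worth confirming that the width computation is bounded too, for instance by rejecting widths above `INT_MAX` divided by the bytes-per-pixel factor before `rowSize` is computed. The constructor body begins and ends outside the hunk.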