Your message dated Sun, 11 Sep 2022 13:32:36 +0000
with message-id <e1oxn4e-005swq...@fasolo.debian.org>
and subject line Bug#1018971: fixed in poppler 20.09.0-3.1+deb11u1
has caused the Debian Bug report #1018971,
regarding poppler: CVE-2022-38784
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1018971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: poppler
Version: 22.08.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for poppler.

CVE-2022-38784[0]:
| Poppler prior to and including 22.08.0 contains an integer overflow in
| the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc).
| Processing a specially crafted PDF file or JBIG2 image could lead to a
| crash or the execution of arbitrary code. This is similar to the
| vulnerability described by CVE-2022-38171 in Xpdf.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38784
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38784
[1] https://gitlab.freedesktop.org/poppler/poppler/-/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52
[2] https://gist.github.com/zmanion/b2ed0d1a0cec163ecd07d5e3d9740dc6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: poppler
Source-Version: 20.09.0-3.1+deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1018...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Sep 2022 22:02:48 +0200
Source: poppler
Architecture: source
Version: 20.09.0-3.1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian freedesktop.org maintainers <pkg-freedesktop-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1010695 1018971
Changes:
 poppler (20.09.0-3.1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Hints::readTables: bail out if we run out of file when reading
     (CVE-2022-27337) (Closes: #1010695)
   * JBIG2Stream: Fix crash on broken file (CVE-2022-38784) (Closes: #1018971)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
