poppler (0.62.0-2ubuntu2.14) bionic-security; urgency=medium
* SECURITY REGRESSION: Adding missing install header
- debian/patches/0001-Install-goo-GooCheckedOps.h.patch:
this adds goo/GooCheckedOps.h to the CMakeLists.txt in order
for it to be distributed in the libpoppler-private-dev that was
missing in the previous fix for CVE-2022-38784. (LP: #1989515)
-- Leonidas Da Silva Barbosa <email address hidden> Wed, 14 Sep 2022 13:46:18 -0300
-
poppler (0.62.0-2ubuntu2.13) bionic-security; urgency=medium
* SECURITY UPDATE: Integer Overflow
- debian/patches/CVE-2022-38784-pre.patch: add checks in
goo/GooCheckedOps.h, goo/gmem.h.
- debian/patches/CVE-2022-38784.patch: Fix crash on broken file
in poppler/JBIG2Stream.cc.
- CVE-2022-38784
-- Leonidas Da Silva Barbosa <email address hidden> Tue, 06 Sep 2022 08:10:42 -0300
-
poppler (0.62.0-2ubuntu2.12) bionic-security; urgency=medium
* SECURITY REGRESSION: broken Splash output (LP: #1905741)
- debian/rules: don't build with SPLASH_CMYK=ON as this causes a
regression with xpdf and gdal. This reverts the fix for
CVE-2019-10871.
-- Marc Deslauriers <email address hidden> Thu, 26 Nov 2020 10:55:59 -0500
-
poppler (0.62.0-2ubuntu2.11) bionic-security; urgency=medium
* SECURITY UPDATE: integer overflow in Parser::makeStream
- debian/patches/CVE-2018-21009.patch: check for overflow in
poppler/Parser.cc.
- CVE-2018-21009
* SECURITY UPDATE: buffer overread in PSOutputDev::checkPageSlice
- debian/rules: build with SPLASH_CMYK=ON.
- debian/patches/CVE-2019-10871-fix.patch: fix wrong width condition in
splash/SplashBitmap.cc.
- debian/patches/CVE-2019-10871-fix2.patch: add missing
splashModeDeviceN8 in two switch statements in
poppler/SplashOutputDev.cc.
- CVE-2019-10871
* SECURITY UPDATE: integer overflow leading to large memory allocation
- debian/patches/CVE-2019-9959.patch: ignore dict Length if clearly
broken in poppler/JPEG2000Stream.cc.
- CVE-2019-9959
* SECURITY UPDATE: DoS via buffer overflow in pdftohtml
- debian/patches/CVE-2020-27778.patch: properly initialize
HtmlOutputDev::page in utils/HtmlOutputDev.cc.
- CVE-2020-27778
-- Marc Deslauriers <email address hidden> Wed, 25 Nov 2020 07:34:40 -0500
-
poppler (0.62.0-2ubuntu2.10) bionic-security; urgency=medium
* SECURITY UPDATE: Divide-by-zero error
- debian/patches/CVE-2019-14494.patch: Fix crash on broken file
in poppler/SplashOutputDev.cc.
- CVE-2019-14494
-- <email address hidden> (Leonidas S. Barbosa) Wed, 07 Aug 2019 14:12:48 -0300
-
poppler (0.62.0-2ubuntu2.9) bionic-security; urgency=medium
* SECURITY UPDATE: memory leak in GfxColorSpace::setDisplayProfile
- debian/patches/CVE-2018-18897.patch: enforcing single initialization
in poppler/GfxState.cc, qt5/src/poppler-qt5.h.
- CVE-2018-18897
* SECURITY UPDATE: DoS via crafted PDF file
- debian/patches/CVE-2018-20662.patch: check XRef's Catalog for being a
Dict in utils/pdfunite.cc.
- CVE-2018-20662
* SECURITY UPDATE: buffer over-read in downsample_row_box_filter
- debian/patches/CVE-2019-9631-1.patch: compute correct coverage values
for box filter in poppler/CairoRescaleBox.cc.
- debian/patches/CVE-2019-9631-2.patch: constrain number of cycles in
rescale filter in poppler/CairoRescaleBox.cc.
- CVE-2019-9631
* SECURITY UPDATE: dict marking mishandling
- debian/patches/CVE-2019-9903.patch: fix stack overflow on broken file
in poppler/PDFDoc.cc.
- CVE-2019-9903
* SECURITY UPDATE: heap-based buffer over-read
- debian/patches/CVE-2019-10872.patch: restrict filling of overlapping
boxes in splash/Splash.cc.
- CVE-2019-10872
* SECURITY UPDATE: buffer over-read in JPXStream::init
- debian/patches/CVE-2019-12293.patch: fail gracefully if not all
components have the same WxH in poppler/JPEG2000Stream.cc.
- CVE-2019-12293
-- Marc Deslauriers <email address hidden> Wed, 26 Jun 2019 09:59:06 -0400
-
poppler (0.62.0-2ubuntu2.8) bionic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-9200.patch: fix in
poppler/Stream.cc.
- CVE-2019-9200
-- <email address hidden> (Leonidas S. Barbosa) Thu, 28 Feb 2019 09:28:47 -0300
-
poppler (0.62.0-2ubuntu2.7) bionic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-20551.patch: fix in
poppler/Annot.cc.
- CVE-2018-20551
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-7310.patch: fix in
poppler/XRef.cc.
- CVE-2019-7310
-- <email address hidden> (Leonidas S. Barbosa) Fri, 08 Feb 2019 09:50:52 -0300
-
poppler (0.62.0-2ubuntu2.6) bionic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-20481.patch: fix in
poppler/XRef.cc.
- CVE-2018-20481
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-20650.patch: fix in
poppler/FileSpec.cc.
- CVE-2018-20650
-- <email address hidden> (Leonidas S. Barbosa) Mon, 21 Jan 2019 10:55:43 -0300
-
poppler (0.62.0-2ubuntu2.5) bionic-security; urgency=medium
* SECURITY REGRESSION: fixing regression in check entry
- debian/patches/CVE-2018-16646-fix-regression-p1.patch
- debian/patches/CVE-2018-16646-fix-regression-p2.patch
-- <email address hidden> (Leonidas S. Barbosa) Mon, 10 Dec 2018 14:14:38 -0300
-
poppler (0.62.0-2ubuntu2.4) bionic-security; urgency=medium
[ Marc Deslauriers ]
* SECURITY UPDATE: infinite recursion via crafted file
- debian/patches/CVE-2018-16646.patch: avoid cycles in PDF parsing in
poppler/Parser.cc, poppler/XRef.h.
- CVE-2018-16646
* SECURITY UPDATE: denial of service via reachable abort
- debian/patches/CVE-2018-19058.patch: check for stream before calling
stream methods when saving an embedded file in poppler/FileSpec.cc.
- CVE-2018-19058
* SECURITY UPDATE: denial of service via out-of-bounds read
- debian/patches/CVE-2018-19059.patch: check for valid embedded file
before trying to save it in utils/pdfdetach.cc.
- CVE-2018-19059
* SECURITY UPDATE: denial of service via NULL pointer dereference
- debian/patches/CVE-2018-19060.patch: check for valid file name of
embedded file in utils/pdfdetach.cc.
- CVE-2018-19060
-- <email address hidden> (Leonidas S. Barbosa) Fri, 30 Nov 2018 14:36:01 -0300
-
poppler (0.62.0-2ubuntu2.3) bionic; urgency=medium
* debian/patches/git_embed_segfault.patch:
- "Check whether an embedded file is actually present in the PDF
and show warning in that case." (lp: #1803059)
-- Sebastien Bacher <email address hidden> Fri, 23 Nov 2018 11:07:19 +0100
-
poppler (0.62.0-2ubuntu2.2) bionic-security; urgency=medium
* SECURITY UPDATE: Out of bounds read
- debian/patches/CVE-2018-13988.patch: fix in poppler/Parser.cc.
- CVE-2018-13988
-- <email address hidden> (Leonidas S. Barbosa) Tue, 28 Aug 2018 10:49:09 -0300
-
poppler (0.62.0-2ubuntu2.1) bionic-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-18267.patch: fix issue for malformed
documents in fofi/FoFiType1C.cc.
- CVE-2017-18267
-- <email address hidden> (Leonidas S. Barbosa) Mon, 14 May 2018 12:44:58 -0300
-
poppler (0.62.0-2ubuntu2) bionic; urgency=medium
* Cherry-pick cairo-good-filter.patch from 0.63:
Use cairo's GOOD filter instead of BEST to significantly improve
performance. Thanks Rogério Brito for suggesting this patch.
(Closes: #895487) (LP: #1763874)
-- Jeremy Bicha <email address hidden> Fri, 13 Apr 2018 22:08:42 -0400
-
poppler (0.62.0-2ubuntu1) bionic; urgency=low
* Merge with Debian; remaining changes:
- d/p/proper-init.patch: Fix thumbnailer crash
- d/rules: Use --enable-libopenjpeg=unmaintained, it's in universe
- debian/patches/CVE-2017-2820.patch: check for overflow in
poppler/JPXStream.cc.
- debian/patches/CVE-2017-9083.patch: check nComps in
poppler/JPXStream.cc.
poppler (0.62.0-2) unstable; urgency=medium
* 01-new-gtk-doc.patch: patch from upstream git, fix FTBFS with new
gtk-doc-tools. Closes: #887525.
* rules: don't hardcode CXXFLAGS when setting -g, instead append to it
so that we also get dpkg's buildflags.
* rules: pass CFLAGS down to CMake. This should get x32 the required flags
from dpkg to build with hardening=pie. This was lost during the switch
to CMake as it doesn't use CFLAGS directly. Closes: #883881.
* debian/tests/test-qt4.cpp: drop, the qt4 build is gone.
* qt-visibility.diff: drop qt4 hunk.
* control: Switch Vcs to salsa.
* Upload to unstable.
-- Iain Lane <email address hidden> Mon, 09 Apr 2018 16:17:17 +0100
-
poppler (0.62.0-1ubuntu1) bionic; urgency=medium
* Merge with Debian; remaining changes:
- d/p/proper-init.patch: Fix thumbnailer crash
- d/rules: Use --enable-libopenjpeg=unmaintained, it's in universe
- debian/patches/CVE-2017-2820.patch: check for overflow in
poppler/JPXStream.cc.
- debian/patches/CVE-2017-9083.patch: check nComps in
poppler/JPXStream.cc.
poppler (0.62.0-1) experimental; urgency=medium
* New upstream release.
* Drop libpoppler-qt4 library, removed upstream. Closes: #875096.
* libpoppler72 -> libpoppler73.
* control: Bump Standards-Version to 4.1.2.
poppler (0.61.1-2) unstable; urgency=medium
* debian/patches/qt-visibility.diff: forward upstream.
* Upload to unstable.
poppler (0.61.1-1) experimental; urgency=medium
* New upstream release.
* CVE-2017-14517: null pointer dereference on broken files. Closes: #876079.
* CVE-2017-14518: division by 0 on broken files. Closes: #876082.
* CVE-2017-14519: infinite recursion on broken files. Closes: #876086.
* CVE-2017-14520: floating point exception on broken files. Closes: #876081.
* CVE-2017-14617: floating point exception on broken files. Closes: #876385.
* CVE-2017-14926: null pointer dereference on broken files. Closes: #877239.
* CVE-2017-14927: null pointer dereference on broken files. Closes: #877237.
* CVE-2017-14928: null pointer dereference on broken files. Closes: #877231.
* CVE-2017-14929: infinite recursion on broken files. Closes: #877222.
* CVE-2017-14975: null pointer dereference on broken files. Closes: #877957.
* CVE-2017-14976: heap-based buffer over-read. Closes: #877954.
* CVE-2017-14977: null pointer dereference on broken files. Closes: #877952.
* CVE-2017-15565: null pointer dereference on broken files. Closes: #879066.
* Switch to cmake; the autotools build system is gone.
* rules: set libdir to the multiarch dir.
* Don't install static libs, they are not built with cmake.
* rules: Build with -g to get useful debugging symbols.
* control: Bump Standards-Version to 4.1.1.
* control: Drop Testsuite header, no longer needed.
* libpoppler70 -> libpoppler72.
* qt-visibility.diff: Port to cmake, but disable for now. Some Qt tests
use some of the private symbols and they are built now with the cmake
build system, which causes the build to fail. This makes the Qt
libraries export way more symbols, but they are not exported in the
headers, so this is fine for now.
poppler (0.59.0-1) experimental; urgency=medium
* New upstream release.
* libpoppler68 -> libpoppler70.
* Update symbols.
* control: Downgrade libpoppler-glib-doc dependency on other -doc packages
to a recommends.
* control: Remove ancient breaks/replaces.
* control: Bump Standards-Version to 4.1.0.
* copyright: Update copyright holders.
* rules: Switch to dh_missing as dh_install --list-missing is now deprecated.
* rules: Qt 3 is long gone, no need to try to use qt4's moc over it.
* rules: Drop V=1, no longer needed.
-- Matthias Klose <email address hidden> Thu, 25 Jan 2018 03:12:39 +0100
-
poppler (0.57.0-2ubuntu5) bionic; urgency=medium
* SECURITY UPDATE: pointer dereference can cause a DoS attack
- debian/patches/CVE-2017-15565.patch: fix crash in broken files caused by
a pointer dereference in poppler/CairoOutputDev.cc.
- CVE-2017-15565
-- <email address hidden> (Leonidas S. Barbosa) Thu, 26 Oct 2017 11:14:37 -0300
-
poppler (0.57.0-2ubuntu4) artful; urgency=medium
* SECURITY UPDATE: Floating point exception
- debian/patches/CVE-2017-14518.patch: Fix divide by 0 on broken
documents in splash/Splash.cc.
- CVE-2017-14518
* SECURITY UPDATE: Floating point exception
- debian/patches/CVE-2017-14520.patch: don't try to scale if srcHeight or
srcWidth is less than 1 in splash/Splash.cc.
- CVE-2017-14520
* SECURITY UPDATE: Floating point exception in ImageStream
- debian/patches/CVE-2017-14617.patch: Fix crash in broken files in
poppler/Stream.cc.
- CVE-2017-14617
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14926.patch: Fix crash on broken files
in poppler/Annot.cc.
- CVE-2017-14926
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14927.patch: Fix crash in broken files in
poppler/SplashOutputDev.cc.
- CVE-2017-14927
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14928.patch: Fix crash on broken files
in poppler/Annot.cc.
- CVE-2017-14928
* SECURITY UPDATE: Memory corruption
- debian/patches/CVE-2017-14929.patch: Fix infinite recursion
in poppler/Gfx.cc, poppler/GfxState.cc, poppler/GfxState.h.
- CVE-2017-14929
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14975.patch: fix crash in convertToType0 in
fofi/FoFiType1C.cc.
- CVE-2017-14975
* SECURITY UPDATE: heap-based buffer over-read
- debian/patches/CVE-2017-14976.patch: fix crash in convertToType0 in
fofi/FoFiType1C.cc.
- CVE-2017-14976
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14977.patch: fix NULL pointer dereference in
fofi/FoFiTrueType.cc.
- CVE-2017-14977
-- <email address hidden> (Leonidas S. Barbosa) Thu, 05 Oct 2017 15:20:07 -0300