-
poppler (0.41.0-0ubuntu1.16) xenial-security; urgency=medium
* SECURITY REGRESSION: broken Splash output (LP: #1905741)
- debian/rules: don't build with --enable-cmyk as this causes a
regression with xpdf and gdal. This reverts the fix for
CVE-2019-10871.
-- Marc Deslauriers <email address hidden> Thu, 26 Nov 2020 10:59:16 -0500
-
poppler (0.41.0-0ubuntu1.15) xenial-security; urgency=medium
* SECURITY UPDATE: integer overflow in Parser::makeStream
- debian/patches/CVE-2018-21009.patch: check for overflow in
poppler/Parser.cc.
- CVE-2018-21009
* SECURITY UPDATE: buffer overread in PSOutputDev::checkPageSlice
- debian/rules: build with --enable-cmyk.
- debian/patches/CVE-2019-10871-fix.patch: fix wrong width condition in
splash/SplashBitmap.cc.
- debian/patches/CVE-2019-10871-fix2.patch: add missing
splashModeDeviceN8 in two switch statements in
poppler/SplashOutputDev.cc.
- CVE-2019-10871
* SECURITY UPDATE: heap-based buffer over-read
- debian/patches/CVE-2019-13283.patch: fix invalid memory access in
fofi/FoFiType1.cc.
- CVE-2019-13283
* SECURITY UPDATE: integer overflow leading to large memory allocation
- debian/patches/CVE-2019-9959.patch: ignore dict Length if clearly
broken in poppler/JPEG2000Stream.cc.
- CVE-2019-9959
* SECURITY UPDATE: DoS via buffer overflow in pdftohtml
- debian/patches/CVE-2020-27778.patch: properly initialize
HtmlOutputDev::page in utils/HtmlOutputDev.cc.
- CVE-2020-27778
-- Marc Deslauriers <email address hidden> Wed, 25 Nov 2020 08:41:00 -0500
-
poppler (0.41.0-0ubuntu1.14) xenial-security; urgency=medium
* SECURITY UPDATE: DoS in GfxImageColorMap::getGray
- debian/patches/CVE-2017-9865.patch: clear buffers in
utils/HtmlOutputDev.cc, utils/ImageOutputDev.cc.
- CVE-2017-9865
* SECURITY UPDATE: memory leak in GfxColorSpace::setDisplayProfile
- debian/patches/CVE-2018-18897.patch: enforcing single initialization
in poppler/GfxState.cc, qt5/src/poppler-qt5.h.
- CVE-2018-18897
* SECURITY UPDATE: DoS via crafted PDF file
- debian/patches/CVE-2018-20662.patch: check XRef's Catalog for being a
Dict in utils/pdfunite.cc.
- CVE-2018-20662
* SECURITY UPDATE: buffer over-read in downsample_row_box_filter
- debian/patches/CVE-2019-9631-1.patch: compute correct coverage values
for box filter in poppler/CairoRescaleBox.cc.
- debian/patches/CVE-2019-9631-2.patch: constrain number of cycles in
rescale filter in poppler/CairoRescaleBox.cc.
- CVE-2019-9631
* SECURITY UPDATE: dict marking mishandling
- debian/patches/CVE-2019-9903.patch: fix stack overflow on broken file
in poppler/PDFDoc.cc.
- CVE-2019-9903
* SECURITY UPDATE: DoS via FPE
- debian/patches/CVE-2019-10018-10023.patch: check for zero in
poppler/Function.cc.
- CVE-2019-10018
- CVE-2019-10023
* SECURITY UPDATE: DoS via FPE
- debian/patches/CVE-2019-10019.patch: check nStripes in
poppler/PSOutputDev.cc.
- CVE-2019-10019
* SECURITY UPDATE: DoS via FPE
- debian/patches/CVE-2019-10021.patch: check nBits in
poppler/Stream.cc.
- CVE-2019-10021
* SECURITY UPDATE: heap-based buffer over-read
- debian/patches/CVE-2019-10872.patch: restrict filling of overlapping
boxes in splash/Splash.cc.
- CVE-2019-10872
* SECURITY UPDATE: buffer over-read in JPXStream::init
- debian/patches/CVE-2019-12293.patch: fail gracefully if not all
components have the same WxH in poppler/JPEG2000Stream.cc.
- CVE-2019-12293
-- Marc Deslauriers <email address hidden> Wed, 26 Jun 2019 10:14:59 -0400
-
poppler (0.41.0-0ubuntu1.13) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-9200.patch: fix in
poppler/Stream.cc.
- CVE-2019-9200
-- <email address hidden> (Leonidas S. Barbosa) Thu, 28 Feb 2019 09:25:31 -0300
-
poppler (0.41.0-0ubuntu1.12) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-20551.patch: fix in
poppler/Annot.cc.
- CVE-2018-20551
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-7310.patch: fix in
poppler/XRef.cc.
- CVE-2019-7310
-- <email address hidden> (Leonidas S. Barbosa) Wed, 06 Feb 2019 14:44:16 -0300
-
poppler (0.41.0-0ubuntu1.11) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-20481.patch: fix in
poppler/XRef.cc.
- CVE-2018-20481
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-20650.patch: fix in
poppler/FileSpec.cc.
- CVE-2018-20650
-- <email address hidden> (Leonidas S. Barbosa) Mon, 21 Jan 2019 12:10:09 -0300
-
poppler (0.41.0-0ubuntu1.10) xenial-security; urgency=medium
* SECURITY REGRESSION: fixing patch applied previously
for CVE-2018-19149
- debian/patch/CVE-2018-19149-fixing-previous.patch
* SECURITY REGRESSION: fixing regression in check entry
- debian/patches/CVE-2018-16646-fix-regression-p1.patch
- debian/patches/CVE-2018-16646-fix-regression-p2.patch
-- <email address hidden> (Leonidas S. Barbosa) Mon, 10 Dec 2018 16:08:10 -0300
-
poppler (0.41.0-0ubuntu1.9) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2018-19149.patch: "check whether
and embedded file is actually present in the PDF and
show warning in that case" in glib/poppler-attachment.cc,
glib/poppler-document.cc.
- CVE-2018-19149
[ Marc Deslauriers ]
* SECURITY UPDATE: infinite recursion via crafted file
- debian/patches/CVE-2018-16646.patch: avoid cycles in PDF parsing in
poppler/Parser.cc, poppler/XRef.h.
- CVE-2018-16646
* SECURITY UPDATE: denial of service via reachable abort
- debian/patches/CVE-2018-19058.patch: check for stream before calling
stream methods when saving an embedded file in poppler/FileSpec.cc.
- CVE-2018-19058
* SECURITY UPDATE: denial of service via out-of-bounds read
- debian/patches/CVE-2018-19059.patch: check for valid embedded file
before trying to save it in utils/pdfdetach.cc.
- CVE-2018-19059
* SECURITY UPDATE: denial of service via NULL pointer dereference
- debian/patches/CVE-2018-19060.patch: check for valid file name of
embedded file in utils/pdfdetach.cc.
- CVE-2018-19060
-- <email address hidden> (Leonidas S. Barbosa) Fri, 30 Nov 2018 14:07:17 -0300
-
poppler (0.41.0-0ubuntu1.8) xenial-security; urgency=medium
* SECURITY UPDATE: Out of bounds read
- debian/patches/CVE-2018-13988.patch: fix in poppler/Parser.cc.
- CVE-2018-13988
-- <email address hidden> (Leonidas S. Barbosa) Mon, 27 Aug 2018 14:02:34 -0300
-
poppler (0.41.0-0ubuntu1.7) xenial-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2017-18267.patch: fix issue for malformed
documents in fofi/FoFiType1C.cc.
- CVE-2017-18267
-- <email address hidden> (Leonidas S. Barbosa) Mon, 14 May 2018 12:00:46 -0300
-
poppler (0.41.0-0ubuntu1.6) xenial-security; urgency=medium
* SECURITY UPDATE: fails to validate boundaries in TextPool::addWord
leading to overflow
- debian/patches/CVE-2017-1000456.patch: fix crash in fuzzed file in
poppler/TextOutputDev.cc.
- CVE-2017-1000456
* SECURITY UPDATE: has a heap-based buffer over-read vulnerability
- debian/patches/CVE-2017-14976.patch: fix crash in broken files in
fofi/FoFiType1C.cc.
- CVE-2017-14976
-- <email address hidden> (Leonidas S. Barbosa) Thu, 04 Jan 2018 13:58:32 -0300
-
poppler (0.41.0-0ubuntu1.5) xenial-security; urgency=medium
* SECURITY UPDATE: pointer dereference can cause a DoS attack
- debian/patches/CVE-2017-15565.patch: fix crash in broken files caused by
a dereference pointer in poppler/CairoOutputDev.cc.
- CVE-2017-15565
-- <email address hidden> (Leonidas S. Barbosa) Thu, 26 Oct 2017 11:20:13 -0300
-
poppler (0.41.0-0ubuntu1.4) xenial-security; urgency=medium
* SECURITY UPDATE: Floating point exception
- debian/patches/CVE-2017-14518.patch: Fix divide by 0 on broken
documents in splash/Splash.cc.
- CVE-2017-14518
* SECURITY UPDATE: Floating point exception
- debian/patches/CVE-2017-14520.patch: don't try to scale if srcHeight or
srcWidth is less than 1 in splash/Splash.cc.
- CVE-2017-14520
* SECURITY UPDATE: Floating point exception in ImageStream
- debian/patches/CVE-2017-14617.patch: Fix crash in broken files in
poppler/Stream.cc.
- CVE-2017-14617
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14926.patch: Fix crash on broken files
in poppler/Annot.cc.
- CVE-2017-14926
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14928.patch: Fix crash broken files
in poppler/Annot.cc.
- CVE-2017-14928
* SECURITY UPDATE: Memory corruption
- debian/patches/CVE-2017-14929.patch: Fix infinite recursion
in poppler/Gfx.cc, poppler/GfxState.cc, poppler/GfxState.h.
- CVE-2017-14929
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14975.patch: fix crash in convertToType0 in
fofi/FoFiType1C.cc.
- CVE-2017-14975
* SECURITY UPDATE: NULL pointer dereference
- debian/patches/CVE-2017-14977.patch: fix NULL deference pointer in
fofi/FoFiTrueType.cc.
- CVE-2017-14977
* SECURITY UPDATE: Integer overflow and heap overflow
- debian/patches/CVE-2017-9776.patch: fix malformed documents
in poppler/JBIG2Stream.cc.
- CVE-2017-9776
-- <email address hidden> (Leonidas S. Barbosa) Wed, 04 Oct 2017 12:12:46 -0300
-
poppler (0.41.0-0ubuntu1.3) xenial-security; urgency=medium
* SECURITY UPDATE: Memory corruption - infinite loop
- debian/patches/CVE-2017-14519.patch: fix infinite recursion in
poppler/Gfx.cc, poppler/Gfx.h, poppler/GfxFont.cc, poppler/GfxFont.h
- CVE-2017-14519
-- <email address hidden> (Leonidas S. Barbosa) Fri, 29 Sep 2017 12:30:32 -0300
-
poppler (0.41.0-0ubuntu1.2) xenial-security; urgency=medium
* SECURITY UPDATE: NULL pointer dereference in pdfunite
- debian/patches/CVE-2017-7511.patch: add extra checks to
utils/pdfunite.cc.
- CVE-2017-7511
* SECURITY UPDATE: uncontrolled recursion in pdfunite
- debian/patches/CVE-2017-7515.patch: fix recursion in
poppler/PDFDoc.cc, poppler/PDFDoc.h.
- CVE-2017-7515
* SECURITY UPDATE: NULL pointer dereference in JPXStream::readUByte
- debian/patches/CVE-2017-9083.patch: check nComps in
poppler/JPXStream.cc.
- CVE-2017-9083
* SECURITY UPDATE: memory leak in gmalloc
- debian/patches/CVE-2017-9406.patch: fix leak in poppler/XRef.cc.
- CVE-2017-9406
* SECURITY UPDATE: memory leak in Object::initArray
- debian/patches/CVE-2017-9408.patch: fix leak in poppler/XRef.cc.
- CVE-2017-9408
* SECURITY UPDATE: stack buffer overflow in GfxState.cc
- debian/patches/CVE-2017-9775.patch: add extra checks to
poppler/GfxState.cc.
- CVE-2017-9775
* SECURITY UPDATE: integer overflow in JPXStream::readTilePart
- debian/patches/CVE-2017-2820.patch: check for overflow in
poppler/JPXStream.cc.
- CVE-2017-2820
-- Marc Deslauriers <email address hidden> Thu, 06 Jul 2017 11:27:07 -0400
-
poppler (0.41.0-0ubuntu1.1) xenial; urgency=medium
* debian/patches/fix-fillToStrokePathClip-crash-and-rendering.patch
- Fix crash in _cairo_gstate_set_dash (LP: #1610714)
-- Jean-Louis Dupond <email address hidden> Sun, 07 Aug 2016 18:45:07 +0200
-
poppler (0.41.0-0ubuntu1) xenial; urgency=medium
* New upstream version (soname update 57->58)
* debian/patchres/revert_api_change.patch:
- revert upstream commit that removed an enum, they claim it's
not an abi change because it's unused, but other packages (bindings)
rely on it to build still, we can drop the patch later once the
redpends have been updated
-- Sebastien Bacher <email address hidden> Mon, 22 Feb 2016 18:45:00 +0100
-
poppler (0.38.0-0ubuntu1) xenial; urgency=medium
* New upstream release
* debian/libpoppler-qt4-4.symbols.in:
- Updated
* Updated for soname change libpoppler56 -> 57
-- Robert Ancell <email address hidden> Mon, 23 Nov 2015 10:47:58 +1300
-
poppler (0.37.0-0ubuntu1) xenial; urgency=medium
* New upstream version
* Updated for soname change libpoppler52 -> 56
-- Sebastien Bacher <email address hidden> Fri, 23 Oct 2015 17:38:30 +0200
-
poppler (0.33.0-0ubuntu3) wily; urgency=medium
* Set hardening flags to "+all,-pie" to build with all hardening flags
except -fPIE.
-- Iain Lane <email address hidden> Mon, 20 Jul 2015 12:53:12 +0100
