From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com" <ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <778d75a5-30a0-2a3c-f421-9e80e0fb5fbf@canonical.com>
Subject: [USN-3350-1] poppler vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3350-1
July 07, 2017

poppler vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
poppler could be made to crash or run programs as your login if it opened a specially crafted file.
Software Description:
- poppler: PDF rendering library
Details:
Aleksandar Nikolic discovered that poppler incorrectly handled JPEG 2000 images. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or possibly execute arbitrary code with privileges of the user invoking the program. (CVE-2017-2820)
Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-7511)
It was discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to hang, resulting in a denial of service. (CVE-2017-7515)
It was discovered that poppler incorrectly handled JPEG 2000 images. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-9083)
It was discovered that poppler incorrectly handled memory when processing PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to consume resources, resulting in a denial of service. (CVE-2017-9406, CVE-2017-9408)
Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler pdftocairo tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-9775)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 17.04:
  libpoppler-cpp0v5   0.48.0-2ubuntu2.1
  libpoppler-glib8    0.48.0-2ubuntu2.1
  libpoppler-qt4-4    0.48.0-2ubuntu2.1
  libpoppler-qt5-1    0.48.0-2ubuntu2.1
  libpoppler64        0.48.0-2ubuntu2.1
  poppler-utils       0.48.0-2ubuntu2.1

Ubuntu 16.10:
  libpoppler-cpp0v5   0.44.0-3ubuntu2.1
  libpoppler-glib8    0.44.0-3ubuntu2.1
  libpoppler-qt4-4    0.44.0-3ubuntu2.1
  libpoppler-qt5-1    0.44.0-3ubuntu2.1
  libpoppler61        0.44.0-3ubuntu2.1
  poppler-utils       0.44.0-3ubuntu2.1

Ubuntu 16.04 LTS:
  libpoppler-cpp0     0.41.0-0ubuntu1.2
  libpoppler-glib8    0.41.0-0ubuntu1.2
  libpoppler-qt4-4    0.41.0-0ubuntu1.2
  libpoppler-qt5-1    0.41.0-0ubuntu1.2
  libpoppler58        0.41.0-0ubuntu1.2
  poppler-utils       0.41.0-0ubuntu1.2

Ubuntu 14.04 LTS:
  libpoppler-cpp0     0.24.5-2ubuntu4.5
  libpoppler-glib8    0.24.5-2ubuntu4.5
  libpoppler-qt4-4    0.24.5-2ubuntu4.5
  libpoppler-qt5-1    0.24.5-2ubuntu4.5
  libpoppler44        0.24.5-2ubuntu4.5
  poppler-utils       0.24.5-2ubuntu4.5
In general, a standard system update will make all the necessary changes.
References:
  https://www.ubuntu.com/usn/usn-3350-1
  CVE-2017-2820, CVE-2017-7511, CVE-2017-7515, CVE-2017-9083,
  CVE-2017-9406, CVE-2017-9408, CVE-2017-9775

Package Information:
  https://launchpad.net/ubuntu/+source/poppler/0.48.0-2ubuntu2.1
  https://launchpad.net/ubuntu/+source/poppler/0.44.0-3ubuntu2.1
  https://launchpad.net/ubuntu/+source/poppler/0.41.0-0ubuntu1.2
  https://launchpad.net/ubuntu/+source/poppler/0.24.5-2ubuntu4.5