-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3903.2
                          poppler security update
                              21 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           poppler
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Denial of Service -- Remote with User Interaction
                   Reduced Security  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10871 CVE-2019-9959 

Reference:         ESB-2019.3467

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/10/msg00024.html
   https://lists.debian.org/debian-lts-announce/2019/10/msg00025.html

Comment: This bulletin contains two (2) Debian security advisories.

Revision History:  October 21 2019: Vendor issued advisory DLA 1963-2 poppler regression update
                   October 18 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : poppler
Version        : 0.26.5-2+deb8u12
CVE ID         : CVE-2019-9959 CVE-2019-10871

Two buffer allocation issues were identified in poppler.

CVE-2019-9959

    An unexpected negative length value can cause an integer
    overflow, which in turn makes it possible to allocate a large
    memory chunk on the heap with size controlled by an attacker.

CVE-2019-10871

    The RGB data are considered CMYK data and hence it reads 4 bytes
    instead of 3 bytes at the end of the image. The fixed version
    defines SPLASH_CMYK which is the upstream recommended solution.
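The two defect patterns named above, shown side by side with their hardened forms, as an added illustration that is not poppler's code and not part of the Debian advisory. The naive size computation stands in for the CVE-2019-9959 pattern (a signed, file-controlled length converted to an allocation size without validation); the checked reader stands in for the CVE-2019-10871 pattern (decoding a 3-byte-per-pixel RGB buffer as 4-byte-per-pixel CMYK and overreading on the last pixel). The colour-space enum, the kMaxImageBytes policy limit and the 2x2 sample image are constructed for this example.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Bytes per pixel for the two colour spaces the advisory mentions (assumed mapping).
enum class ColorSpace : int { RGB = 3, CMYK = 4 };

static int bytesPerPixel(ColorSpace cs) { return static_cast<int>(cs); }

// Pattern behind CVE-2019-9959 (illustrative, not poppler's code): a signed length
// read from the file is multiplied and converted to size_t without any validation.
// A negative length therefore becomes an enormous allocation size.
size_t naiveBufferSize(int length, int bpp) {
    return static_cast<size_t>(length * bpp);  // -1 * 4 == -4 -> about 2^64 on 64-bit
}

// Hardened form: reject negative dimensions and check each multiplication
// against overflow before performing it. Returns false on any problem and
// leaves `out` untouched.
bool safeBufferSize(long width, long height, ColorSpace cs, size_t& out) {
    if (width < 0 || height < 0) return false;
    const size_t w = static_cast<size_t>(width);
    const size_t h = static_cast<size_t>(height);
    const size_t bpp = static_cast<size_t>(bytesPerPixel(cs));
    const size_t kMax = std::numeric_limits<size_t>::max();
    if (w != 0 && h > kMax / w) return false;          // w * h would overflow
    const size_t pixels = w * h;
    if (pixels != 0 && bpp > kMax / pixels) return false;  // pixels * bpp would overflow
    out = pixels * bpp;
    return true;
}

// Allocation behind an upper bound: even an arithmetically valid size is refused
// when it exceeds a policy limit, so file-controlled dimensions cannot force the
// heap to hand out huge chunks. kMaxImageBytes is an assumed limit for this example.
constexpr size_t kMaxImageBytes = 64u * 1024u * 1024u;

bool allocateImage(long width, long height, ColorSpace cs, std::vector<uint8_t>& buf) {
    size_t n = 0;
    if (!safeBufferSize(width, height, cs, n) || n > kMaxImageBytes) return false;
    buf.assign(n, 0);
    return true;
}

// Pattern behind CVE-2019-10871: the decoder believes the image is CMYK (4 bytes per
// pixel) while the buffer actually holds RGB (3 bytes per pixel), so reading the last
// pixel runs one byte past the end of the buffer. Checking the buffer length against
// the declared layout before reading turns that overread into a clean failure.
bool readLastPixel(const std::vector<uint8_t>& data, long width, long height,
                   ColorSpace declared, std::array<uint8_t, 4>& pixel) {
    size_t needed = 0;
    if (!safeBufferSize(width, height, declared, needed)) return false;
    if (needed == 0 || data.size() < needed) return false;  // too short for declared layout
    const size_t bpp = static_cast<size_t>(bytesPerPixel(declared));
    const size_t offset = needed - bpp;
    pixel.fill(0);
    for (size_t i = 0; i < bpp; ++i) pixel[i] = data[offset + i];
    return true;
}

// Constructed sample: a 2x2 RGB image, 12 bytes, whose last pixel is (9, 10, 11).
std::vector<uint8_t> sampleRgb2x2() {
    return {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};
}
```

Passing the 12-byte RGB sample through readLastPixel with the declared space set to CMYK is rejected because the layout would need 16 bytes, whereas the unchecked pattern would read past the buffer; the same helper rejects a negative width long before any allocation is attempted.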

For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u12.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAl2oB/kACgkQKpJZkldk
SvoF0Q/+OjXoWEtdIsbvkbkzBpRRTmQtp79lDyqsZl9A5M7Mt6XeHhxFjuOjF6rt
Zja0XcoinSoR6O8yKfAFRdD3WDJSWkHMK7yTIwMKYBoIv7nX9k6aPK006iYI1LUY
NaBFemG9sH91UoFdnZYt/bD6zvFKrJSNZeH0AkYf3iS6NX1uYUxEWBenM/+QjBAU
r6pfD/r2lfzj5h2RcGIqKpx2/Nxm8xgUKHp/GwDW17lLFNapWfpHpg4481WXe7eU
AViltQs9fIR6vCxZK4tK0e8r7M7K9PzqdEjwtLQ1Efl8yDl08PLPK0AJshvpvASW
EL0TW+dx+mJRrSgijhjKHc1LlnM0Tl7lqXbJFKO9pn2raLjgI/M8ZvDGbTQB3WCB
3H7bdC6VFzL8W390pyCHjSsmKINv9Qi2a81KhB8/X2cRdN5OauOEKw1xYE8SkC/t
w4BFJ3K/DyoPJ9EaftFJUhZPbG89zpmukPp/FSowN7DzDrdOSiRBJQGr1VblAGBU
D5s2QW2p3cOlLkWF6gBsyJvW6T3F6IQ/JGf8OR+dBfY4NghHMvLylSbgQl+4BvW1
VmJgK4vXi9wnjPTjRR34F16IPsU0tE6J8cbn2SAC+PyufScDZFeD84KTUHJfhXdy
LOPCTv+X0KPlSIm325keFHMJqCH7tlFS0qqPWcfC+4bMcBocAsY=
=Es0+
- -----END PGP SIGNATURE-----

===============================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : poppler
Version        : 0.18_0.26.5-2+deb8u13
CVE ID         : CVE-2019-10871
Debian Bug     : 942503


The fix for CVE-2019-10871 broke xpdf. This change has been reverted
until a better fix can be developed.

For Debian 8 "Jessie", this problem has been fixed in version
0.18_0.26.5-2+deb8u13.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----