Debian alert DLA-1963-1 (poppler)
| From: | Brian May <bam@debian.org> |
| To: | debian-lts-announce@lists.debian.org |
| Subject: | [SECURITY] [DLA 1963-1] poppler security update |
| Date: | Fri, 18 Oct 2019 08:17:50 +1100 |
| Message-ID: | <20191017211750.GA22221@silverfish.pri> |
Package : poppler
Version : 0.26.5-2+deb8u12
CVE ID : CVE-2019-9959 CVE-2019-10871

Two buffer allocation issues were identified in poppler.

CVE-2019-9959

An unexpected negative length value can cause an integer overflow, which in turn makes it possible to allocate a large memory chunk on the heap with a size controlled by an attacker.

CVE-2019-10871

The RGB data are treated as CMYK data, so 4 bytes instead of 3 bytes are read at the end of the image. The fixed version defines SPLASH_CMYK, which is the upstream recommended solution.

For Debian 8 "Jessie", these problems have been fixed in version 0.26.5-2+deb8u12.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
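As an added illustration, not poppler's code and not part of the advisory, the hypothetical C helpers below show the two defensive checks that the bugs above call for: a size computation that rejects negative or overflowing image dimensions before anything is allocated, and a bounds check that catches a 3-byte-per-pixel buffer being decoded as 4-byte pixels. The function names and the 4x2 sample image are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <limits.h>

/* Hypothetical helper: byte size of a width x height image with ncomps
 * bytes per pixel. Returns 1 and stores the size in *out only when every
 * input is positive and the product cannot overflow size_t; returns 0
 * otherwise. Rejecting negative dimensions up front is what prevents the
 * CVE-2019-9959 pattern, where a negative length handed to an allocator
 * silently becomes a huge unsigned size. */
int image_bytes_needed(int width, int height, int ncomps, size_t *out) {
    if (width <= 0 || height <= 0 || ncomps <= 0) return 0;
    size_t w = (size_t)width, h = (size_t)height, c = (size_t)ncomps;
    if (w > SIZE_MAX / h) return 0;        /* w * h would overflow */
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / c) return 0;   /* pixels * c would overflow */
    *out = pixels * c;
    return 1;
}

/* Hypothetical helper: may a decoder that assumes assumed_comps bytes per
 * pixel read every pixel of the image from a buffer of buf_len bytes?
 * Returns 1 if the read stays in bounds, 0 if the final pixel would run
 * past the buffer, which is the CVE-2019-10871 situation: RGB (3-byte)
 * data read as CMYK (4-byte) needs more bytes than the buffer holds. */
int pixel_read_in_bounds(int width, int height, int assumed_comps,
                         size_t buf_len) {
    size_t needed;
    if (!image_bytes_needed(width, height, assumed_comps, &needed)) return 0;
    return needed <= buf_len;
}

/* The unchecked computation, for contrast: a negative length cast to
 * size_t wraps to a value near SIZE_MAX before it is multiplied, so an
 * allocator receiving this size is asked for an enormous heap chunk. */
size_t naive_alloc_size(int length, size_t elem_size) {
    return (size_t)length * elem_size;
}
```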
