Opened 14 years ago

Closed 14 years ago

#2497 closed task (fixed)

Stream.cxx vulnerabilities (cups, poppler, xpdf)

Reported by: ken@…
Owned by: ken@…
Priority: normal
Milestone: 6.3
Component: BOOK
Version: SVN
Severity: normal
Keywords:

Description (last modified by ken@…)

CVE-2008-0047 (heap overflow, cups versions up to 1.3.5).

I've been using 1.2.12 for a long while, and just started using 1.3.6 on newer systems. I've got the patches OpenSuse use on 1.2.12 (also CVE-2007-4352 and CVE-2007-5392); I can take a look at putting those in for 6.3.

Investigation also showed Suse patch for CVE-2007-3387 - all of these are in Stream.cxx, from xpdf, so I've renamed the ticket.

They variously affect xpdf-3.02 < pl2 (no comments on foolabs about what pl2 fixes, but some of these are against pl1), poppler < 0.5.91, also old gpdf which is not in the book, and kpdf, kgraphics - kde should be fixed by 3.5.9 or earlier, but I can see kdegraphics appeared to use poppler on one of my systems.

Change History (5)

comment:1 by ken@…, 14 years ago

Owner: changed from blfs-book@… to ken@…
Status: new → assigned

comment:2 by ken@…, 14 years ago

Description: modified (diff)
Summary: cups latest vulnerability → Stream.cxx vulnerabilities (cups, poppler, xpdf)

comment:3 by ken@…, 14 years ago

First part (cups) updated in r7327. The headers seem stable within CUPS_VERSION_MINOR and in any case Stream.h is not installed.

comment:4 by ken@…, 14 years ago

Poppler updated in r7328.

comment:5 by ken@…, 14 years ago

Resolution: fixed
Status: assigned → closed

Xpdf updated in r7331.
