Red Hat Product Errata RHSA-2009:0480 - Security Advisory

Issued:: 2009-05-13
Updated:: 2009-05-13

RHSA-2009:0480 - Security Advisory

Overview
Updated Packages

Synopsis

Important: poppler security update

Type/Severity

Security Advisory: Important

Topic

Updated poppler packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

Poppler is a Portable Document Format (PDF) rendering library, used by
applications such as Evince.

Multiple integer overflow flaws were found in poppler. An attacker could
create a malicious PDF file that would cause applications that use poppler
(such as Evince) to crash or, potentially, execute arbitrary code when
opened. (CVE-2009-0147, CVE-2009-1179, CVE-2009-1187, CVE-2009-1188)

Multiple buffer overflow flaws were found in poppler's JBIG2 decoder. An
attacker could create a malicious PDF file that would cause applications
that use poppler (such as Evince) to crash or, potentially, execute
arbitrary code when opened. (CVE-2009-0146, CVE-2009-1182)

Multiple flaws were found in poppler's JBIG2 decoder that could lead to the
freeing of arbitrary memory. An attacker could create a malicious PDF file
that would cause applications that use poppler (such as Evince) to crash
or, potentially, execute arbitrary code when opened. (CVE-2009-0166,
CVE-2009-1180)

Multiple input validation flaws were found in poppler's JBIG2 decoder. An
attacker could create a malicious PDF file that would cause applications
that use poppler (such as Evince) to crash or, potentially, execute
arbitrary code when opened. (CVE-2009-0800)

Multiple denial of service flaws were found in poppler's JBIG2 decoder. An
attacker could create a malicious PDF file that would cause applications
that use poppler (such as Evince) to crash when opened. (CVE-2009-0799,
CVE-2009-1181, CVE-2009-1183)

Red Hat would like to thank Braden Thomas and Drew Yao of the Apple Product
Security team, and Will Dormann of the CERT/CC for responsibly reporting
these flaws.

Users are advised to upgrade to these updated packages, which contain
backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Server - Extended Update Support 5.3 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 5.3 ia64
Red Hat Enterprise Linux Server - Extended Update Support 5.3 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Desktop 5 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.3 s390x
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386
Red Hat Enterprise Linux Server - AUS 5.3 x86_64
Red Hat Enterprise Linux Server - AUS 5.3 ia64
Red Hat Enterprise Linux Server - AUS 5.3 i386
Red Hat Enterprise Linux Desktop 5 x86_64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.3 ppc

Fixes

BZ - 490612 - CVE-2009-0146 xpdf: Multiple buffer overflows in JBIG2 decoder (setBitmap, readSymbolDictSeg) (CVE-2009-0195)
BZ - 490614 - CVE-2009-0147 xpdf: Multiple integer overflows in JBIG2 decoder
BZ - 490625 - CVE-2009-0166 xpdf: Freeing of potentially uninitialized memory in JBIG2 decoder
BZ - 495886 - CVE-2009-0799 PDF JBIG2 decoder OOB read
BZ - 495887 - CVE-2009-0800 PDF JBIG2 multiple input validation flaws
BZ - 495889 - CVE-2009-1179 PDF JBIG2 integer overflow
BZ - 495892 - CVE-2009-1180 PDF JBIG2 invalid free()
BZ - 495894 - CVE-2009-1181 PDF JBIG2 NULL dereference
BZ - 495896 - CVE-2009-1182 PDF JBIG2 MMR decoder buffer overflows
BZ - 495899 - CVE-2009-1183 PDF JBIG2 MMR infinite loop DoS
BZ - 495906 - CVE-2009-1187 poppler CairoOutputDev integer overflow
BZ - 495907 - CVE-2009-1188 poppler SplashBitmap integer overflow

CVEs

References

http://www.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
poppler-0.5.4-4.4.el5_3.9.src.rpm	SHA-256: f1b1fce9c2c64c48b0ae3ab9f03aec74fc786759a25187e8be918b0947692777
x86_64
poppler-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: c5274d67c8605ab8109ed4807ea51a1fcf85243feade61a1bbf6361addbb5fd5
poppler-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: b442b751e8308a3e9f6a58dd63986c4327d2fb8ff01ff9e12d629fbbc4bd1af2
poppler-devel-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 1c931da776af85a8ea50edc363ee137a9c6a74577b1521c2ce532d83c93e56cc
poppler-devel-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: 16ad578ccc5d0cb54c792c4d1f24f1f7fabf8591c257b3c17d4ad5e4cc588165
poppler-utils-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: d8e65e0374fdbfbffec8b567079011c892ecfd5b780fb2574b57ff1ab18c99e7
ia64
poppler-0.5.4-4.4.el5_3.9.ia64.rpm	SHA-256: 9a894c6f8bcf734f3b563273bacdf0a64b41f9f80e6342cd0f4b52b9194a56ba
poppler-devel-0.5.4-4.4.el5_3.9.ia64.rpm	SHA-256: 96c9a950c2050a5444689745b88b6dcee6e3d9b1d52222bac1dc12ce748aed57
poppler-utils-0.5.4-4.4.el5_3.9.ia64.rpm	SHA-256: a36078ac2905b1b4a873e4a7170985c3784b672be0c41e3938a2cfa1c5b4e2b7
i386
poppler-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: c5274d67c8605ab8109ed4807ea51a1fcf85243feade61a1bbf6361addbb5fd5
poppler-devel-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 1c931da776af85a8ea50edc363ee137a9c6a74577b1521c2ce532d83c93e56cc
poppler-utils-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 0ccefeeb5c46e9e07e7562318f8613b7a1bf8cf3179de7d5d8b2ffb93a3e8533

Red Hat Enterprise Linux Workstation 5

SRPM
poppler-0.5.4-4.4.el5_3.9.src.rpm	SHA-256: f1b1fce9c2c64c48b0ae3ab9f03aec74fc786759a25187e8be918b0947692777
x86_64
poppler-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: c5274d67c8605ab8109ed4807ea51a1fcf85243feade61a1bbf6361addbb5fd5
poppler-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: b442b751e8308a3e9f6a58dd63986c4327d2fb8ff01ff9e12d629fbbc4bd1af2
poppler-devel-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 1c931da776af85a8ea50edc363ee137a9c6a74577b1521c2ce532d83c93e56cc
poppler-devel-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: 16ad578ccc5d0cb54c792c4d1f24f1f7fabf8591c257b3c17d4ad5e4cc588165
poppler-utils-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: d8e65e0374fdbfbffec8b567079011c892ecfd5b780fb2574b57ff1ab18c99e7
i386
poppler-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: c5274d67c8605ab8109ed4807ea51a1fcf85243feade61a1bbf6361addbb5fd5
poppler-devel-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 1c931da776af85a8ea50edc363ee137a9c6a74577b1521c2ce532d83c93e56cc
poppler-utils-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 0ccefeeb5c46e9e07e7562318f8613b7a1bf8cf3179de7d5d8b2ffb93a3e8533

Red Hat Enterprise Linux Desktop 5

SRPM
poppler-0.5.4-4.4.el5_3.9.src.rpm	SHA-256: f1b1fce9c2c64c48b0ae3ab9f03aec74fc786759a25187e8be918b0947692777
x86_64
poppler-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: c5274d67c8605ab8109ed4807ea51a1fcf85243feade61a1bbf6361addbb5fd5
poppler-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: b442b751e8308a3e9f6a58dd63986c4327d2fb8ff01ff9e12d629fbbc4bd1af2
poppler-utils-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: d8e65e0374fdbfbffec8b567079011c892ecfd5b780fb2574b57ff1ab18c99e7
i386
poppler-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: c5274d67c8605ab8109ed4807ea51a1fcf85243feade61a1bbf6361addbb5fd5
poppler-utils-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 0ccefeeb5c46e9e07e7562318f8613b7a1bf8cf3179de7d5d8b2ffb93a3e8533

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
poppler-0.5.4-4.4.el5_3.9.src.rpm	SHA-256: f1b1fce9c2c64c48b0ae3ab9f03aec74fc786759a25187e8be918b0947692777
s390x
poppler-0.5.4-4.4.el5_3.9.s390.rpm	SHA-256: 0c75ea7e63b822aeb9e3e3bd6685317bf217ee38acbc878334a702e403ef9843
poppler-0.5.4-4.4.el5_3.9.s390x.rpm	SHA-256: 082172f67bdf3429a3e2c032fed240d86ae8dad1e478a65c152b316798aff57c
poppler-devel-0.5.4-4.4.el5_3.9.s390.rpm	SHA-256: f9e63b389c658937239f1a59698879a4be1115722f0650984f7965781dc53c9c
poppler-devel-0.5.4-4.4.el5_3.9.s390x.rpm	SHA-256: 64aa1eeed374398f597d639f1ef6914405c669befa07b9421a58be6622646a9d
poppler-utils-0.5.4-4.4.el5_3.9.s390x.rpm	SHA-256: 9d3b1a5b2baef5a7ccb8055ccd6614348c6003966e8970f89a1a0143d1470944

Red Hat Enterprise Linux for Power, big endian 5

SRPM
poppler-0.5.4-4.4.el5_3.9.src.rpm	SHA-256: f1b1fce9c2c64c48b0ae3ab9f03aec74fc786759a25187e8be918b0947692777
ppc
poppler-0.5.4-4.4.el5_3.9.ppc.rpm	SHA-256: dfc7339b0c6549d5d369c27a6c9d5d474883e397fde3b4cbd2e94b15d9e3ee1a
poppler-0.5.4-4.4.el5_3.9.ppc64.rpm	SHA-256: 71037f28f7f8dd5a4f8079ba47e0829205e00ebb650e5109345b763e2bf99727
poppler-devel-0.5.4-4.4.el5_3.9.ppc.rpm	SHA-256: 5c8e8b3921c1ac69d21c20aaf33db5bb8f79224b7b01db45ee2a1e854b10f919
poppler-devel-0.5.4-4.4.el5_3.9.ppc64.rpm	SHA-256: fca5bd40a5da6dc97713b6dee67bf6e43401d7c4c55ba9be94b6bf93e14c2dc1
poppler-utils-0.5.4-4.4.el5_3.9.ppc.rpm	SHA-256: 9c090bc82fd7b34ea1f6451df2565a37f033cd6109c0383165c4b5678dcee98d

Red Hat Enterprise Linux Server from RHUI 5

SRPM
poppler-0.5.4-4.4.el5_3.9.src.rpm	SHA-256: f1b1fce9c2c64c48b0ae3ab9f03aec74fc786759a25187e8be918b0947692777
x86_64
poppler-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: c5274d67c8605ab8109ed4807ea51a1fcf85243feade61a1bbf6361addbb5fd5
poppler-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: b442b751e8308a3e9f6a58dd63986c4327d2fb8ff01ff9e12d629fbbc4bd1af2
poppler-devel-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 1c931da776af85a8ea50edc363ee137a9c6a74577b1521c2ce532d83c93e56cc
poppler-devel-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: 16ad578ccc5d0cb54c792c4d1f24f1f7fabf8591c257b3c17d4ad5e4cc588165
poppler-utils-0.5.4-4.4.el5_3.9.x86_64.rpm	SHA-256: d8e65e0374fdbfbffec8b567079011c892ecfd5b780fb2574b57ff1ab18c99e7
i386
poppler-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: c5274d67c8605ab8109ed4807ea51a1fcf85243feade61a1bbf6361addbb5fd5
poppler-devel-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 1c931da776af85a8ea50edc363ee137a9c6a74577b1521c2ce532d83c93e56cc
poppler-utils-0.5.4-4.4.el5_3.9.i386.rpm	SHA-256: 0ccefeeb5c46e9e07e7562318f8613b7a1bf8cf3179de7d5d8b2ffb93a3e8533

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories