Ubuntu Security Notice 3350-1 - Aleksandar Nikolic discovered that poppler incorrectly handled JPEG 2000 images. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or possibly execute arbitrary code with privileges of the user invoking the program. Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. Various other issues were also addressed.
52d790ac54064768358ec37b1553501b9e555e8c4d911d7636cbcb7a25c1132c
==========================================================================
Ubuntu Security Notice USN-3350-1
July 07, 2017
poppler vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
poppler could be made to crash or run programs as your login if it opened a
specially crafted file.
Software Description:
- poppler: PDF rendering library
Details:
Aleksandar Nikolic discovered that poppler incorrectly handled JPEG 2000
images. If a user or automated system were tricked into opening a crafted
PDF file, an attacker could cause a denial of service or possibly execute
arbitrary code with privileges of the user invoking the program.
(CVE-2017-2820)
Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed
certain malformed PDF documents. If a user or automated system were tricked
into opening a crafted PDF file, an attacker could cause poppler to crash,
resulting in a denial of service. (CVE-2017-7511)
It was discovered that the poppler pdfunite tool incorrectly parsed certain
malformed PDF documents. If a user or automated system were tricked into
opening a crafted PDF file, an attacker could cause poppler to hang,
resulting in a denial of service. (CVE-2017-7515)
It was discovered that poppler incorrectly handled JPEG 2000 images. If a
user or automated system were tricked into opening a crafted PDF file, an
attacker could cause cause poppler to crash, resulting in a denial of
service. (CVE-2017-9083)
It was discovered that poppler incorrectly handled memory when processing
PDF documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause poppler to consume resources,
resulting in a denial of service. (CVE-2017-9406, CVE-2017-9408)
Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler
pdftocairo tool incorrectly parsed certain malformed PDF documents. If a
user or automated system were tricked into opening a crafted PDF file, an
attacker could cause poppler to crash, resulting in a denial of service.
(CVE-2017-9775)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.04:
libpoppler-cpp0v5 0.48.0-2ubuntu2.1
libpoppler-glib8 0.48.0-2ubuntu2.1
libpoppler-qt4-4 0.48.0-2ubuntu2.1
libpoppler-qt5-1 0.48.0-2ubuntu2.1
libpoppler64 0.48.0-2ubuntu2.1
poppler-utils 0.48.0-2ubuntu2.1
Ubuntu 16.10:
libpoppler-cpp0v5 0.44.0-3ubuntu2.1
libpoppler-glib8 0.44.0-3ubuntu2.1
libpoppler-qt4-4 0.44.0-3ubuntu2.1
libpoppler-qt5-1 0.44.0-3ubuntu2.1
libpoppler61 0.44.0-3ubuntu2.1
poppler-utils 0.44.0-3ubuntu2.1
Ubuntu 16.04 LTS:
libpoppler-cpp0 0.41.0-0ubuntu1.2
libpoppler-glib8 0.41.0-0ubuntu1.2
libpoppler-qt4-4 0.41.0-0ubuntu1.2
libpoppler-qt5-1 0.41.0-0ubuntu1.2
libpoppler58 0.41.0-0ubuntu1.2
poppler-utils 0.41.0-0ubuntu1.2
Ubuntu 14.04 LTS:
libpoppler-cpp0 0.24.5-2ubuntu4.5
libpoppler-glib8 0.24.5-2ubuntu4.5
libpoppler-qt4-4 0.24.5-2ubuntu4.5
libpoppler-qt5-1 0.24.5-2ubuntu4.5
libpoppler44 0.24.5-2ubuntu4.5
poppler-utils 0.24.5-2ubuntu4.5
In general, a standard system update will make all the necessary changes.
References:
https://www.ubuntu.com/usn/usn-3350-1
CVE-2017-2820, CVE-2017-7511, CVE-2017-7515, CVE-2017-9083,
CVE-2017-9406, CVE-2017-9408, CVE-2017-9775
Package Information:
https://launchpad.net/ubuntu/+source/poppler/0.48.0-2ubuntu2.1
https://launchpad.net/ubuntu/+source/poppler/0.44.0-3ubuntu2.1
https://launchpad.net/ubuntu/+source/poppler/0.41.0-0ubuntu1.2
https://launchpad.net/ubuntu/+source/poppler/0.24.5-2ubuntu4.5