poppler (0.6.4-1ubuntu3.4) hardy-security; urgency=low

  * SECURITY UPDATE: regression in poppler security update (LP: #457985)
    - debian/patches/105_security_CVE-2009-3605.patch: update patch to use
      gmallocn_checkoverflow in splash/SplashFTFont.cc, as bitmap->h can be 0
      and this could cause a regression with certain applications.
    - CVE-2009-3605

 -- Marc Deslauriers Thu, 22 Oct 2009 10:14:11 -0400

poppler (0.6.4-1ubuntu3.3) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service or arbitrary code execution via
    unsafe malloc usage
    - debian/patches/105_security_CVE-2009-3605.patch: introduce gmallocn3
      in goo/gmem.{cc,h} and replace malloc calls with safe versions in
      glib/poppler-page.cc, poppler/{ArthurOutputDev,CairoOutputDev,
      GfxState,JBIG2Stream,PSOutputDev,SplashOutputDev}.cc,
      splash/{SplashBitmap,Splash,SplashFTFont}.cc.
    - CVE-2009-3605
  * SECURITY UPDATE: denial of service via invalid Form Opt entry
    (LP: #321764)
    - debian/patches/106_security_CVE-2009-0755.patch: handle invalid Opt
      entry gracefully in poppler/Form.cc.
    - CVE-2009-0755
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    overflow in rowSize computation
    - debian/patches/107_security_CVE-2009-360x.patch: make sure width value
      is sane in splash/SplashBitmap.cc.
    - CVE-2009-3603
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    overflow in pixel buffer size calculation
    - debian/patches/107_security_CVE-2009-360x.patch: make sure yp value
      is sane in splash/Splash.cc, splash/SplashErrorCodes.h.
    - CVE-2009-3604
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    overflow in object stream handling
    - debian/patches/107_security_CVE-2009-360x.patch: limit number of
      nObjects in poppler/XRef.cc.
    - CVE-2009-3608
  * SECURITY UPDATE: denial of service or arbitrary code execution via
    integer overflow in ImageStream::ImageStream
    - debian/patches/107_security_CVE-2009-360x.patch: check size of width
      and nComps in poppler/Stream.cc.
    - CVE-2009-3609

 -- Marc Deslauriers Mon, 19 Oct 2009 11:14:11 -0400

poppler (0.6.4-1ubuntu3.2) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution from
    multiple integer overflows, buffer overflows, and other issues with
    JBIG2 decoding.
    - debian/patches/104_security_jbig2.patch: prevent integer overflow in
      poppler/CairoOutputDev.cc and splash/SplashBitmap.cc, add overflow
      checking, improve error handling, and fix other issues in
      poppler/JBIG2Stream.*.
    - CVE-2009-0146
    - CVE-2009-0147
    - CVE-2009-0166
    - CVE-2009-0799
    - CVE-2009-0800
    - CVE-2009-1179
    - CVE-2009-1180
    - CVE-2009-1181
    - CVE-2009-1182
    - CVE-2009-1183

 -- Marc Deslauriers Thu, 09 Apr 2009 11:01:08 -0400

poppler (0.6.4-1ubuntu3.1) hardy-security; urgency=high

  * SECURITY UPDATE: crash via uninitialized pointer free().
  * debian/patches/103_page_initialization.patch: upstream fix.
  * References CVE-2008-2950

 -- Kees Cook Sat, 26 Jul 2008 10:23:32 -0700

poppler (0.6.4-1ubuntu3) hardy-proposed; urgency=low

  * debian/patches/081_from_upstream_fix_evince_reload_crasher.patch:
    - upstream change to fix evince crashing sometimes when reloading
      documents, the issue was a side effect of the previous change
      (lp: #242865)

 -- Sebastien Bacher Thu, 26 Jun 2008 17:11:45 +0200

poppler (0.6.4-1ubuntu2) hardy-proposed; urgency=low

  * debian/patches/080_from_upstream_fix_evince_printing_crasher.patch:
    - upstream change from Adrian Johnson, fix an evince printing crasher
      (lp: #208485)

 -- Sebastien Bacher Mon, 16 Jun 2008 12:44:01 +0200

poppler (0.6.4-1ubuntu1) hardy; urgency=low

  * SECURITY UPDATE: arbitrary code execution via malicious embedded fonts.
  * debian/patches/102_embedded-font-fixes.patch: stronger type-checking.
  * References CVE-2008-1693

 -- Kees Cook Tue, 15 Apr 2008 13:04:21 -0700

poppler (0.6.4-1) unstable; urgency=medium

  * Add ${shlibs:Depends} to libpoppler-glib-dev, libpoppler-dev,
    libpoppler-qt-dev, libpoppler-qt4-dev.
  * Add ${misc:Depends}.
  * Cleanups.
  * New upstream releases; no API change; bug fixes; closes: #459342.
  * Fix copyright information to use version 2 of the GPL (instead of
    version 2 or later); thanks Timo Jyrinki for the patch; closes: #453865.
  * Urgency medium for RC bug fix.
  * List pdftohtml in poppler-utils' description; closes: #464439.
  * Drop libpoppler-qt-dev dependency from libpoppler-qt4-dev; thanks Pino
    Toscano; closes: #459922.
  * Bump up Standards-Version to 3.7.3.

 -- Loic Minier Fri, 18 Jan 2008 13:35:06 +0100

poppler (0.6.2-1) unstable; urgency=low

  * New upstream version. (Closes: #447992)
  * Dependency on xpdfrc was removed on 2007-02-25
    (Closes: #347789, #440936)
  * Changes since 0.6.1:
    - Fix CVE-2007-4352, CVE-2007-5392 and CVE-2007-5393 (Closes: #450628)
    - Fix a crash on documents with wrong CCITTFaxStream
    - Fix a crash in the Cairo renderer with invalid embedded fonts
    - Fix a crash with invalid TrueType fonts
    - Check if font is inside the clip area before rendering it to a
      temporary bitmap in the Splash renderer. Fixes crashes on incorrect
      documents
    - Do not use exit(1) on DCTStream errors
    - Detect form fields at any depth level
    - Do not generate appearance stream for radio buttons that are not
      active

 -- Ondřej Surý Wed, 14 Nov 2007 11:20:07 +0100

poppler (0.6.1-2) unstable; urgency=low

  * Upload to unstable.

 -- Ondřej Surý Tue, 06 Nov 2007 09:07:10 +0100

poppler (0.6.1-1) experimental; urgency=low

  * New upstream version.
  * Changes since 0.6.0:
    - poppler core:
      + Fix printing with different x and y scale
      + Fix crash when Form Fields array contains references to non
        existent objects
      + Fix crash in CairoOutputDev::drawMaskedImage()
      + Fix embedded file description not working on some cases
    - Qt4 frontend:
      + Fix printing issue
      + Avoid double free
      + Fix memory leak when dealing with embedded files
    - glib frontend:
      + Fix build with --disable-cairo-output
      + Do not return unknown field type for signature form fields
    - build system:
      + Support automake-1.10
      + More compatible sh code in qt.m4
    - utils:
      + Fix build on Sun Studio compiler

 -- Ondřej Surý Thu, 25 Oct 2007 11:33:04 +0200

poppler (0.6-1) experimental; urgency=low

  * New upstream release. (Closes: #429700)
    - merged changes from Ubuntu, courtesy of Sebastien Bacher
    - Fix security issue MOAB-06-01-2007
    - Fix security issue CVE-2007-3387
    - Fix security issue CVE-2007-5049 (Closes: #443903)
  * debian/watch:
    - update (Closes: #441012)
  * debian/control, debian/libpoppler2.install,
    debian/libpoppler-glib2.install, debian/libpoppler-qt2.install,
    debian/libpoppler-qt4-2.install, debian/rules:
    - updated for soname change
  * debian/libpoppler-glib-dev.install:
    - install new test-poppler-glib
  * debian/patches/002_CVE-2006-0301.patch:
    - dropped, deprecated by the upstream changes
  * debian/patches/003_glib-2.0-configure.patch:
  * debian/patches/004_CVE-2007-0104.patch:
  * debian/patches/005_fix_inverted_text_from_bug_8944.patch:
    - dropped, fixed with the new version
  * debian/patches/006_pthreads_ldflags.patch:
    - updated

 -- Ondřej Surý Thu, 27 Sep 2007 09:03:33 +0200

poppler (0.5.4-6) unstable; urgency=low

  * Conflict with old library names from experimental. (Closes: #426023)

 -- Ondřej Surý Wed, 30 May 2007 08:42:32 +0200

poppler (0.5.4-5) unstable; urgency=low

  * Add missing poppler/poppler-link-qt3.h header to libpoppler-qt-dev;
    thanks Sune Vuorela; closes: #425486.
  * Let libpoppler-qt4-dev depend on libpoppler-qt-dev since some of its
    headers require poppler-page-transition.h which is clearly from the Qt
    bindings; thanks Sune Vuorela; closes: #425540.
  * Wrap build-deps and deps.
  * Drop useless debian/*.dirs.
  * Misc cleanups.
  * Build-dep on autotools-dev and drop bogus lintian overrides.

 -- Loic Minier Thu, 24 May 2007 23:09:23 +0200

poppler (0.5.4-4) unstable; urgency=low

  * The "Augean Stables" release.
  * 0.5.x branch fixes all kinds of displaying errors
    Closes: #372169, #235360, #331380, #332426, #336616
    Closes: #402647, #369164, #413953, #343654
  * Add versioned conflict to pdftohtml (Closes: #393169)
  * We dropped .la files some time ago, libjpeg62-dev dependency not needed
    now (Closes: #413112)
  * Crash fixed in 0.5.4 (Closes: #418638)
  * [control.in]: dropped some time ago (Closes: #407818)
  * NMU 0.5.4-5.1 merged as 004_CVE-2007-0104.patch (Closes: #407810)
  * 0.5.x uploaded to unstable (Closes: #352522)
  * qt4 libraries are now part of build (Closes: #414643)
  * No longer depends on poppler-data (Closes: #389753)
  * [debian/patches/006_pthreads_ldflags.patch]:
    + Add -lpthread to poppler/Makefile.am (Closes: #399275)

 -- Ondřej Surý Wed, 16 May 2007 10:45:39 +0200

poppler (0.5.4-3) unstable; urgency=low

  * Upload to unstable.
  * Enable Cairo output again.
  * Enable gtk-doc build.
  * Add lintian override for outdated-autotools-helper-files (we use CDBS).
  * Change shared library packages names according to Library Packaging
    Guide.
  * Change ${Source-Version} to ${binary:Version} to allow binNMU
  * Drop (= ${Source-Version}) dependency in glib, qt3, qt4 libraries; we
    are adding that from debian/rules
  * Merge changes from Ubuntu:
    + Enable Qt4 library build (but change name to libpoppler-qt4-1).
    + [debian/patches/004_CVE-2007-0104.patch]:
      - Limit recursion depth of the parsing tree to 100 to avoid infinite
        loop with crafted documents.
      - Patch taken from koffice security update (which has a copy of xpdf
        sources).
    + [debian/patches/005_fix_inverted_text_from_bug_8944.patch]:
      - fixes "text is inverted in some PDFs"

 -- Ondřej Surý Wed, 16 May 2007 08:26:47 +0200

poppler (0.5.4-2) experimental; urgency=low

  * [debian/control]: poppler-data is non-free, do not depend on it
    (Closes: #389753)

 -- Ondřej Surý Mon, 2 Oct 2006 14:41:58 +0200

poppler (0.5.4-1) experimental; urgency=low

  * New upstream release.
  * [debian/control.in]: remove file and add all pkg-freedesktop people to
    Uploaders: field
  * [debian/control]: Add dependency on poppler-data package.
  * [debian/patches/03_glib-2.0-configure.patch]: fix broken configure.ac

 -- Ondřej Surý Fri, 22 Sep 2006 16:49:17 +0200

poppler (0.5.3-1) experimental; urgency=low

  * New upstream release.
  * debian/lib{poppler,poppler-glib,poppler-qt}-dev.install: Stop shipping
    /usr/lib/*.la in libpoppler*-dev.

 -- Ondřej Surý Wed, 31 May 2006 17:19:34 +0200

poppler (0.5.2-1) experimental; urgency=low

  * New upstream release.
  * Remove patches adopted upstream:
    debian/patches/000_incorrect_define_fix.patch
    debian/patches/000_splash_build_fix.patch

 -- Ondřej Surý Tue, 23 May 2006 20:21:30 +0200

poppler (0.5.1-1) experimental; urgency=low

  * Merge back changes from Ubuntu.
  * Upload to experimental (Closes: 352522)

 -- Ondřej Surý Tue, 18 Apr 2006 15:08:26 +0200

poppler (0.5.1-0ubuntu6) dapper; urgency=low

  * Install poppler-page-transition into libpoppler-qt-dev (not
    libpoppler-dev), since it comes from the Qt bindings.
    Closes: LP#32179

 -- Martin Pitt Mon, 10 Apr 2006 12:20:46 +0200

poppler (0.5.1-0ubuntu5) dapper; urgency=low

  * debian/patches/000_incorrect_define_fix.patch:
    - patch from the CVS, fix an incorrect boxes rendering (Ubuntu: #33239)

 -- Sebastien Bacher Thu, 23 Mar 2006 12:33:17 +0100

poppler (0.5.1-0ubuntu4) dapper; urgency=low

  * debian/control.in: libpoppler-dev needs to depend on
    libfontconfig1-dev, because we directly include in GlobalParams.h

 -- Adam Conrad Thu, 16 Mar 2006 11:23:00 +1100

poppler (0.5.1-0ubuntu3) dapper; urgency=low

  * debian/control.in: Have poppler-utils Replace: xpdf-reader, since both
    contain pdftoppm.1.gz.

 -- Martin Pitt Mon, 13 Mar 2006 09:10:12 +0100

poppler (0.5.1-0ubuntu2) dapper; urgency=low

  * debian/control.in:
    - fix the libpoppler1 package description

 -- Sebastien Bacher Thu, 9 Mar 2006 09:43:15 +0000

poppler (0.5.1-0ubuntu1) dapper; urgency=low

  * New upstream version:
    - Support for embedded files.
    - Handle 0-width lines correctly.
    - Avoid external file use when opening fonts.
    - Only use vector fonts returned from fontconfig (#5758).
    - Fix scaled 1x1 pixmaps use for drawing lines (#3387).
    - drawSoftMaskedImage support in cairo backend.
    - Misc bug fixes: #5922, #5946, #5749, #5952, #4030, #5420.
  * debian/control.in, debian/libpoppler0c2.dirs,
    debian/libpoppler0c2-glib.dirs, debian/libpoppler0c2-glib.install,
    debian/libpoppler0c2.install, debian/libpoppler0c2-qt.dirs,
    debian/libpoppler0c2-qt.install, debian/rules:
    - updated for the soname change
  * debian/patches/000_splash_build_fix.patch:
    - fix build when using splash
  * debian/patches/001_fixes_for_fonts_selection.patch:
    - fix with the new version

 -- Sebastien Bacher Mon, 6 Mar 2006 18:42:44 +0000

poppler (0.5.0-0ubuntu5) dapper; urgency=low

  * debian/control.in, debian/rules:
    - build without libcairo

 -- Sebastien Bacher Sun, 26 Feb 2006 20:05:10 +0100

poppler (0.5.0-0ubuntu4) dapper; urgency=low

  * debian/patches/001_fixes_for_fonts_selection.patch:
    - change from the CVS, fix some renderings issues and fonts selection

 -- Sebastien Bacher Tue, 7 Feb 2006 13:38:04 +0100

poppler (0.5.0-0ubuntu3) dapper; urgency=low

  * SECURITY UPDATE: Buffer overflow.
  * Add debian/patches/002_CVE-2006-0301.patch:
    - splash/Splash.cc, Splash::drawPixel(), Splash::drawSpan(),
      Splash::xorSpan(): Check coordinates for integer overflow.
  * CVE-2006-0301

 -- Martin Pitt Fri, 3 Feb 2006 18:13:30 +0000

poppler (0.5.0-0ubuntu2) dapper; urgency=low

  * debian/rules: Bump shlibs version to 0.5.0.

 -- Martin Pitt Fri, 20 Jan 2006 16:56:40 +0100

poppler (0.5.0-0ubuntu1) dapper; urgency=low

  * New upstream release 0.5.0, required for new evince 0.5.
  * Merge with Debian.
  * Remove patches adopted upstream:
    - debian/patches/000_add-poppler-utils.patch
    - debian/patches/002-selection-crash-bug.patch
  * debian/libpoppler-dev.install:
    - Install poppler-page-transition.h.
    - Do not install poppler-config.h, it doesn't exist any more.
    - Upstream doesn't install legacy xpdf includes any more, fix path to
      install them into libpoppler-dev.
  * Add debian/patches/001_jpxstream_int_crash.patch:
    - poppler/JPXStream.h: Fix declaration of cbW to be signed.
      JPXStream.cc, readCodeBlockData() negates the value, which results in
      an invalid value on 64 bit platforms if using unsigned types.
    - Thanks to Vladimir Nadvornik for pointing at this.

 -- Martin Pitt Thu, 19 Jan 2006 23:49:52 +0100

poppler (0.4.4-1) unstable; urgency=high

  * New upstream security release
    - fixes CVE-2005-3624, CVE-2005-3625, CVE-2005-3627
  * Remove debian/patches/003-CVE-2005-3624_5_7.patch:
    - Merged upstream
  * Remove debian/patches/004-fix-CVE-2005-3192.patch:
    - Merged upstream
  * Remove debian/patches/001-relibtoolize.patch
    - Upstream uses recent libtool

 -- Ondřej Surý Thu, 12 Jan 2006 20:40:27 +0100

poppler (0.4.3-3) unstable; urgency=low

  * Fix missing libcairo2-dev dependency (Closes: #346277)

 -- Ondřej Surý Fri, 6 Jan 2006 21:37:10 +0100

poppler (0.4.3-2) unstable; urgency=high

  [ Martin Pitt ]
  * SECURITY UPDATE: Multiple integer/buffer overflows.
  * Add debian/patches/003-CVE-2005-3624_5_7.patch:
    - poppler/Stream.cc, CCITTFaxStream::CCITTFaxStream():
      + Check columns for negative or large values.
      + CVE-2005-3624
    - poppler/Stream.cc, numComps checks introduced in CVE-2005-3191 patch:
      + Reset numComps to 0 since it's a global variable that is used later.
      + CVE-2005-3627
    - poppler/Stream.cc, DCTStream::readHuffmanTables():
      + Fix out of bounds array access in Huffman tables.
      + CVE-2005-3627
    - poppler/Stream.cc, DCTStream::readMarker():
      + Check for EOF in while loop to prevent endless loops.
      + CVE-2005-3625
    - poppler/JBIG2Stream.cc, JBIG2Bitmap::JBIG2Bitmap(),
      JBIG2Bitmap::expand(), JBIG2Stream::readHalftoneRegionSeg():
      + Check user supplied width and height against invalid values.
      + Allocate one extra byte to prevent out of bounds access in combine().
  * Add debian/patches/004-fix-CVE-2005-3192.patch:
    - Fix nVals int overflow check in StreamPredictor::StreamPredictor().
    - Forwarded upstream to https://bugs.freedesktop.org/show_bug.cgi?id=5514.

  [ Ondřej Surý ]
  * Merge changes from Ubuntu (Closes: #346076).
  * Enable Cairo output again.
 -- Ondřej Surý Thu, 5 Jan 2006 14:54:44 +0100

poppler (0.4.3-1) unstable; urgency=high

  * New upstream release.
  * New maintainer (Closes: #344738)
  * CVE-2005-3191 and CAN-2005-2097 fixes merged upstream.
  * Fixed some rendering bugs and disabled Cairo output
    (Closes: #314556, #322964, #328211)
  * Acknowledge NMU (Closes: #342288)
  * Add 001-selection-crash-bug.patch (Closes: #330544)
  * Add poppler-utils (merge patch from Ubuntu)

 -- Ondřej Surý Fri, 30 Dec 2005 11:34:07 +0100

poppler (0.4.2-1.1) unstable; urgency=high

  * SECURITY UPDATE: Multiple integer/buffer overflows.
  * NMU to fix RC security bug (closes: #342288)
  * Add debian/patches/04_CVE-2005-3191_2_3.patch taken from Ubuntu, thanks
    to Martin Pitt:
  * poppler/Stream.cc, DCTStream::readBaselineSOF(),
    DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
    - Check numComps for invalid values.
    - http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
    - CVE-2005-3191
  * poppler/Stream.cc, StreamPredictor::StreamPredictor():
    - Check rowBytes for invalid values.
    - http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities
    - CVE-2005-3192
  * poppler/JPXStream.cc, JPXStream::readCodestream():
    - Check img.nXTiles * img.nYTiles for integer overflow.
    - http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities
    - CVE-2005-3193

 -- Frank Küster Fri, 23 Dec 2005 16:36:30 +0100

poppler (0.4.2-1) unstable; urgency=low

  * GNOME Team upload.
  * New upstream version.
  * debian/control.in:
    - updated the Build-Depends on libqt (Closes: #326130).
  * debian/rules:
    - updated the shlibs.

 -- Sebastien Bacher Wed, 7 Sep 2005 12:41:48 +0200

poppler (0.4.0-1) unstable; urgency=low

  * GNOME Team Upload.
  * Rebuild for the CPP transition.
  * New upstream version (Closes: #311133):
    - fix some crashers (Closes: #315590, #312261, #309410).
    - fix some rendering defaults
      (Closes: #314441, #315383, #309697, #308785).
  * debian/control.in, debian/rules:
    - build with the current cairo version (Closes: #321368, #318293).
    - update for the renamed packages.
  * debian/patches/01_CAN-2005-2097.patch:
    - Patch from Ubuntu, thanks Martin Pitt.
    - Check sanity of the TrueType "loca" table. Specially crafted broken
      tables caused disk space exhaustion due to very large generated glyph
      descriptions when attempting to fix the table.
    - Upstream patch scheduled for xpdf 3.01.
    - CAN-2005-2097
  * debian/watch:
    - fixed, patch by Jerome Warnier (Closes: #310996).

 -- Sebastien Bacher Wed, 17 Aug 2005 21:54:07 +0200

poppler (0.3.1-1) unstable; urgency=low

  * New upstream release
  * Upstream fixed the Qt build bug, so now I can enable Qt build.
    (Closes:#307340) It leads to two new binary packages libpoppler0-qt and
    libpoppler-qt-dev.
  * Excluded DEB_CONFIGURE_SYSCONFDIR setting, which is obsolete by the
    upstream removal of xpdfrc config.

 -- Changwoo Ryu Wed, 4 May 2005 00:19:35 +0900

poppler (0.3.0-2) unstable; urgency=high

  * Added shlib version info for libpoppler0-glib.
  * Corrected dependencies of libpoppler0-glib and libpoppler-glib-dev.
    (Closes: #306897)
  * Build-Depends on libgtk2.0-dev for -glib packages. (Closes: #306885)
  * Corrected descriptions of -glib packages.

 -- Changwoo Ryu Thu, 28 Apr 2005 02:41:25 +0900

poppler (0.3.0-1) unstable; urgency=low

  * New upstream release (Closes: #306573)
  * Added new binary packages libpoppler0-glib and libpoppler-glib-dev,
    which are GLib-based interfaces. Qt interface build is temporarily
    disabled, because of an upstream FTBFS.

 -- Changwoo Ryu Thu, 28 Apr 2005 02:07:23 +0900

poppler (0.1.2-1) unstable; urgency=low

  * Initial Release (Closes: #299518)

 -- Changwoo Ryu Tue, 15 Mar 2005 02:08:00 +0900