rpms/poppler/F-7 poppler-0.5.4-CVE-2008-1693.patch, NONE, 1.1 poppler.spec, 1.39, 1.40
Tomas Hoger (thoger)
fedora-extras-commits at redhat.com
Thu Apr 24 15:59:30 UTC 2008
Author: thoger
Update of /cvs/extras/rpms/poppler/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29513
Modified Files:
poppler.spec
Added Files:
poppler-0.5.4-CVE-2008-1693.patch
Log Message:
Security update: xpdf embedded font vulnerability CVE-2008-1693 (#441722)
poppler-0.5.4-CVE-2008-1693.patch:
--- NEW FILE poppler-0.5.4-CVE-2008-1693.patch ---
Upstream patch for CVE-2008-1693 - xpdf embedded font vulnerability
Upstream commit:
http://gitweb.freedesktop.org/?p=poppler/poppler.git;a=commitdiff;h=1a531dcfee1c6fc79a414c38cbe7327fbf9a59d8
by:
Carlos Garcia Campos <carlosgc at gnome.org>
diff -pruN poppler-0.5.4.orig/poppler-0.5.4/poppler/CairoFontEngine.cc poppler-0.5.4/poppler-0.5.4/poppler/CairoFontEngine.cc
--- poppler-0.5.4.orig/poppler-0.5.4/poppler/CairoFontEngine.cc 2006-05-30 22:41:37.000000000 +0200
+++ poppler-0.5.4/poppler-0.5.4/poppler/CairoFontEngine.cc 2008-04-21 17:48:28.000000000 +0200
@@ -79,6 +79,12 @@ CairoFont *CairoFont::create(GfxFont *gf
refObj.initRef(embRef.num, embRef.gen);
refObj.fetch(xref, &strObj);
refObj.free();
+ if (!strObj.isStream()) {
+ error(-1, "Embedded font object is wrong type");
+ strObj.free();
+ fclose(tmpFile);
+ goto err2;
+ }
strObj.streamReset();
while ((c = strObj.streamGetChar()) != EOF) {
fputc(c, tmpFile);
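Review bot: In the new `!strObj.isStream()` branch, cleanup is done by hand (`strObj.free();` then `fclose(tmpFile);`) before `goto err2`, and the body of `err2` is not visible in this hunk. Please confirm that `err2` does not close `tmpFile` a second time and that the temporary file already created on disk is removed on this path. The message passed to `error(-1, ...)` could also include `embRef.num` and `embRef.gen`, which are in scope here, so that a rejected document can be traced to the offending object. A one-line comment noting that the fetched object comes from the document and may not be a stream would explain why the check sits before `strObj.streamReset()`.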
Index: poppler.spec
===================================================================
RCS file: /cvs/extras/rpms/poppler/F-7/poppler.spec,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- poppler.spec 7 Feb 2008 17:10:05 -0000 1.39
+++ poppler.spec 24 Apr 2008 15:58:51 -0000 1.40
@@ -3,7 +3,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.5.4
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPL
Group: Development/Libraries
URL: http://poppler.freedesktop.org/
@@ -16,6 +16,7 @@
Patch1: poppler-0.5.4-CVE-2007-4352.patch
Patch2: poppler-0.5.4-CVE-2007-5392.patch
Patch3: poppler-0.5.4-CVE-2007-5393.patch
+Patch4: poppler-0.5.4-CVE-2008-1693.patch
BuildRequires: gtk2-devel
BuildRequires: cairo-devel
@@ -80,6 +81,7 @@
%patch1 -p1 -b .CVE-2007-4352
%patch2 -p1 -b .CVE-2007-5392
%patch3 -p1 -b .CVE-2007-5393
+%patch4 -p1 -b .CVE-2008-1693
%build
( cd %{name}-%{version}
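Review bot: Please confirm that `%patch4 -p1` applies without fuzz or offset. The patch header names `poppler-0.5.4/poppler-0.5.4/poppler/CairoFontEngine.cc`, so `-p1` leaves `poppler-0.5.4/poppler/CairoFontEngine.cc`. That is consistent with the `( cd %{name}-%{version}` in `%build` and with the three patches above it. The changelog describes this as a backport of a change from upstream poppler-0.6.2 and later, so the surrounding context may have drifted from 0.5.4. The `-b .CVE-2008-1693` suffix follows the existing naming, which is good.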
@@ -139,6 +141,11 @@
%{_mandir}/man1/*
%changelog
+* Thu Apr 24 2008 Tomas Hoger <thoger at redhat.com> - 0.5.4-9
+- Security update: xpdf embedded font vulnerability
+ CVE-2008-1693 (#441722)
+ (backport patch used in upstream poppler-0.6.2 and later)
+
* Thu Feb 7 2008 Tomas Hoger <thoger at redhat.com> - 0.5.4-8
- Backport patches to address security issues in xpdf code:
CVE-2007-3387 (#248194), CVE-2007-4352 (#345101),