Security Advisory Important: poppler security and bug fix update

Advisory: RHSA-2009:1504-1
Type: Security Advisory
Severity: Important
Issued on: 2009-10-15
Last updated on: 2009-10-15
Affected Products:
  RHEL Desktop Workstation (v. 5 client)
  Red Hat Enterprise Linux (v. 5 server)
  Red Hat Enterprise Linux Desktop (v. 5 client)
  Red Hat Enterprise Linux EUS (v. 5.4.z server)
OVAL: com.redhat.rhsa-20091504.xml
CVEs (cve.mitre.org):
  CVE-2009-3603
  CVE-2009-3608
  CVE-2009-3609

Details

Updated poppler packages that fix multiple security issues and a bug are
now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Poppler is a Portable Document Format (PDF) rendering library, used by
applications such as Evince.

Multiple integer overflow flaws were found in poppler. An attacker could
create a malicious PDF file that would cause applications that use poppler
(such as Evince) to crash or, potentially, execute arbitrary code when
opened. (CVE-2009-3603, CVE-2009-3608, CVE-2009-3609)
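To make the flaw class concrete, the following C++ snippet is an illustrative example added to this advisory; it is not poppler's source, and the function names, the parameter limits and the exact form of the guard are assumptions. It shows the kind of size computation a bitmap or image-stream constructor performs from dimensions read out of the PDF (/Width, /Height, /BitsPerComponent, colour-space component count), which is the sort of arithmetic behind constructor overflows such as the SplashBitmap and ImageStream entries listed under Bugs fixed: first as an unchecked 32-bit product, then guarded so that an out-of-range product is rejected before any allocation happens.

```cpp
#include <cstdint>
#include <iostream>

// All four parameters come straight from the PDF image dictionary and are
// attacker-controlled. Unchecked: the row size is a 32-bit product, so a large
// /Width wraps. uint32_t keeps the wrap well defined in this demo; on a signed
// int the same wrap is undefined behaviour but compiles to the same code.
uint32_t row_bytes_unchecked(uint32_t width, uint32_t ncomps, uint32_t nbits)
{
    return (width * ncomps * nbits + 7) / 8;
}

// Checked: refuse any parameters whose product could not fit, before multiplying.
// Returns the row size in bytes, or -1 when the dimensions are out of range.
// The limits on ncomps and nbits are this example's assumptions, not poppler's.
long long row_bytes_checked(uint32_t width, uint32_t ncomps, uint32_t nbits)
{
    if (width == 0 || ncomps == 0 || nbits == 0 || ncomps > 32 || nbits > 16)
        return -1;                               // no real image looks like this
    if (ncomps > UINT32_MAX / width)
        return -1;                               // width * ncomps would wrap
    uint32_t wc = width * ncomps;
    if (nbits > (UINT32_MAX - 7) / wc)
        return -1;                               // wc * nbits + 7 would wrap
    return (wc * nbits + 7) / 8;
}

// Whole-image allocation size with the same discipline on the height multiply.
long long image_bytes_checked(uint32_t width, uint32_t height,
                              uint32_t ncomps, uint32_t nbits)
{
    long long row = row_bytes_checked(width, ncomps, nbits);
    if (row < 0 || height == 0 || (uint32_t)row > UINT32_MAX / height)
        return -1;
    return row * height;
}

// What the unchecked path would hand to the allocator for the whole image ...
uint32_t wrapped_alloc_size(uint32_t width, uint32_t height,
                            uint32_t ncomps, uint32_t nbits)
{
    return row_bytes_unchecked(width, ncomps, nbits) * height;
}

// ... versus how many bytes a decoder that trusts the same /Width will write.
unsigned long long bytes_decoder_writes(uint32_t width, uint32_t height,
                                        uint32_t ncomps, uint32_t nbits)
{
    unsigned long long row = ((unsigned long long)width * ncomps * nbits + 7) / 8;
    return row * height;
}

int main()
{
    // Constructed dimensions: /Width 536870913, 1 component, 8 bits per component.
    // width * ncomps * nbits is 2^32 + 8, which wraps to 8, so the unchecked row
    // size is a single byte while the decoder writes 536870913 bytes.
    const uint32_t w = 536870913u, h = 1, nc = 1, nb = 8;
    std::cout << "unchecked allocation: " << wrapped_alloc_size(w, h, nc, nb)
              << " byte(s), decoder writes " << bytes_decoder_writes(w, h, nc, nb)
              << " byte(s)\n";
    std::cout << "checked: " << row_bytes_checked(w, nc, nb) << " (rejected)\n";
    std::cout << "normal 1000x500 RGB/8: " << image_bytes_checked(1000, 500, 3, 8)
              << " bytes\n";
    return 0;
}
```

The rejected case is the one that matters: with the unchecked arithmetic the constructor allocates one byte per row, and a decoder that trusts the same /Width then writes half a gigabyte into it, which is the crash-or-arbitrary-code outcome the advisory describes. The guard divides rather than multiplies so that it cannot itself overflow; computing the product in a wider type works just as well, provided the final size is still range-checked against what the allocator and every consumer of the buffer can address.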

Red Hat would like to thank Chris Rohlf for reporting the CVE-2009-3608
issue.

This update also corrects a regression introduced in the previous poppler
security update, RHSA-2009:0480, that prevented poppler from rendering
certain PDF documents correctly. (BZ#528147)

Users are advised to upgrade to these updated packages, which contain
backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
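A practical check before and after applying the update, given here as an added example and not as anything Red Hat ships: compare the installed poppler version-release against the fixed one from the package list in this advisory (0.5.4-4.4.el5_4.11). Version strings cannot be compared as plain text (4.4.el5_4.9 would sort after 4.4.el5_4.11), so the snippet implements RPM's segment-wise comparison rules. The struct and function names are this example's own, and the tilde and caret handling of later RPM releases is omitted.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Compare two version or release strings by RPM's rules (the algorithm its
// rpmvercmp() follows): split into runs of digits or letters, compare digit
// runs numerically and letter runs lexically, and rank a digit run above a
// letter run. Returns -1, 0 or 1.
int rpmvercmp(const std::string &a, const std::string &b)
{
    if (a == b) return 0;
    size_t i = 0, j = 0;
    auto run = [](const std::string &s, size_t &k, bool digits) {
        size_t start = k;
        while (k < s.size() && (digits ? std::isdigit((unsigned char)s[k]) != 0
                                       : std::isalpha((unsigned char)s[k]) != 0))
            ++k;
        return s.substr(start, k - start);
    };
    while (i < a.size() || j < b.size()) {
        while (i < a.size() && !std::isalnum((unsigned char)a[i])) ++i;  // separators
        while (j < b.size() && !std::isalnum((unsigned char)b[j])) ++j;
        if (i >= a.size() || j >= b.size()) break;
        bool numeric = std::isdigit((unsigned char)a[i]) != 0;
        std::string sa = run(a, i, numeric), sb = run(b, j, numeric);
        if (sb.empty()) return numeric ? 1 : -1;     // digit run vs letter run
        if (numeric) {
            sa.erase(0, sa.find_first_not_of('0'));  // drop leading zeros
            sb.erase(0, sb.find_first_not_of('0'));
            if (sa.size() != sb.size()) return sa.size() > sb.size() ? 1 : -1;
        }
        int c = sa.compare(sb);
        if (c != 0) return c < 0 ? -1 : 1;
    }
    if (i >= a.size() && j >= b.size()) return 0;
    // One side has leftovers: a trailing letter run makes that side older.
    if (i >= a.size()) return std::isalpha((unsigned char)b[j]) ? 1 : -1;
    return std::isalpha((unsigned char)a[i]) ? -1 : 1;
}

struct Evr { std::string epoch, version, release; };

// Parse "[EPOCH:]VERSION-RELEASE". A missing epoch counts as 0, as RPM does;
// rpm's query format prints "(none)" for an unset epoch, mapped to 0 as well.
Evr parse_evr(const std::string &s)
{
    Evr e;
    std::string rest = s;
    size_t colon = rest.find(':');
    if (colon != std::string::npos) { e.epoch = rest.substr(0, colon); rest.erase(0, colon + 1); }
    if (e.epoch.empty() || e.epoch == "(none)") e.epoch = "0";
    size_t dash = rest.rfind('-');
    if (dash == std::string::npos) e.version = rest;
    else { e.version = rest.substr(0, dash); e.release = rest.substr(dash + 1); }
    return e;
}

int evrcmp(const std::string &a, const std::string &b)
{
    Evr x = parse_evr(a), y = parse_evr(b);
    int c = rpmvercmp(x.epoch, y.epoch);
    if (c == 0) c = rpmvercmp(x.version, y.version);
    if (c == 0) c = rpmvercmp(x.release, y.release);
    return c;
}

// Fixed version-release taken from this advisory's package list.
const std::string FIXED_POPPLER_EVR = "0.5.4-4.4.el5_4.11";

bool poppler_is_fixed(const std::string &installed_evr)
{
    return evrcmp(installed_evr, FIXED_POPPLER_EVR) >= 0;
}

int main(int argc, char **argv)
{
    // Usage: evrcheck "$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' poppler)"
    // With no argument a constructed, older release string is checked instead.
    std::string installed = argc > 1 ? argv[1] : "0.5.4-4.4.el5_4.9";
    bool ok = poppler_is_fixed(installed);
    std::cout << "poppler " << installed << (ok ? " is at or past " : " is older than ")
              << FIXED_POPPLER_EVR << " (RHSA-2009:1504)\n";
    return ok ? 0 : 1;
}
```

Run it against the output of rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' poppler on each host; a result at or beyond the fixed version-release closes this advisory for that host, anything below it is still exposed. The check reads the RPM database only: applications such as Evince that were already running when the package was upgraded keep the old library mapped until they are restarted.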

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
poppler-0.5.4-4.4.el5_4.11.src.rpm     594937542f07f2204f418e83149d53cd
 
IA-32:
poppler-devel-0.5.4-4.4.el5_4.11.i386.rpm     f44ff66ef34fc63350ea5cc55d610ac8
 
x86_64:
poppler-devel-0.5.4-4.4.el5_4.11.i386.rpm     f44ff66ef34fc63350ea5cc55d610ac8
poppler-devel-0.5.4-4.4.el5_4.11.x86_64.rpm     b6094ca8210ae2b8e2c44df53c5ca46c
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
poppler-0.5.4-4.4.el5_4.11.src.rpm     594937542f07f2204f418e83149d53cd
 
IA-32:
poppler-0.5.4-4.4.el5_4.11.i386.rpm     3232ece506e2932a19f5442b6d4af45e
poppler-devel-0.5.4-4.4.el5_4.11.i386.rpm     f44ff66ef34fc63350ea5cc55d610ac8
poppler-utils-0.5.4-4.4.el5_4.11.i386.rpm     0b821d2a158b2c7f9126b783eb8d5f1c
 
IA-64:
poppler-0.5.4-4.4.el5_4.11.ia64.rpm     87a33c26812432564b9732c208a585fc
poppler-devel-0.5.4-4.4.el5_4.11.ia64.rpm     ece6628d9b292c006b754e451b000f60
poppler-utils-0.5.4-4.4.el5_4.11.ia64.rpm     996cc8114528b931f80d944d52c9b724
 
PPC:
poppler-0.5.4-4.4.el5_4.11.ppc.rpm     4cf313e36b1beee6d43c551002f9923d
poppler-0.5.4-4.4.el5_4.11.ppc64.rpm     770849396d8edae316d3c9b4405c7664
poppler-devel-0.5.4-4.4.el5_4.11.ppc.rpm     7571f27dc53969bdd79560db72b10765
poppler-devel-0.5.4-4.4.el5_4.11.ppc64.rpm     c51e17cb3e412ff0d7ed4807d3c1c4b5
poppler-utils-0.5.4-4.4.el5_4.11.ppc.rpm     f62c57581a4b5aa55fa4d9808e7fe9da
 
s390x:
poppler-0.5.4-4.4.el5_4.11.s390.rpm     2e77b7af51703f130e0b4fb6eb8b382a
poppler-0.5.4-4.4.el5_4.11.s390x.rpm     27f390629e31fc5983be025972d87991
poppler-devel-0.5.4-4.4.el5_4.11.s390.rpm     9093aa21c8b8256decea594f586845f5
poppler-devel-0.5.4-4.4.el5_4.11.s390x.rpm     af389da4ab49624fa09842218ea2b984
poppler-utils-0.5.4-4.4.el5_4.11.s390x.rpm     66281239438c19ecc0ddd8567a4ff5ce
 
x86_64:
poppler-0.5.4-4.4.el5_4.11.i386.rpm     3232ece506e2932a19f5442b6d4af45e
poppler-0.5.4-4.4.el5_4.11.x86_64.rpm     18269e1b077ef20d7496775ffb726539
poppler-devel-0.5.4-4.4.el5_4.11.i386.rpm     f44ff66ef34fc63350ea5cc55d610ac8
poppler-devel-0.5.4-4.4.el5_4.11.x86_64.rpm     b6094ca8210ae2b8e2c44df53c5ca46c
poppler-utils-0.5.4-4.4.el5_4.11.x86_64.rpm     7b9ac6305ba6350d8807aaa8df254a28
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
poppler-0.5.4-4.4.el5_4.11.src.rpm     594937542f07f2204f418e83149d53cd
 
IA-32:
poppler-0.5.4-4.4.el5_4.11.i386.rpm     3232ece506e2932a19f5442b6d4af45e
poppler-utils-0.5.4-4.4.el5_4.11.i386.rpm     0b821d2a158b2c7f9126b783eb8d5f1c
 
x86_64:
poppler-0.5.4-4.4.el5_4.11.i386.rpm     3232ece506e2932a19f5442b6d4af45e
poppler-0.5.4-4.4.el5_4.11.x86_64.rpm     18269e1b077ef20d7496775ffb726539
poppler-utils-0.5.4-4.4.el5_4.11.x86_64.rpm     7b9ac6305ba6350d8807aaa8df254a28
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
poppler-0.5.4-4.4.el5_4.11.src.rpm     594937542f07f2204f418e83149d53cd
 
IA-32:
poppler-0.5.4-4.4.el5_4.11.i386.rpm     3232ece506e2932a19f5442b6d4af45e
poppler-devel-0.5.4-4.4.el5_4.11.i386.rpm     f44ff66ef34fc63350ea5cc55d610ac8
poppler-utils-0.5.4-4.4.el5_4.11.i386.rpm     0b821d2a158b2c7f9126b783eb8d5f1c
 
IA-64:
poppler-0.5.4-4.4.el5_4.11.ia64.rpm     87a33c26812432564b9732c208a585fc
poppler-devel-0.5.4-4.4.el5_4.11.ia64.rpm     ece6628d9b292c006b754e451b000f60
poppler-utils-0.5.4-4.4.el5_4.11.ia64.rpm     996cc8114528b931f80d944d52c9b724
 
PPC:
poppler-0.5.4-4.4.el5_4.11.ppc.rpm     4cf313e36b1beee6d43c551002f9923d
poppler-0.5.4-4.4.el5_4.11.ppc64.rpm     770849396d8edae316d3c9b4405c7664
poppler-devel-0.5.4-4.4.el5_4.11.ppc.rpm     7571f27dc53969bdd79560db72b10765
poppler-devel-0.5.4-4.4.el5_4.11.ppc64.rpm     c51e17cb3e412ff0d7ed4807d3c1c4b5
poppler-utils-0.5.4-4.4.el5_4.11.ppc.rpm     f62c57581a4b5aa55fa4d9808e7fe9da
 
s390x:
poppler-0.5.4-4.4.el5_4.11.s390.rpm     2e77b7af51703f130e0b4fb6eb8b382a
poppler-0.5.4-4.4.el5_4.11.s390x.rpm     27f390629e31fc5983be025972d87991
poppler-devel-0.5.4-4.4.el5_4.11.s390.rpm     9093aa21c8b8256decea594f586845f5
poppler-devel-0.5.4-4.4.el5_4.11.s390x.rpm     af389da4ab49624fa09842218ea2b984
poppler-utils-0.5.4-4.4.el5_4.11.s390x.rpm     66281239438c19ecc0ddd8567a4ff5ce
 
x86_64:
poppler-0.5.4-4.4.el5_4.11.i386.rpm     3232ece506e2932a19f5442b6d4af45e
poppler-0.5.4-4.4.el5_4.11.x86_64.rpm     18269e1b077ef20d7496775ffb726539
poppler-devel-0.5.4-4.4.el5_4.11.i386.rpm     f44ff66ef34fc63350ea5cc55d610ac8
poppler-devel-0.5.4-4.4.el5_4.11.x86_64.rpm     b6094ca8210ae2b8e2c44df53c5ca46c
poppler-utils-0.5.4-4.4.el5_4.11.x86_64.rpm     7b9ac6305ba6350d8807aaa8df254a28
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

526637 - CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016)
526893 - CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream integer overflow
526915 - CVE-2009-3603 xpdf/poppler: SplashBitmap::SplashBitmap integer overflow
528147 - latest poppler security fix breaks compatibility with Xerox WorkCentre generated pdf documents


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/