xpdf 3.02-1.4+lenny1ubuntu1 source package in Ubuntu

Changelog

xpdf (3.02-1.4+lenny1ubuntu1) lucid; urgency=low

  * Merge from Debian unstable, remaining changes:
    - patch 09_xpdfrc_manpage.dpatch for xpdfrc.5
    - debian/control: modified build-depends on an obsolete package (x-dev)
    - do-not-make-ps-arrays-bigger-than-64k-from-big-images-in-patterns.dpatch:
      pdftops produced wrong PostScript when a large image is in a
      pattern in the input file
  * Remove lesstif2 build hack. Patches 40_lesstif_copy.dpatch and
    41_lesstif_cpp.dpatch are dropped, configure parameter is changed to
    --with-Xm-includes=/usr/include/Xm, build dependency on lesstif2-dev
    is versioned. This fixes FTBFS. Patch from BTS 458763, thanks to
    Moritz Muehlenhoff.

xpdf (3.02-1.4+lenny1) stable-security; urgency=high

  * Non-maintainer upload.
  * This update fixes various security issues (Closes: #524809):
    - CVE-2009-0146: Multiple buffer overflows in the JBIG2 decoder in Xpdf
      3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
      remote attackers to cause a denial of service (crash) via a crafted PDF
      file, related to (1) JBIG2SymbolDict::setBitmap and (2)
      JBIG2Stream::readSymbolDictSeg.
    - CVE-2009-0147: Multiple integer overflows in the JBIG2 decoder in Xpdf
      3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow
      remote attackers to cause a denial of service (crash) via a crafted PDF
      file, related to (1) JBIG2Stream::readSymbolDictSeg, (2)
      JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.
    - CVE-2009-0165: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
      earlier, as used in Poppler and other products, when running on Mac OS X,
      has unspecified impact, related to "g*allocn."
    - CVE-2009-0166: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
      and earlier, and other products allows remote attackers to cause a denial
      of service (crash) via a crafted PDF file that triggers a free of
      uninitialized memory.
    - CVE-2009-0799: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
      and earlier, Poppler before 0.10.6, and other products allows remote
      attackers to cause a denial of service (crash) via a crafted PDF file
      that triggers an out-of-bounds read.
    - CVE-2009-0800: Multiple "input validation flaws" in the JBIG2 decoder in
      Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6,
      and other products allow remote attackers to execute arbitrary code via
      a crafted PDF file.
    - CVE-2009-1179: Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and
      earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
      allows remote attackers to execute arbitrary code via a crafted PDF file.
    - CVE-2009-1180: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
      and earlier, Poppler before 0.10.6, and other products allows remote
      attackers to execute arbitrary code via a crafted PDF file that triggers
      a free of invalid data.
    - CVE-2009-1181: The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9
      and earlier, Poppler before 0.10.6, and other products allows remote
      attackers to cause a denial of service (crash) via a crafted PDF file that
      triggers a NULL pointer dereference.
    - CVE-2009-1182: Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf
      3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and
      other products allow remote attackers to execute arbitrary code via a
      crafted PDF file.
    - CVE-2009-1183: The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS
      1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote
      attackers to cause a denial of service (infinite loop and hang) via a
      crafted PDF file.

 -- Ilya Barygin <email address hidden>  Wed, 20 Jan 2010 22:07:02 +0300

Upload details

Uploaded by: Ilya Barygin
Uploaded to: Lucid
Original maintainer: Ubuntu Development Team
Architectures: any
Section: text
Urgency: Very Urgent

Downloads

File                                 Size       SHA-256 Checksum
xpdf_3.02.orig.tar.gz                659.1 KiB  b33a7d56f454c331ae50996f989e86c9166e57af97b74de28cddf3d51ac11f00
xpdf_3.02-1.4+lenny1ubuntu1.diff.gz  43.8 KiB   45375dedd79cc7d6c99b67b9d0d8fbfdaf34895d3e1be66b5f2b0ef4f9367f7f
xpdf_3.02-1.4+lenny1ubuntu1.dsc      1.7 KiB    28d8a394c688257e25674d66d3b8c8f510ff43cdcfe317d9ffe544efc32b5514

Binary packages built by this source

xpdf: No summary available for xpdf in ubuntu lucid.

No description available for xpdf in ubuntu lucid.

xpdf-common: No summary available for xpdf-common in ubuntu lucid.

No description available for xpdf-common in ubuntu lucid.

xpdf-reader: No summary available for xpdf-reader in ubuntu lucid.

No description available for xpdf-reader in ubuntu lucid.

xpdf-utils: No summary available for xpdf-utils in ubuntu lucid.

No description available for xpdf-utils in ubuntu lucid.