Debian 10260 Published by

The following updates has been released for Debian GNU/Linux 8 LTS:

DLA 1561-1: phpldapadmin security update
DLA 1562-1: poppler security update



DLA 1561-1: phpldapadmin security update

Package : phpldapadmin
Version : 1.2.2-5.2+deb8u1
CVE ID : CVE-2017-11107
Debian Bug : 867719

It was discovered that there was a cross-site scripting (XSS) vulnerability in
phpldapadmin, a web-based interface for administering LDAP servers.

For Debian 8 "Jessie", this problem has been fixed in version
1.2.2-5.2+deb8u1.

Note: the package changelog mistakenly refers to the non-existent
CVE-2016-11107 identifier. The proper identifier to refer to this issue
is CVE-2017-11107.

We recommend that you upgrade your phpldapadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DLA 1562-1: poppler security update

Package : poppler
Version : 0.26.5-2+deb8u5
CVE ID : CVE-2017-18267 CVE-2018-10768 CVE-2018-13988 CVE-2018-16646
Debian Bug : 898357 909802


Various security issues were discovered in the poppler PDF rendering
shared library.

CVE-2017-18267

The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler
through 0.64.0 allows remote attackers to cause a denial of service
(infinite recursion) via a crafted PDF file, as demonstrated by
pdftops.

The applied fix in FoFiType1C::cvtGlyph prevents infinite recursion
on such malformed documents.

CVE-2018-10768

A NULL pointer dereference in the AnnotPath::getCoordsLength function
in Annot.h in Poppler 0.24.5 had been discovered. A crafted input
will lead to a remote denial of service attack. Later versions of
Poppler such as 0.41.0 are not affected.

The applied patch fixes the crash on AnnotInk::draw for malformed
documents.

CVE-2018-13988

Poppler through 0.62 contains an out of bounds read vulnerability due
to an incorrect memory access that is not mapped in its memory space,
as demonstrated by pdfunite. This can result in memory corruption and
denial of service. This may be exploitable when a victim opens a
specially crafted PDF file.

The applied patch fixes crashes when Object has negative number.
(Specs say, number has to be > 0 and gen >= 0).

For Poppler in Debian jessie, the original upstream patch has been
backported to Poppler's old Object API.


CVE-2018-16646

In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may
cause infinite recursion via a crafted file. A remote attacker can
leverage this for a DoS attack.

A range of upstream patches has been applied to Poppler's XRef.cc in
Debian jessie to consolidate a fix for this issue.


For Debian 8 "Jessie", these problems have been fixed in version
0.26.5-2+deb8u5.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS