| Name | CVE-2009-0146 |
| Description | Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg. |
| Source | CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more) |
| References | DSA-1790-1, DSA-1793-1 |
| NVD severity | medium (attack range: remote, user-initiated) |
| Debian Bugs | 524806, 524809, 524810 |
| Debian/oldstable | not vulnerable. |
| Debian/stable | not vulnerable. |
| Debian/testing | not vulnerable. |
| Debian/unstable | not vulnerable. |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cups (PTS) | squeeze | 1.4.4-7+squeeze5 | fixed |
| squeeze (security) | 1.4.4-7+squeeze4 | fixed | |
| squeeze (lts) | 1.4.4-7+squeeze7 | fixed | |
| wheezy | 1.5.3-5+deb7u4 | fixed | |
| wheezy (security) | 1.5.3-5+deb7u5 | fixed | |
| jessie, sid | 1.7.5-11 | fixed | |
| kdegraphics (PTS) | squeeze | 4:4.4.5-2 | fixed |
| poppler (PTS) | squeeze (security), squeeze | 0.12.4-1.2+squeeze3 | fixed |
| squeeze (lts) | 0.12.4-1.2+squeeze4 | fixed | |
| wheezy | 0.18.4-6 | fixed | |
| jessie, sid | 0.26.5-2 | fixed | |
| swftools (PTS) | wheezy | 0.9.2+ds1-3 | fixed |
| jessie, sid | 0.9.2+git20130725-2 | fixed | |
| xpdf (PTS) | squeeze | 3.02-12+squeeze1 | fixed |
| wheezy | 3.03-10 | fixed | |
| jessie, sid | 3.03-17 | fixed |
The information above is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cups | source | (unstable) | (not affected) | |||
| kdegraphics | source | (unstable) | 4:4.0 | medium | 524810 | |
| kdegraphics | source | etch | 4:3.5.5-3etch3 | medium | DSA-1793-1 | |
| kdegraphics | source | lenny | 4:3.5.9-3+lenny1 | medium | DSA-1793-1 | |
| poppler | source | (unstable) | 0.10.6-1 | medium | 524806 | |
| poppler | source | lenny | 0.8.7-2 | medium | ||
| swftools | source | (unstable) | 0.9.2+ds1-2 | medium | ||
| xpdf | source | (unstable) | 3.02-1.4+lenny1 | medium | 524809 | |
| xpdf | source | etch | 3.01-9.1+etch6 | medium | DSA-1790-1 | |
| xpdf | source | lenny | 3.02-1.4+lenny1 | medium | DSA-1790-1 | |
| xpdf | source | squeeze | 3.02-1.4+lenny1 | medium |
- cups <not-affected> (Uses poppler's pdftops)