Alerts This Week
Warning Icon 1 770
Alerts This Week
Warning Icon 1 770

Arch Linux ASA-201706-33 High Severity: Poppler Code Execution Threat

Calendar Jun 26, 2017 User Avatar LinuxSecurity Advisories
1 - 2 min read
Archlinux Large Esm H500
Topics%20covered

Topics Covered

security advisory high severity security issue software update arbitrary code execution poppler Arch Linux
The package poppler before version 0.56.0-1 is vulnerable to arbitrary code execution. 
Arch Linux Security Advisory ASA-201706-33
=========================================
Severity: High
Date    : 2017-06-26
CVE-ID  : CVE-2017-9775 CVE-2017-9776
Package : poppler
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-326

Summary
======
The package poppler before version 0.56.0-1 is vulnerable to arbitrary
code execution.

Resolution
=========
Upgrade to 0.56.0-1.

# pacman -Syu "poppler>=0.56.0-1"

The problems have been fixed upstream in version 0.56.0.

Workaround
=========
None.

Description
==========
- CVE-2017-9775 (arbitrary code execution)

A stack buffer overflow in has been found in GfxState.cc's module of
poppler. Due to some restrictions in the lines after the bug, an
attacker can't control the values written in the stack so it unlikely
this could lead to a code execution.

- CVE-2017-9776 (arbitrary code execution)

Integer overflow leading to heap overflow in JBIG2Stream.cc.

Impact
=====
An attacker might be able to execute arbitrary code on the affected
host by tricking the user into opening a crafted PDF document.

References
=========

https://bugs.freedesktop.org/show_bug.cgi?id=101540
https://security.archlinux.org/CVE-2017-9775
https://security.archlinux.org/CVE-2017-9776
Your message here