Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 438
Alerts This Week
Warning Icon 1 438

Debian Jessie DLA-1562-1 Critical: Poppler DoS Attacks Addressed

debian lts
Calendar Grey October 31, 2018
Dist Debian Esm H88
Poppler library revised to address significant vulnerabilities. Users urged to upgrade for enhanced defense against potential threats.
Various security issues were discovered in the poppler PDF rendering shared library

Summary

CVE-2017-18267

The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler
through 0.64.0 allows remote attackers to cause a denial of service
(infinite recursion) via a crafted PDF file, as demonstrated by
pdftops.

The applied fix in FoFiType1C::cvtGlyph prevents infinite recursion
on such malformed documents.

CVE-2018-10768

A NULL pointer dereference in the AnnotPath::getCoordsLength function
in Annot.h in Poppler 0.24.5 had been discovered. A crafted input
will lead to a remote denial of service attack. Later versions of
Poppler such as 0.41.0 are not affected.

The applied patch fixes the crash on AnnotInk::draw for malformed
documents.

CVE-2018-13988

Poppler through 0.62 contains an out of bounds read vulnerability due
to an incorrect memory access that is not mapped in its memory space,
as demonstrated by pdfunite. This can result in memory corruption and
denial of service. This may be exploitable when a victim opens a

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

<pre><font face="Courier">Package: poppler
Version: 0.26.5-2+deb8u5
CVE ID: CVE-2017-18267 CVE-2018-10768 CVE-2018-13988 CVE-2018-16646
Debian Bug: 898357 909802

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.