
Mageia: 2020-0294 High: PoDoFo Denial Of Service Issues

July 30, 2020
New updates for Mageia resolve serious security flaws in the PoDoFo library, mitigating risks related to denial of service and buffer overflow weaknesses.

Summary

The updated packages fix security vulnerabilities:
A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryptionKey() function in PdfEncrypt.cpp in PoDoFo 0.9.6-rc1 could be leveraged by remote attackers to cause a denial of service via a crafted PDF file. (CVE-2018-12983)
An issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PDF document, pPage->GetObject()->GetDictionary().AddKey(PdfName("MediaBox"),var) dereferences a NULL pPage: GetObject() is called on pPage while its value is 0x0, which causes a NULL pointer dereference. (CVE-2018-20751)
PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. (CVE-2019-9199)
PoDoFo 0.9.6 has a heap-bas...
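The two NULL pointer dereferences above (crop_page, CVE-2018-20751, and PdfTranslator::setSource(), CVE-2019-9199) share one root cause: a pointer obtained while parsing an untrusted document is dereferenced without being checked. The following is an added example, not PoDoFo's code; the PdfPage, PdfObject, PdfDictionary and PdfName classes are constructed stand-ins that only reproduce the call chain quoted in the advisory, and the hardened function's check on the return value of GetObject() is an assumption about how a defensive caller would treat any pointer derived from file input.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <utility>

// Constructed stand-ins for the PoDoFo types named in the advisory. They are
// not PoDoFo's classes; they carry just enough structure to show the chain
// pPage->GetObject()->GetDictionary().AddKey(...) from the CVE text.
class PdfName {
public:
    explicit PdfName(std::string n) : name(std::move(n)) {}
    std::string name;
};

class PdfDictionary {
public:
    void AddKey(const PdfName& key, const std::string& value) { entries[key.name] = value; }
    bool HasKey(const std::string& key) const { return entries.count(key) > 0; }
private:
    std::map<std::string, std::string> entries;
};

class PdfObject {
public:
    PdfDictionary& GetDictionary() { return dict; }
private:
    PdfDictionary dict;
};

class PdfPage {
public:
    PdfObject* GetObject() { return &obj; }
private:
    PdfObject obj;
};

// Vulnerable pattern (as described for CVE-2018-20751): the page pointer is
// the result of walking the document's page tree, so a crafted file can leave
// it null. Calling GetObject() through a null pPage is the NULL dereference.
void cropPageUnchecked(PdfPage* pPage, const std::string& mediaBox) {
    pPage->GetObject()->GetDictionary().AddKey(PdfName("MediaBox"), mediaBox);
}

// Hardened form: treat every pointer derived from untrusted input as possibly
// null, fail closed on a malformed page, and let the caller report it.
bool cropPageChecked(PdfPage* pPage, const std::string& mediaBox) {
    if (pPage == nullptr) {
        return false;  // malformed document: no page object to crop
    }
    PdfObject* obj = pPage->GetObject();  // assumption: may also be null in a real parser
    if (obj == nullptr) {
        return false;
    }
    obj->GetDictionary().AddKey(PdfName("MediaBox"), mediaBox);
    return true;
}

// Accessor so a caller can confirm that the crop was actually applied.
bool pageHasMediaBox(PdfPage& page) {
    return page.GetObject()->GetDictionary().HasKey("MediaBox");
}

int main() {
    PdfPage page;
    std::cout << "valid page cropped: " << cropPageChecked(&page, "[0 0 612 792]") << '\n';
    // A null page, which is what a crafted PDF can produce, is rejected instead of crashing.
    std::cout << "null page rejected: " << !cropPageChecked(nullptr, "[0 0 612 792]") << '\n';
    return 0;
}
```

The same shape applies to setSource() in podofoimpose: the fix is not specific to MediaBox but to validating the object a parser hands back before using it, and returning an error the tool can surface rather than segfaulting on the input.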


References

- https://bugs.mageia.org/show_bug.cgi?id=24385

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y6ZKYPW55PN6XV5XW6KZDIJLWRXON74N/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5Z7UF3AC76HHLSAHVBUQWMYXHR33DR34/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4K6FST3UH3WNUNCIAEEGZJJASCP5ZXUF/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SSB4HRLHF7H3DPNTFPTXUE6EGXXZ5JSZ/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WR6XY3TOLJPLXOGHYPCB42JW3SWRZNY4/

- https://www.cve.org/CVERecord?id=CVE-2018-12983

- https://www.cve.org/CVERecord?id=CVE-2018-20751

- https://www.cve.org/CVERecord?id=CVE-2019-9199

- https://www.cve.org/CVERecord?id=CVE-2019-9687

- https://www.cve.org/CVERecord?id=CVE-2019-20093

Resolution

SRPMS

- 7/core/podofo-0.9.6-1.1.mga7

Publication date: 30 Jul 2020
URL: https://advisories.mageia.org/MGASA-2020-0294.html
Type: security
CVE: CVE-2018-12983, CVE-2018-20751, CVE-2019-9199, CVE-2019-9687, CVE-2019-20093
