Updated poppler packages fix security vulnerabilities
Publication date: 17 Aug 2017
Modification date: 17 Aug 2017
Type: security
Affected Mageia releases: 5
CVE: CVE-2017-7511, CVE-2017-7515, CVE-2017-9406, CVE-2017-9408, CVE-2017-9775, CVE-2017-9776, CVE-2017-9865
Description
Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to hang, resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to consume resources, resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler pdftocairo tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service (CVE-2017-9775).

An integer overflow leading to a heap buffer overflow in JBIG2Stream.cc in pdftocairo in Poppler allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document (CVE-2017-9776).

The function GfxImageColorMap::getGray in GfxState.cc in Poppler allows attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in ImageOutputDev.cc (CVE-2017-9865).
References
- https://bugs.mageia.org/show_bug.cgi?id=21038
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MPWSH7JKKVEIEQEEILCRHTF7HL7BSYW4/
- https://www.ubuntu.com/usn/usn-3350-1/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7G2XFEFF6S2H4DRDPUXBUWPEEDGE37EG/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7511
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7515
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9406
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9408
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9775
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9776
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
SRPMS
5/core
- poppler-0.26.5-2.3.mga5