Advisories ยป MGASA-2017-0276

Updated poppler packages fix security vulnerabilities

Publication date: 17 Aug 2017
Modification date: 17 Aug 2017
Type: security
Affected Mageia releases : 5
CVE: CVE-2017-7511 , CVE-2017-7515 , CVE-2017-9406 , CVE-2017-9408 , CVE-2017-9775 , CVE-2017-9776 , CVE-2017-9865

Description

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed
certain malformed PDF documents. If a user or automated system were tricked
into opening a crafted PDF file, an attacker could cause poppler to crash,
resulting in a denial of service (CVE-2017-7511).

It was discovered that the poppler pdfunite tool incorrectly parsed certain
malformed PDF documents. If a user or automated system were tricked into
opening a crafted PDF file, an attacker could cause poppler to hang,
resulting in a denial of service (CVE-2017-7515).

It was discovered that poppler incorrectly handled memory when processing
PDF documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause poppler to consume resources,
resulting in a denial of service (CVE-2017-9406, CVE-2017-9408).

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler
pdftocairo tool incorrectly parsed certain malformed PDF documents. If a
user or automated system were tricked into opening a crafted PDF file, an
attacker could cause poppler to crash, resulting in a denial of service
(CVE-2017-9775).

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in
pdftocairo in Poppler allows attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
PDF document (CVE-2017-9776).

The function GfxImageColorMap::getGray in GfxState.cc in Poppler allows
attackers to cause a denial of service (stack-based buffer over-read and
application crash) via a crafted PDF document, related to missing color-map
validation in ImageOutputDev.cc (CVE-2017-9865).
                

References

SRPMS

5/core