Advisories ยป MGASA-2018-0290

Updated poppler packages fix security vulnerability

Publication date: 19 Jun 2018
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-18267 , CVE-2018-10768


The updated packages fix security vulnerabilities:

The FoFiType1C::cvtGlyph function in fofi/ in Poppler through 
0.64.0 allows remote attackers to cause a denial of service (infinite recursion) 
via a crafted PDF file, as demonstrated by pdftops. (CVE-2017-18267)

There is a NULL pointer dereference in the AnnotPath::getCoordsLength function 
in Annot.h in an Ubuntu package for Poppler 0.24.5. A crafted input will lead to 
a remote denial of service attack. Later Ubuntu packages such as for Poppler 
0.41.0 are not affected. (CVE-2018-10768)