Advisories ยป MGASA-2019-0117

Updated poppler packages fix security vulnerabilities

Publication date: 29 Mar 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-20662 , CVE-2019-9200


The updated poppler packages fix security vulnerabilities:

In Poppler 0.72.0, PDFDoc::setup in allows attackers to cause a
denial-of-service (application crash caused by Object.h SIGABRT, because
of a wrong return value from PDFDoc::setup) by crafting a PDF file in
which an xref data structure is mishandled during extractPDFSubtype
processing. (CVE-2018-20662)

A heap-based buffer underwrite exists in ImageStream::getLine() located
at in Poppler 0.74.0 that can (for example) be triggered by
sending a crafted PDF file to the pdfimages binary. It allows an attacker
to cause Denial of Service (Segmentation fault) or possibly have
unspecified other impact. (CVE-2019-9200)