Updated poppler packages fix security vulnerability
Publication date: 19 Jun 2018
Modification date: 19 Jun 2018
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-18267, CVE-2018-10768
Description
The updated packages fix security vulnerabilities:

The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops. (CVE-2017-18267)

There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h in an Ubuntu package for Poppler 0.24.5. A crafted input will lead to a remote denial of service attack. Later Ubuntu packages such as for Poppler 0.41.0 are not affected. (CVE-2018-10768)
SRPMS
5/core
- poppler-0.26.5-2.9.mga5
6/core
- poppler-0.52.0-3.7.mga6
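
To check a host against the builds listed above, the following added example (not part of the Mageia advisory) compares an installed source-package string with the fixed build for its release. It assumes the string comes from something like `rpm -q --qf '%{SOURCERPM}\n' <package>`, uses a simplified rpm-style version comparison (no epoch, tilde or caret handling), and its function names are hypothetical.

```python
import re
from itertools import zip_longest

# Fixed source package builds, copied from the SRPMS list of this advisory.
FIXED = {"mga5": "poppler-0.26.5-2.9.mga5", "mga6": "poppler-0.52.0-3.7.mga6"}


def segments(s):
    # Digit runs become ints, letter runs stay strings, separators are dropped.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def vercmp(a, b):
    """Simplified rpm-style compare: returns -1, 0 or 1."""
    for x, y in zip_longest(segments(a), segments(b)):
        if x is None:
            return -1          # a ran out of segments first, so b is newer
        if y is None:
            return 1
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1   # numeric beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return 0


def split_nvr(nvr):
    # "poppler-0.26.5-2.9.mga5[.src.rpm]" -> ("poppler", "0.26.5", "2.9.mga5")
    if nvr.endswith(".src.rpm"):
        nvr = nvr[: -len(".src.rpm")]
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(installed_nvr):
    """True if the installed build is at or past the advisory's fixed build."""
    name, ver, rel = split_nvr(installed_nvr)
    dist = rel.rsplit(".", 1)[-1]          # "mga5" or "mga6"
    if name != "poppler" or dist not in FIXED:
        raise ValueError("not covered by this advisory: " + installed_nvr)
    _, fixed_ver, fixed_rel = split_nvr(FIXED[dist])
    # Version decides first; release breaks the tie.
    return (vercmp(ver, fixed_ver) or vercmp(rel, fixed_rel)) >= 0


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    for sample in ("poppler-0.26.5-2.8.mga5.src.rpm", "poppler-0.52.0-3.7.mga6.src.rpm"):
        print(sample, "patched" if is_patched(sample) else "VULNERABLE")
```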