6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.5 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.015 Low
EPSS
Percentile
86.9%
Issue Overview:
There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h. A crafted input will lead to a remote denial of service attack. Poppler versions later than 0.41.0 are not affected.(CVE-2018-10768)
The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops.(CVE-2017-18267)
Poppler contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.(CVE-2018-13988)
Affected Packages:
poppler
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update poppler to update your system.
New Packages:
aarch64:
poppler-0.26.5-20.amzn2.aarch64
poppler-devel-0.26.5-20.amzn2.aarch64
poppler-glib-0.26.5-20.amzn2.aarch64
poppler-glib-devel-0.26.5-20.amzn2.aarch64
poppler-qt-0.26.5-20.amzn2.aarch64
poppler-qt-devel-0.26.5-20.amzn2.aarch64
poppler-cpp-0.26.5-20.amzn2.aarch64
poppler-cpp-devel-0.26.5-20.amzn2.aarch64
poppler-utils-0.26.5-20.amzn2.aarch64
poppler-demos-0.26.5-20.amzn2.aarch64
poppler-debuginfo-0.26.5-20.amzn2.aarch64
i686:
poppler-0.26.5-20.amzn2.i686
poppler-devel-0.26.5-20.amzn2.i686
poppler-glib-0.26.5-20.amzn2.i686
poppler-glib-devel-0.26.5-20.amzn2.i686
poppler-qt-0.26.5-20.amzn2.i686
poppler-qt-devel-0.26.5-20.amzn2.i686
poppler-cpp-0.26.5-20.amzn2.i686
poppler-cpp-devel-0.26.5-20.amzn2.i686
poppler-utils-0.26.5-20.amzn2.i686
poppler-demos-0.26.5-20.amzn2.i686
poppler-debuginfo-0.26.5-20.amzn2.i686
src:
poppler-0.26.5-20.amzn2.src
x86_64:
poppler-0.26.5-20.amzn2.x86_64
poppler-devel-0.26.5-20.amzn2.x86_64
poppler-glib-0.26.5-20.amzn2.x86_64
poppler-glib-devel-0.26.5-20.amzn2.x86_64
poppler-qt-0.26.5-20.amzn2.x86_64
poppler-qt-devel-0.26.5-20.amzn2.x86_64
poppler-cpp-0.26.5-20.amzn2.x86_64
poppler-cpp-devel-0.26.5-20.amzn2.x86_64
poppler-utils-0.26.5-20.amzn2.x86_64
poppler-demos-0.26.5-20.amzn2.x86_64
poppler-debuginfo-0.26.5-20.amzn2.x86_64
Red Hat: CVE-2017-18267, CVE-2018-10768, CVE-2018-13988
Mitre: CVE-2017-18267, CVE-2018-10768, CVE-2018-13988
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | poppler | < 0.26.5-20.amzn2 | poppler-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-devel | < 0.26.5-20.amzn2 | poppler-devel-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-glib | < 0.26.5-20.amzn2 | poppler-glib-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-glib-devel | < 0.26.5-20.amzn2 | poppler-glib-devel-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-qt | < 0.26.5-20.amzn2 | poppler-qt-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-qt-devel | < 0.26.5-20.amzn2 | poppler-qt-devel-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-cpp | < 0.26.5-20.amzn2 | poppler-cpp-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-cpp-devel | < 0.26.5-20.amzn2 | poppler-cpp-devel-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-utils | < 0.26.5-20.amzn2 | poppler-utils-0.26.5-20.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | poppler-demos | < 0.26.5-20.amzn2 | poppler-demos-0.26.5-20.amzn2.aarch64.rpm |
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
6.5 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.015 Low
EPSS
Percentile
86.9%