Basic search

K
suseSuseOPENSUSE-SU-2019:0066-1
HistoryJan 18, 2019 - 12:00 a.m.

Security update for podofo (important)

2019-01-1800:00:00
lists.opensuse.org
260

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

70.4%

An update that fixes 20 vulnerabilities is now available.

Description:

This update for podofo version 0.9.6 fixes the following issues:

Security issues fixed:

  • CVE-2017-5852: Fix a infinite loop in
    PoDoFo::PdfPage::GetInheritedKeyFromObject (PdfPage.cpp) (boo#1023067)
  • CVE-2017-5854: Fix a NULL pointer dereference in PdfOutputStream.cpp
    (boo#1023070)
  • CVE-2017-5886: Fix a heap-based buffer overflow in
    PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp) (boo#1023380)
  • CVE-2017-6844: Fix a buffer overflow in
    PoDoFo::PdfParser::ReadXRefSubsection (PdfParser.cpp) (boo#1027782)
  • CVE-2017-6847: Fix a NULL pointer dereference in
    PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h) (boo#1027778)
  • CVE-2017-7379: Fix a heap-based buffer overflow in
    PoDoFo::PdfSimpleEncoding::ConvertToEncoding (PdfEncoding.cpp)
    (boo#1032018)
  • CVE-2018-5296: Fix a denial of service in the ReadXRefSubsection
    function (boo#1075021)
  • CVE-2018-5309: Fix a integer overflow in the ReadObjectsFromStream
    function (boo#1075322)
  • CVE-2017-5853: Fix a signed integer overflow in PdfParser.cpp
    (boo#1023069)
  • CVE-2017-5855: Fix a NULL pointer dereference in the ReadXRefSubsection
    function (boo#1023071)
  • CVE-2017-6840: Fix a invalid memory read in the GetColorFromStack
    function (boo#1027787)
  • CVE-2017-6845: Fix a NULL pointer dereference in the
    SetNonStrokingColorSpace function (boo#1027779)
  • CVE-2017-7378: Fix a heap-based buffer overflow in the ExpandTabs
    function (boo#1032017)
  • CVE-2017-7380: Fix four null pointer dereferences (boo#1032019)
  • CVE-2017-8054: Fix a denial of service in the GetPageNodeFromArray
    function (boo#1035596)
  • CVE-2018-5295: Fix a integer overflow in the ParseStream function
    (boo#1075026)
  • CVE-2018-5308: Fix undefined behavior in the
    PdfMemoryOutputStream::Write function (boo#1075772)
  • CVE-2018-8001: Fix a heap overflow read vulnerability in the
    UnescapeName function (boo#1084894)
  • CVE-2017-7994, CVE-2017-8787: Fix a denial of service via a crafted PDF
    document (boo#1035534, boo#1037739)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 42.3:

    zypper in -t patch openSUSE-2019-66=1

OSVersionArchitecturePackageVersionFilename
openSUSE Leap42.3i586< - openSUSE Leap 42.3 (i586 x86_64):- openSUSE Leap 42.3 (i586 x86_64):.i586.rpm
openSUSE Leap42.3x86_64< - openSUSE Leap 42.3 (i586 x86_64):- openSUSE Leap 42.3 (i586 x86_64):.x86_64.rpm

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

70.4%

Related for OPENSUSE-SU-2019:0066-1