Headline
Red Hat Security Advisory 2023-2259-01
Red Hat Security Advisory 2023-2259-01 - Poppler is a Portable Document Format rendering library, used by applications such as Evince. Issues addressed include an integer overflow vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: poppler security and bug fix update
Advisory ID: RHSA-2023:2259-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2259
Issue date: 2023-05-09
CVE Names: CVE-2022-38784
====================================================================
- Summary:
An update for poppler is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux CRB (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
Poppler is a Portable Document Format (PDF) rendering library, used by
applications such as Evince.
Security Fix(es):
- poppler: integer overflow in JBIG2 decoder using malformed files
(CVE-2022-38784)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 9.2 Release Notes linked from the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2124527 - CVE-2022-38784 poppler: integer overflow in JBIG2 decoder using malformed files
2144768 - Please add various devel packages to CRB 9 to build Scribus in EPEL
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
poppler-21.01.0-14.el9.src.rpm
aarch64:
poppler-21.01.0-14.el9.aarch64.rpm
poppler-cpp-21.01.0-14.el9.aarch64.rpm
poppler-cpp-debuginfo-21.01.0-14.el9.aarch64.rpm
poppler-debuginfo-21.01.0-14.el9.aarch64.rpm
poppler-debugsource-21.01.0-14.el9.aarch64.rpm
poppler-glib-21.01.0-14.el9.aarch64.rpm
poppler-glib-debuginfo-21.01.0-14.el9.aarch64.rpm
poppler-qt5-21.01.0-14.el9.aarch64.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.aarch64.rpm
poppler-utils-21.01.0-14.el9.aarch64.rpm
poppler-utils-debuginfo-21.01.0-14.el9.aarch64.rpm
ppc64le:
poppler-21.01.0-14.el9.ppc64le.rpm
poppler-cpp-21.01.0-14.el9.ppc64le.rpm
poppler-cpp-debuginfo-21.01.0-14.el9.ppc64le.rpm
poppler-debuginfo-21.01.0-14.el9.ppc64le.rpm
poppler-debugsource-21.01.0-14.el9.ppc64le.rpm
poppler-glib-21.01.0-14.el9.ppc64le.rpm
poppler-glib-debuginfo-21.01.0-14.el9.ppc64le.rpm
poppler-qt5-21.01.0-14.el9.ppc64le.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.ppc64le.rpm
poppler-utils-21.01.0-14.el9.ppc64le.rpm
poppler-utils-debuginfo-21.01.0-14.el9.ppc64le.rpm
s390x:
poppler-21.01.0-14.el9.s390x.rpm
poppler-cpp-21.01.0-14.el9.s390x.rpm
poppler-cpp-debuginfo-21.01.0-14.el9.s390x.rpm
poppler-debuginfo-21.01.0-14.el9.s390x.rpm
poppler-debugsource-21.01.0-14.el9.s390x.rpm
poppler-glib-21.01.0-14.el9.s390x.rpm
poppler-glib-debuginfo-21.01.0-14.el9.s390x.rpm
poppler-qt5-21.01.0-14.el9.s390x.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.s390x.rpm
poppler-utils-21.01.0-14.el9.s390x.rpm
poppler-utils-debuginfo-21.01.0-14.el9.s390x.rpm
x86_64:
poppler-21.01.0-14.el9.i686.rpm
poppler-21.01.0-14.el9.x86_64.rpm
poppler-cpp-21.01.0-14.el9.i686.rpm
poppler-cpp-21.01.0-14.el9.x86_64.rpm
poppler-cpp-debuginfo-21.01.0-14.el9.i686.rpm
poppler-cpp-debuginfo-21.01.0-14.el9.x86_64.rpm
poppler-debuginfo-21.01.0-14.el9.i686.rpm
poppler-debuginfo-21.01.0-14.el9.x86_64.rpm
poppler-debugsource-21.01.0-14.el9.i686.rpm
poppler-debugsource-21.01.0-14.el9.x86_64.rpm
poppler-glib-21.01.0-14.el9.i686.rpm
poppler-glib-21.01.0-14.el9.x86_64.rpm
poppler-glib-debuginfo-21.01.0-14.el9.i686.rpm
poppler-glib-debuginfo-21.01.0-14.el9.x86_64.rpm
poppler-qt5-21.01.0-14.el9.i686.rpm
poppler-qt5-21.01.0-14.el9.x86_64.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.i686.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.x86_64.rpm
poppler-utils-21.01.0-14.el9.x86_64.rpm
poppler-utils-debuginfo-21.01.0-14.el9.i686.rpm
poppler-utils-debuginfo-21.01.0-14.el9.x86_64.rpm
Red Hat Enterprise Linux CRB (v. 9):
aarch64:
poppler-cpp-debuginfo-21.01.0-14.el9.aarch64.rpm
poppler-cpp-devel-21.01.0-14.el9.aarch64.rpm
poppler-debuginfo-21.01.0-14.el9.aarch64.rpm
poppler-debugsource-21.01.0-14.el9.aarch64.rpm
poppler-devel-21.01.0-14.el9.aarch64.rpm
poppler-glib-debuginfo-21.01.0-14.el9.aarch64.rpm
poppler-glib-devel-21.01.0-14.el9.aarch64.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.aarch64.rpm
poppler-qt5-devel-21.01.0-14.el9.aarch64.rpm
poppler-utils-debuginfo-21.01.0-14.el9.aarch64.rpm
ppc64le:
poppler-cpp-debuginfo-21.01.0-14.el9.ppc64le.rpm
poppler-cpp-devel-21.01.0-14.el9.ppc64le.rpm
poppler-debuginfo-21.01.0-14.el9.ppc64le.rpm
poppler-debugsource-21.01.0-14.el9.ppc64le.rpm
poppler-devel-21.01.0-14.el9.ppc64le.rpm
poppler-glib-debuginfo-21.01.0-14.el9.ppc64le.rpm
poppler-glib-devel-21.01.0-14.el9.ppc64le.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.ppc64le.rpm
poppler-qt5-devel-21.01.0-14.el9.ppc64le.rpm
poppler-utils-debuginfo-21.01.0-14.el9.ppc64le.rpm
s390x:
poppler-cpp-debuginfo-21.01.0-14.el9.s390x.rpm
poppler-cpp-devel-21.01.0-14.el9.s390x.rpm
poppler-debuginfo-21.01.0-14.el9.s390x.rpm
poppler-debugsource-21.01.0-14.el9.s390x.rpm
poppler-devel-21.01.0-14.el9.s390x.rpm
poppler-glib-debuginfo-21.01.0-14.el9.s390x.rpm
poppler-glib-devel-21.01.0-14.el9.s390x.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.s390x.rpm
poppler-qt5-devel-21.01.0-14.el9.s390x.rpm
poppler-utils-debuginfo-21.01.0-14.el9.s390x.rpm
x86_64:
poppler-cpp-debuginfo-21.01.0-14.el9.i686.rpm
poppler-cpp-debuginfo-21.01.0-14.el9.x86_64.rpm
poppler-cpp-devel-21.01.0-14.el9.i686.rpm
poppler-cpp-devel-21.01.0-14.el9.x86_64.rpm
poppler-debuginfo-21.01.0-14.el9.i686.rpm
poppler-debuginfo-21.01.0-14.el9.x86_64.rpm
poppler-debugsource-21.01.0-14.el9.i686.rpm
poppler-debugsource-21.01.0-14.el9.x86_64.rpm
poppler-devel-21.01.0-14.el9.i686.rpm
poppler-devel-21.01.0-14.el9.x86_64.rpm
poppler-glib-debuginfo-21.01.0-14.el9.i686.rpm
poppler-glib-debuginfo-21.01.0-14.el9.x86_64.rpm
poppler-glib-devel-21.01.0-14.el9.i686.rpm
poppler-glib-devel-21.01.0-14.el9.x86_64.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.i686.rpm
poppler-qt5-debuginfo-21.01.0-14.el9.x86_64.rpm
poppler-qt5-devel-21.01.0-14.el9.i686.rpm
poppler-qt5-devel-21.01.0-14.el9.x86_64.rpm
poppler-utils-debuginfo-21.01.0-14.el9.i686.rpm
poppler-utils-debuginfo-21.01.0-14.el9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-38784
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZFo1C9zjgjWX9erEAQhAwQ//cfv5/zXlIjJrcAFRz+tzee74vEaDBPxp
UehYiSUH/JSa2UcKqV9rICA22UaefU8uCOVusmkzTxrwK2oDpeq+Zw/OHUhM1VYJ
l9jcMODBKUwqJov99AcJIKpCB8CU4CYmWoykc59RokgzHQdUorCDu4w4Es9GXuZo
9pZiT3iHFTngFuk4XKnIYe91npn2WJwYELxWyOM3UE1u7M66TCaeMLHDc6sCqwB2
wINr9CRarBc2cdQ7o+G4Y6VWAl3VGwEe582eTljEDYTxfLcE6CY588pjpzpfmt5j
kVuUdYYVaDAoNpqr5P6dzzdpAoQFY62MkXij5Mz9xV+ey0beP231cCBjwNdkfWE4
Uj7zMxzb6wpE9//bUIcRJkmjf+sO9Y1awffQAKX6sqmV6s/CdwgHNomxLPj+rgud
qN8gzP/b1Pr84DZo7VcBqdeySiqod9zFX95h5slmo+9m0h+BH3XGf5Va4HPfmkXu
6peoRfPnV0EHdkVxZ2zrIqs4dTpjF4qIhMe3fvrfoWppQas/HHEbD4M5x1YcD2MV
iIazPIWwLJSZcJv/8NP3HS0zltGjEDfd1UTjnXwAyEvQLfCwDGn9FNtY1eKxWhmZ
eRR4HwAnZfdg33DXinkn9ddwGTps6+y2dYYLx0mmSVWaYb1eiorGBFXJ5e4ALOA5
gT7mgghhSao=YdPw
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
An update for poppler is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-38784: An integer overflow issue was discovered in Popplers' JBIG2 decoder in the JBIG2Stream::readTextRegionSeg() function in JBIGStream.cc file. This flaw allows an attacker to trick a user into opening a malformed PDF file or JBIG2 image in the application, triggering an integer overflow, which could result in a crash or may lead to the execution of ...
An update for poppler is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-38784: An integer overflow issue was discovered in Popplers' JBIG2 decoder in the JBIG2Stream::readTextRegionSeg() function in JBIGStream.cc file. This flaw allows an attacker to trick a user into opening a malformed PDF file or JBIG2 image in the application, triggering an integer overflow, which could result in a crash or may lead to the execution of ...
Gentoo Linux Security Advisory 202209-21 - A vulnerability has been discovered in Poppler which could allow for arbitrary code execution. Versions less than 22.09.0 are affected.
Ubuntu Security Notice 5606-1 - It was discovered that poppler incorrectly handled certain PDF. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.