Headline
Ubuntu Security Notice USN-6508-1
Ubuntu Security Notice 6508-1 - It was discovered that poppler incorrectly handled certain malformed PDF files. If a user or an automated system were tricked into opening a specially crafted PDF file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS (CVE-2020-23804). It was discovered that poppler incorrectly handled certain malformed PDF files. If a user or an automated system were tricked into opening a specially crafted PDF file, a remote attacker could possibly use this issue to cause a denial of service (CVE-2022-37050, CVE-2022-37051, CVE-2022-37052, CVE-2022-38349).
==========================================================================
Ubuntu Security Notice USN-6508-1
November 23, 2023

poppler vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in poppler.

Software Description:
- poppler: PDF rendering library

Details:

It was discovered that poppler incorrectly handled certain malformed PDF
files. If a user or an automated system were tricked into opening a
specially crafted PDF file, a remote attacker could possibly use this
issue to cause a denial of service. This issue only affected Ubuntu 16.04
LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-23804)

It was discovered that poppler incorrectly handled certain malformed PDF
files. If a user or an automated system were tricked into opening a
specially crafted PDF file, a remote attacker could possibly use this
issue to cause a denial of service. (CVE-2022-37050, CVE-2022-37051,
CVE-2022-37052, CVE-2022-38349)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.04 LTS:
  libpoppler118                   22.02.0-2ubuntu0.3
  poppler-utils                   22.02.0-2ubuntu0.3

Ubuntu 20.04 LTS:
  libpoppler97                    0.86.1-0ubuntu1.4
  poppler-utils                   0.86.1-0ubuntu1.4

Ubuntu 18.04 LTS (Available with Ubuntu Pro):
  libpoppler73                    0.62.0-2ubuntu2.14+esm2
  poppler-utils                   0.62.0-2ubuntu2.14+esm2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
  libpoppler58                    0.41.0-0ubuntu1.16+esm4
  poppler-utils                   0.41.0-0ubuntu1.16+esm4

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6508-1
  CVE-2020-23804, CVE-2022-37050, CVE-2022-37051, CVE-2022-37052,
  CVE-2022-38349

Package Information:
  https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.3
  https://launchpad.net/ubuntu/+source/poppler/0.86.1-0ubuntu1.4
Related news
Uncontrolled recursion in pdfinfo and pdftops in poppler 0.89.0 allows remote attackers to cause a denial of service via crafted input.
In Poppler 22.07.0, PDFDoc::savePageAs in PDFDoc.cc allows attackers to cause a denial of service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.
An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.
A reachable Object::getString assertion in Poppler 22.07.0 allows attackers to cause a denial of service due to a failure in markObject.
An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, which leads to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.