SUSE-SU-2018:2481-1: moderate: Security update for podofo
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Wed Aug 22 13:08:23 MDT 2018
SUSE Security Update: Security update for podofo
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:2481-1
Rating: moderate
References: #1023067 #1023069 #1023070 #1023071 #1023380
#1027778 #1027782 #1027787 #1032017 #1032018
#1032019 #1035534 #1035596 #1037739 #1075772
#1084894
Cross-References: CVE-2017-5852 CVE-2017-5853 CVE-2017-5854
CVE-2017-5855 CVE-2017-5886 CVE-2017-6840
CVE-2017-6844 CVE-2017-6847 CVE-2017-7378
CVE-2017-7379 CVE-2017-7380 CVE-2017-7994
CVE-2017-8054 CVE-2017-8787 CVE-2018-5308
CVE-2018-8001
Affected Products:
SUSE Linux Enterprise Workstation Extension 12-SP3
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Desktop 12-SP3
______________________________________________________________________________
An update that fixes 16 vulnerabilities is now available.
Description:
This update for podofo fixes the following issues:
- CVE-2017-5852: The PoDoFo::PdfPage::GetInheritedKeyFromObject function
allowed remote attackers to cause a denial of service (infinite loop)
via a crafted file (bsc#1023067).
- CVE-2017-5853: Integer overflow allowed remote attackers to have
unspecified impact via a crafted file (bsc#1023069).
- CVE-2017-5854: Prevent NULL pointer dereference that allowed remote
attackers to cause a denial of service via a crafted file (bsc#1023070).
- CVE-2017-5855: The PoDoFo::PdfParser::ReadXRefSubsection function
allowed remote attackers to cause a denial of service (NULL pointer
dereference) via a crafted file (bsc#1023071).
- CVE-2017-5886: Prevent heap-based buffer overflow in the
PoDoFo::PdfTokenizer::GetNextToken function that allowed remote
attackers to have unspecified impact via a crafted file (bsc#1023380).
- CVE-2017-6847: The PoDoFo::PdfVariant::DelayedLoad function allowed
remote attackers to cause a denial of service (NULL pointer dereference)
via a crafted file (bsc#1027778).
- CVE-2017-6844: Buffer overflow in the
PoDoFo::PdfParser::ReadXRefSubsection function allowed remote attackers
to have unspecified impact via a crafted file (bsc#1027782).
- CVE-2017-6840: The ColorChanger::GetColorFromStack function allowed
remote attackers to cause a denial of service (invalid read) via a
crafted file (bsc#1027787).
- CVE-2017-7378: The PoDoFo::PdfPainter::ExpandTabs function allowed
remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted PDF document
(bsc#1032017).
- CVE-2017-7379: The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function
allowed remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted PDF document
(bsc#1032018).
- CVE-2017-7380: Prevent NULL pointer dereference that allowed remote
attackers to cause a denial of service via a crafted PDF document
(bsc#1032019).
- CVE-2017-7994: The function TextExtractor::ExtractText allowed remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via a crafted PDF document (bsc#1035534).
- CVE-2017-8054: The function PdfPagesTree::GetPageNodeFromArray allowed
remote attackers to cause a denial of service (infinite recursion and
application crash) via a crafted PDF document (bsc#1035596).
- CVE-2017-8787: The
PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function allowed
remote attackers to cause a denial of service (heap-based buffer
over-read) or possibly have unspecified other impact via a crafted PDF
file (bsc#1037739).
- CVE-2018-5308: Properly validate memcpy arguments in the
PdfMemoryOutputStream::Write function to prevent remote attackers from
causing a denial-of-service or possibly have unspecified other impact
via a crafted pdf file (bsc#1075772).
- CVE-2018-8001: Prevent heap-based buffer over-read vulnerability in
UnescapeName() that allowed remote attackers to cause a
denial-of-service or possibly unspecified other impact via a crafted pdf
file (bsc#1084894).
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Workstation Extension 12-SP3:
zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1744=1
- SUSE Linux Enterprise Software Development Kit 12-SP3:
zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1744=1
- SUSE Linux Enterprise Desktop 12-SP3:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1744=1
Package List:
- SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64):
libpodofo0_9_2-0.9.2-3.3.1
libpodofo0_9_2-debuginfo-0.9.2-3.3.1
podofo-debuginfo-0.9.2-3.3.1
podofo-debugsource-0.9.2-3.3.1
- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):
libpodofo-devel-0.9.2-3.3.1
podofo-debuginfo-0.9.2-3.3.1
podofo-debugsource-0.9.2-3.3.1
- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):
libpodofo0_9_2-0.9.2-3.3.1
libpodofo0_9_2-debuginfo-0.9.2-3.3.1
podofo-debuginfo-0.9.2-3.3.1
podofo-debugsource-0.9.2-3.3.1
References:
https://www.suse.com/security/cve/CVE-2017-5852.html
https://www.suse.com/security/cve/CVE-2017-5853.html
https://www.suse.com/security/cve/CVE-2017-5854.html
https://www.suse.com/security/cve/CVE-2017-5855.html
https://www.suse.com/security/cve/CVE-2017-5886.html
https://www.suse.com/security/cve/CVE-2017-6840.html
https://www.suse.com/security/cve/CVE-2017-6844.html
https://www.suse.com/security/cve/CVE-2017-6847.html
https://www.suse.com/security/cve/CVE-2017-7378.html
https://www.suse.com/security/cve/CVE-2017-7379.html
https://www.suse.com/security/cve/CVE-2017-7380.html
https://www.suse.com/security/cve/CVE-2017-7994.html
https://www.suse.com/security/cve/CVE-2017-8054.html
https://www.suse.com/security/cve/CVE-2017-8787.html
https://www.suse.com/security/cve/CVE-2018-5308.html
https://www.suse.com/security/cve/CVE-2018-8001.html
https://bugzilla.suse.com/1023067
https://bugzilla.suse.com/1023069
https://bugzilla.suse.com/1023070
https://bugzilla.suse.com/1023071
https://bugzilla.suse.com/1023380
https://bugzilla.suse.com/1027778
https://bugzilla.suse.com/1027782
https://bugzilla.suse.com/1027787
https://bugzilla.suse.com/1032017
https://bugzilla.suse.com/1032018
https://bugzilla.suse.com/1032019
https://bugzilla.suse.com/1035534
https://bugzilla.suse.com/1035596
https://bugzilla.suse.com/1037739
https://bugzilla.suse.com/1075772
https://bugzilla.suse.com/1084894
More information about the sle-security-updates
mailing list