SUSE-SU-2018:2481-1: moderate: Security update for podofo

sle-updates at lists.suse.com sle-updates at lists.suse.com
Wed Aug 22 13:08:23 MDT 2018


   SUSE Security Update: Security update for podofo
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:2481-1
Rating:             moderate
References:         #1023067 #1023069 #1023070 #1023071 #1023380 
                    #1027778 #1027782 #1027787 #1032017 #1032018 
                    #1032019 #1035534 #1035596 #1037739 #1075772 
                    #1084894 
Cross-References:   CVE-2017-5852 CVE-2017-5853 CVE-2017-5854
                    CVE-2017-5855 CVE-2017-5886 CVE-2017-6840
                    CVE-2017-6844 CVE-2017-6847 CVE-2017-7378
                    CVE-2017-7379 CVE-2017-7380 CVE-2017-7994
                    CVE-2017-8054 CVE-2017-8787 CVE-2018-5308
                    CVE-2018-8001
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP3
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP3
______________________________________________________________________________

   An update that fixes 16 vulnerabilities is now available.

Description:

   This update for podofo fixes the following issues:

   - CVE-2017-5852: The PoDoFo::PdfPage::GetInheritedKeyFromObject function
     allowed remote attackers to cause a denial of service (infinite loop)
     via a crafted file (bsc#1023067).
   - CVE-2017-5853: Integer overflow allowed remote attackers to have
     unspecified impact via a crafted file (bsc#1023069).
   - CVE-2017-5854: Prevent NULL pointer dereference that allowed remote
     attackers to cause a denial of service via a crafted file (bsc#1023070).
   - CVE-2017-5855: The PoDoFo::PdfParser::ReadXRefSubsection function
     allowed remote attackers to cause a denial of service (NULL pointer
     dereference) via a crafted file (bsc#1023071).
   - CVE-2017-5886: Prevent heap-based buffer overflow in the
     PoDoFo::PdfTokenizer::GetNextToken function that allowed remote
     attackers to have unspecified impact via a crafted file (bsc#1023380).
   - CVE-2017-6847: The PoDoFo::PdfVariant::DelayedLoad function allowed
     remote attackers to cause a denial of service (NULL pointer dereference)
     via a crafted file (bsc#1027778).
   - CVE-2017-6844: Buffer overflow in the
     PoDoFo::PdfParser::ReadXRefSubsection function allowed remote attackers
     to have unspecified impact via a crafted file (bsc#1027782).
   - CVE-2017-6840: The ColorChanger::GetColorFromStack function allowed
     remote attackers to cause a denial of service (invalid read) via a
     crafted file (bsc#1027787).
   - CVE-2017-7378: The PoDoFo::PdfPainter::ExpandTabs function allowed
     remote attackers to cause a denial of service (heap-based buffer
     over-read and application crash) via a crafted PDF document
     (bsc#1032017).
   - CVE-2017-7379: The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function
     allowed remote attackers to cause a denial of service (heap-based buffer
     over-read and application crash) via a crafted PDF document
      (bsc#1032018).
   - CVE-2017-7380: Prevent NULL pointer dereference that allowed remote
     attackers to cause a denial of service via a crafted PDF document
     (bsc#1032019).
   - CVE-2017-7994: The function TextExtractor::ExtractText allowed remote
     attackers to cause a denial of service (NULL pointer dereference and
     application crash) via a crafted PDF document (bsc#1035534).
   - CVE-2017-8054: The function PdfPagesTree::GetPageNodeFromArray allowed
     remote attackers to cause a denial of service (infinite recursion and
     application crash) via a crafted PDF document (bsc#1035596).
   - CVE-2017-8787: The
     PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function allowed
     remote attackers to cause a denial of service (heap-based buffer
     over-read) or possibly have unspecified other impact via a crafted PDF
     file (bsc#1037739).
   - CVE-2018-5308: Properly validate memcpy arguments in the
     PdfMemoryOutputStream::Write function to prevent remote attackers from
     causing a denial-of-service or possibly have unspecified other impact
     via a crafted pdf file (bsc#1075772).
   - CVE-2018-8001: Prevent heap-based buffer over-read vulnerability in
     UnescapeName() that allowed remote attackers to cause a
     denial-of-service or possibly unspecified other impact via a crafted pdf
     file (bsc#1084894).


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP3:

      zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1744=1

   - SUSE Linux Enterprise Software Development Kit 12-SP3:

      zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1744=1

   - SUSE Linux Enterprise Desktop 12-SP3:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1744=1



Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64):

      libpodofo0_9_2-0.9.2-3.3.1
      libpodofo0_9_2-debuginfo-0.9.2-3.3.1
      podofo-debuginfo-0.9.2-3.3.1
      podofo-debugsource-0.9.2-3.3.1

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

      libpodofo-devel-0.9.2-3.3.1
      podofo-debuginfo-0.9.2-3.3.1
      podofo-debugsource-0.9.2-3.3.1

   - SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

      libpodofo0_9_2-0.9.2-3.3.1
      libpodofo0_9_2-debuginfo-0.9.2-3.3.1
      podofo-debuginfo-0.9.2-3.3.1
      podofo-debugsource-0.9.2-3.3.1


References:

   https://www.suse.com/security/cve/CVE-2017-5852.html
   https://www.suse.com/security/cve/CVE-2017-5853.html
   https://www.suse.com/security/cve/CVE-2017-5854.html
   https://www.suse.com/security/cve/CVE-2017-5855.html
   https://www.suse.com/security/cve/CVE-2017-5886.html
   https://www.suse.com/security/cve/CVE-2017-6840.html
   https://www.suse.com/security/cve/CVE-2017-6844.html
   https://www.suse.com/security/cve/CVE-2017-6847.html
   https://www.suse.com/security/cve/CVE-2017-7378.html
   https://www.suse.com/security/cve/CVE-2017-7379.html
   https://www.suse.com/security/cve/CVE-2017-7380.html
   https://www.suse.com/security/cve/CVE-2017-7994.html
   https://www.suse.com/security/cve/CVE-2017-8054.html
   https://www.suse.com/security/cve/CVE-2017-8787.html
   https://www.suse.com/security/cve/CVE-2018-5308.html
   https://www.suse.com/security/cve/CVE-2018-8001.html
   https://bugzilla.suse.com/1023067
   https://bugzilla.suse.com/1023069
   https://bugzilla.suse.com/1023070
   https://bugzilla.suse.com/1023071
   https://bugzilla.suse.com/1023380
   https://bugzilla.suse.com/1027778
   https://bugzilla.suse.com/1027782
   https://bugzilla.suse.com/1027787
   https://bugzilla.suse.com/1032017
   https://bugzilla.suse.com/1032018
   https://bugzilla.suse.com/1032019
   https://bugzilla.suse.com/1035534
   https://bugzilla.suse.com/1035596
   https://bugzilla.suse.com/1037739
   https://bugzilla.suse.com/1075772
   https://bugzilla.suse.com/1084894



More information about the sle-updates mailing list