Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 673860 (CVE-2018-20481, CVE-2018-20551) - <app-text/poppler-0.73.0: multiple vulnerabilities
Summary: <app-text/poppler-0.73.0: multiple vulnerabilities
Alias: CVE-2018-20481, CVE-2018-20551
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: CVE-2018-20650 poppler-0.73.0
  Show dependency tree
Reported: 2018-12-28 02:41 UTC by D'juan McDonald (domhnall)
Modified: 2019-03-10 04:25 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2018-12-28 02:41:55 UTC

XRef::getEntry in in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in


@maintainer(s): "Poppler 0.72.0 is vulnerable; other versions may also be affected."

Gentoo Security Padawan
Comment 1 D'juan McDonald (domhnall) 2018-12-31 05:36:36 UTC

A reachable Object::getString assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c.

Upsteam bug:
Upsteam PR:
Comment 2 Andreas Sturmlechner gentoo-dev 2019-03-03 01:04:11 UTC
Cleanup done.