Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679292 (CVE-2019-9543, CVE-2019-9545) - app-text/poppler: multiple vulnerabilities (CVE-2019-{9543,9545})
Summary: app-text/poppler: multiple vulnerabilities (CVE-2019-{9543,9545})
Status: IN_PROGRESS
Alias: CVE-2019-9543, CVE-2019-9545
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-03 00:52 UTC by D'juan McDonald (domhnall)
Modified: 2019-03-24 12:10 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-03-03 00:52:55 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-9545):

An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JBIG2Bitmap::clearToZero.

Reference: https://gitlab.freedesktop.org/poppler/poppler/issues/731

(https://nvd.nist.gov/vuln/detail/CVE-2019-9543):

An issue was discovered in Poppler 0.74.0. A recursive function call, in JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered by sending a crafted pdf file to (for example) the pdfseparate binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to JArithmeticDecoder::decodeBit.

Reference: https://gitlab.freedesktop.org/poppler/poppler/issues/730


Gentoo Security Padawan
(domhnall)
Comment 1 Agostino Sarubbo gentoo-dev 2019-03-03 08:18:32 UTC
poppler is a common lib, I'd set it to A
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2019-03-07 23:38:35 UTC
CVE-2019-9545 (https://nvd.nist.gov/vuln/detail/CVE-2019-9545):
  An issue was discovered in Poppler 0.74.0. A recursive function call, in
  JBIG2Stream::readTextRegion() located in JBIG2Stream.cc, can be triggered by
  sending a crafted pdf file to (for example) the pdfimages binary. It allows
  an attacker to cause Denial of Service (Segmentation fault) or possibly have
  unspecified other impact. This is related to JBIG2Bitmap::clearToZero.

CVE-2019-9543 (https://nvd.nist.gov/vuln/detail/CVE-2019-9543):
  An issue was discovered in Poppler 0.74.0. A recursive function call, in
  JBIG2Stream::readGenericBitmap() located in JBIG2Stream.cc, can be triggered
  by sending a crafted pdf file to (for example) the pdfseparate binary. It
  allows an attacker to cause Denial of Service (Segmentation fault) or
  possibly have unspecified other impact. This is related to
  JArithmeticDecoder::decodeBit.