{"id":"MGASA-2018-0465","summary":"Updated poppler packages fix security vulnerabilities","details":"In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause\ninfinite recursion via a crafted file. A remote attacker can leverage\nthis for a DoS attack. (CVE-2018-16646)\n\nAn issue was discovered in Poppler 0.71.0. There is a reachable abort in\nObject.h, will lead to denial of service because EmbFile::save2 in\nFileSpec.cc lacks a stream check before saving an embedded file.\n(CVE-2018-19058)\n\nAn issue was discovered in Poppler 0.71.0. There is a out-of-bounds read\nin EmbFile::save2 in FileSpec.cc, will lead to denial of service, as\ndemonstrated by utils/pdfdetach.cc not validating embedded files before\nsave attempts. (CVE-2018-19059)\n\nAn issue was discovered in Poppler 0.71.0. There is a NULL pointer\ndereference in goo/GooString.h, will lead to denial of service, as\ndemonstrated by utils/pdfdetach.cc not validating a filename of an\nembedded file before constructing a save path. (CVE-2018-19060)\n","modified":"2026-04-16T01:48:59.641516567Z","published":"2018-11-22T22:26:34Z","upstream":["CVE-2018-16646","CVE-2018-19058","CVE-2018-19059","CVE-2018-19060"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0465.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23865"}],"affected":[{"package":{"name":"poppler","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/poppler?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.52.0-3.9.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0465.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}