{"id":"MGASA-2019-0092","summary":"Updated poppler packages fix security vulnerability","details":"An issue was discovered in Poppler 0.71.0. There is a memory leak in\nGfxColorSpace::setDisplayProfile in GfxState.cc, as demonstrated by\npdftocairo. (CVE-2018-18897)\n\nXRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef\nentries, which allows remote attackers to cause a denial of service (NULL\npointer dereference) via a crafted PDF document, when XRefEntry::setFlag\nin XRef.h is called from Parser::makeStream in Parser.cc. (CVE-2018-20481)\n\nA reachable Object::getString assertion in Poppler 0.72.0 allows attackers\nto cause a denial of service due to construction of invalid rich media\nannotation assets in the AnnotRichMedia class in Annot.c. (CVE-2018-20551)\n\nA reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers\nto cause a denial of service due to the lack of a check for the dict data\ntype, as demonstrated by use of the FileSpec class (in FileSpec.cc) in\npdfdetach. (CVE-2018-20650)\n\nIn Poppler 0.73.0, a heap-based buffer over-read (due to an integer\nsignedness error in the XRef::getEntry function in XRef.cc) allows remote\nattackers to cause a denial of service (application crash) or possibly\nhave unspecified other impact via a crafted PDF document, as demonstrated\nby pdftocairo. (CVE-2019-7310)\n","modified":"2026-02-02T14:58:45.047069Z","published":"2019-02-20T20:56:50Z","related":["CVE-2018-18897","CVE-2018-20481","CVE-2018-20551","CVE-2018-20650","CVE-2019-7310"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0092.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=24250"},{"type":"REPORT","url":"https://usn.ubuntu.com/3865-1/"},{"type":"REPORT","url":"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20481.html"},{"type":"REPORT","url":"https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20650.html"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CH33MK2BAV326CV7IKYGMFO4IYX552Z2/"},{"type":"REPORT","url":"https://usn.ubuntu.com/3886-1/"}],"affected":[{"package":{"name":"poppler","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/poppler?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.52.0-3.11.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0092.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}