{"id":"MGASA-2020-0294","summary":"Updated podofo packages fix security vulnerability","details":"The updated packages fix security vulnerabilities:\n\nA stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryptionKey()\nfunction in PdfEncrypt.cpp in PoDoFo 0.9.6-rc1 could be leveraged by remote \nattackers to cause a denial-of-service via a crafted pdf file. (CVE-2018-12983)\n\nAn issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PDF document,\npPage-\u003eGetObject()-\u003eGetDictionary().AddKey(PdfName(\"MediaBox\"),var) can be\nproblematic due to the function GetObject() being called for the pPage NULL\npointer object. The value of pPage at this point is 0x0, which causes a NULL\npointer dereference. (CVE-2018-20751)\n\nPoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6\nhas a NULL pointer dereference that can (for example) be triggered by sending a\ncrafted PDF file to the podofoimpose binary. It allows an attacker to cause\nDenial of Service (Segmentation fault) or possibly have unspecified other impact.\n(CVE-2019-9199)\n\nPoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF16toUTF8 in\nbase/PdfString.cpp. (CVE-2019-9687)\n\nThe PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.6 allows\nremote attackers to cause a denial of service (NULL pointer dereference) via a\ncrafted file, because of ImageExtractor.cpp. (CVE-2019-20093)\n","modified":"2026-04-16T00:09:50.726767957Z","published":"2020-07-30T13:06:40Z","upstream":["CVE-2018-12983","CVE-2018-20751","CVE-2019-20093","CVE-2019-9199","CVE-2019-9687"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0294.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=24385"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y6ZKYPW55PN6XV5XW6KZDIJLWRXON74N/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5Z7UF3AC76HHLSAHVBUQWMYXHR33DR34/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4K6FST3UH3WNUNCIAEEGZJJASCP5ZXUF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SSB4HRLHF7H3DPNTFPTXUE6EGXXZ5JSZ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WR6XY3TOLJPLXOGHYPCB42JW3SWRZNY4/"}],"affected":[{"package":{"name":"podofo","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/podofo?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.9.6-1.1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0294.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}