Alpine: multiple podofo packages: security update to 0.9.6-r0

Severity: Critical. Tenable Cloud Security Plugin ID 406434

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Heap-based buffer overflow in the PdfParser::ReadObjects function in base/PdfParser.cpp in PoDoFo 0.9.5
allows remote attackers to cause a denial of service (application crash) or possibly have unspecified
other impact via vectors related to m_offsets.size. (CVE-2017-8378)

- The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoFo 0.9.5 allows remote attackers to
cause a denial of service (NULL pointer dereference) via a crafted file. (CVE-2017-6848)

- The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoFo 0.9.5 allows remote attackers to
cause a denial of service (heap-based buffer over-read and application crash) via a crafted PDF document.
(CVE-2017-7378)

- The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in PdfEncoding.cpp in PoDoFo 0.9.5 allows remote
attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted
PDF document. (CVE-2017-7379)

- The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted PDF document. (CVE-2017-7380)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-6848

https://security.alpinelinux.org/vuln/CVE-2017-7378

https://security.alpinelinux.org/vuln/CVE-2017-7379

https://security.alpinelinux.org/vuln/CVE-2017-7380

https://security.alpinelinux.org/vuln/CVE-2017-7381

https://security.alpinelinux.org/vuln/CVE-2017-7382

https://security.alpinelinux.org/vuln/CVE-2017-7383

https://security.alpinelinux.org/vuln/CVE-2017-7994

https://security.alpinelinux.org/vuln/CVE-2017-8053

https://security.alpinelinux.org/vuln/CVE-2017-8054

https://security.alpinelinux.org/vuln/CVE-2017-8378

https://security.alpinelinux.org/vuln/CVE-2017-8787

https://security.alpinelinux.org/vuln/CVE-2018-11254

https://security.alpinelinux.org/vuln/CVE-2018-11255

https://security.alpinelinux.org/vuln/CVE-2018-11256

https://security.alpinelinux.org/vuln/CVE-2018-12982

https://security.alpinelinux.org/vuln/CVE-2018-12983

https://security.alpinelinux.org/vuln/CVE-2018-5295

https://security.alpinelinux.org/vuln/CVE-2018-5296

https://security.alpinelinux.org/vuln/CVE-2018-5308

https://security.alpinelinux.org/vuln/CVE-2018-5309

https://security.alpinelinux.org/vuln/CVE-2018-5783

https://security.alpinelinux.org/vuln/CVE-2018-6352

https://security.alpinelinux.org/vuln/CVE-2018-8000

https://security.alpinelinux.org/vuln/CVE-2018-8001

https://security.alpinelinux.org/vuln/CVE-2018-8002

Plugin Details

Severity: Critical

ID: 406434

Version: Revision 1.26

Type: Local

Published: 10/31/2023

Updated: 12/4/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-8378

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/15/2017

Reference Information

CVE: CVE-2017-6848, CVE-2017-7378, CVE-2017-7379, CVE-2017-7380, CVE-2017-7381, CVE-2017-7382, CVE-2017-7383, CVE-2017-7994, CVE-2017-8053, CVE-2017-8054, CVE-2017-8378, CVE-2017-8787, CVE-2018-11254, CVE-2018-11255, CVE-2018-11256, CVE-2018-12982, CVE-2018-12983, CVE-2018-5295, CVE-2018-5296, CVE-2018-5308, CVE-2018-5309, CVE-2018-5783, CVE-2018-6352, CVE-2018-8000, CVE-2018-8001, CVE-2018-8002

BID: 97296, 97980