openSUSE Security Update : podofo (openSUSE-2019-66)

high Nessus Plugin ID 121290

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for podofo version 0.9.6 fixes the following issues :

Security issues fixed :

- CVE-2017-5852: Fix a infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject (PdfPage.cpp) (boo#1023067)

- CVE-2017-5854: Fix a NULL pointer dereference in PdfOutputStream.cpp (boo#1023070)

- CVE-2017-5886: Fix a heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp) (boo#1023380)

- CVE-2017-6844: Fix a buffer overflow in PoDoFo::PdfParser::ReadXRefSubsection (PdfParser.cpp) (boo#1027782)

- CVE-2017-6847: Fix a NULL pointer dereference in PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h) (boo#1027778)

- CVE-2017-7379: Fix a heap-based buffer overflow in PoDoFo::PdfSimpleEncoding::ConvertToEncoding (PdfEncoding.cpp) (boo#1032018)

- CVE-2018-5296: Fix a denial of service in the ReadXRefSubsection function (boo#1075021)

- CVE-2018-5309: Fix a integer overflow in the ReadObjectsFromStream function (boo#1075322)

- CVE-2017-5853: Fix a signed integer overflow in PdfParser.cpp (boo#1023069)

- CVE-2017-5855: Fix a NULL pointer dereference in the ReadXRefSubsection function (boo#1023071)

- CVE-2017-6840: Fix a invalid memory read in the GetColorFromStack function (boo#1027787)

- CVE-2017-6845: Fix a NULL pointer dereference in the SetNonStrokingColorSpace function (boo#1027779)

- CVE-2017-7378: Fix a heap-based buffer overflow in the ExpandTabs function (boo#1032017)

- CVE-2017-7380: Fix four NULL pointer dereferences (boo#1032019)

- CVE-2017-8054: Fix a denial of service in the GetPageNodeFromArray function (boo#1035596)

- CVE-2018-5295: Fix a integer overflow in the ParseStream function (boo#1075026)

- CVE-2018-5308: Fix undefined behavior in the PdfMemoryOutputStream::Write function (boo#1075772)

- CVE-2018-8001: Fix a heap overflow read vulnerability in the UnescapeName function (boo#1084894)

- CVE-2017-7994, CVE-2017-8787: Fix a denial of service via a crafted PDF document (boo#1035534, boo#1037739)

Solution

Update the affected podofo packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1023067

https://bugzilla.opensuse.org/show_bug.cgi?id=1023069

https://bugzilla.opensuse.org/show_bug.cgi?id=1023070

https://bugzilla.opensuse.org/show_bug.cgi?id=1023071

https://bugzilla.opensuse.org/show_bug.cgi?id=1023380

https://bugzilla.opensuse.org/show_bug.cgi?id=1027778

https://bugzilla.opensuse.org/show_bug.cgi?id=1027779

https://bugzilla.opensuse.org/show_bug.cgi?id=1027782

https://bugzilla.opensuse.org/show_bug.cgi?id=1027787

https://bugzilla.opensuse.org/show_bug.cgi?id=1032017

https://bugzilla.opensuse.org/show_bug.cgi?id=1032018

https://bugzilla.opensuse.org/show_bug.cgi?id=1032019

https://bugzilla.opensuse.org/show_bug.cgi?id=1035534

https://bugzilla.opensuse.org/show_bug.cgi?id=1035596

https://bugzilla.opensuse.org/show_bug.cgi?id=1037739

https://bugzilla.opensuse.org/show_bug.cgi?id=1075021

https://bugzilla.opensuse.org/show_bug.cgi?id=1075026

https://bugzilla.opensuse.org/show_bug.cgi?id=1075322

https://bugzilla.opensuse.org/show_bug.cgi?id=1075772

https://bugzilla.opensuse.org/show_bug.cgi?id=1084894

Plugin Details

Severity: High

ID: 121290

File Name: openSUSE-2019-66.nasl

Version: 1.4

Type: local

Agent: unix

Published: 1/22/2019

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-8001

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libpodofo-devel, p-cpe:/a:novell:opensuse:libpodofo0_9_6, p-cpe:/a:novell:opensuse:libpodofo0_9_6-debuginfo, p-cpe:/a:novell:opensuse:podofo, p-cpe:/a:novell:opensuse:podofo-debuginfo, p-cpe:/a:novell:opensuse:podofo-debugsource, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 1/18/2019

Vulnerability Publication Date: 3/1/2017

Reference Information

CVE: CVE-2017-5852, CVE-2017-5853, CVE-2017-5854, CVE-2017-5855, CVE-2017-5886, CVE-2017-6840, CVE-2017-6844, CVE-2017-6845, CVE-2017-6847, CVE-2017-7378, CVE-2017-7379, CVE-2017-7380, CVE-2017-7994, CVE-2017-8054, CVE-2017-8787, CVE-2018-5295, CVE-2018-5296, CVE-2018-5308, CVE-2018-5309, CVE-2018-8001