SUSE SLED15: libpoppler-cpp0 / libpoppler-devel / libpoppler-glib-devel / etc (SUSE-SU-2021:3854-1)

critical Nessus Plugin ID 155796

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3854-1 advisory.

- CVE-2017-18267: Fixed an infinite recursion that would allow remote attackers to cause a denial of service (bsc#1092945).
- CVE-2018-13988: Added an improper implementation check which otherwise could allow buffer overflows, memory corruption, and denial of service (bsc#1102531).
- CVE-2018-16646: Fixed an infinite recursion which could allow a denial-of-service attack via a specially crafted PDF file (bsc#1107597).
- CVE-2018-18897: Fixed a memory leak (bsc#1114966).
- CVE-2018-19058: Fixed a bug which could allow a denial-of-service attack via a specially crafted PDF file (bsc#1115187).
- CVE-2018-19059: Fixed an out-of-bounds read access which could allow a denial-of-service attack (bsc#1115186).
- CVE-2018-19060: Fixed a NULL pointer dereference which could allow a denial-of-service attack (bsc#1115185).
- CVE-2018-19149: Fixed a NULL pointer dereference which could allow a denial-of-service attack (bsc#1115626).
- CVE-2018-20481: Fixed a NULL pointer dereference while handling unallocated XRef entries which could allow a denial-of-service attack (bsc#1120495).
- CVE-2018-20551: Fixed a reachable assertion which could allow a denial-of-service attack through specially crafted PDF files (bsc#1120496).
- CVE-2018-20650: Fixed a reachable assertion which could allow denial-of-service through specially crafted PDF files (bsc#1120939).
- CVE-2018-20662: Fixed a bug which could potentially crash the running process by SIGABRT resulting in a denial-of-service attack through a specially crafted PDF file (bsc#1120956).
- CVE-2019-10871: Fixed a heap-based buffer over-read in the function PSOutputDev::checkPageSlice at PSOutputDev.cc (bsc#1131696).
- CVE-2019-10872: Fixed a heap-based buffer over-read in the function Splash::blitTransparent at splash/Splash.cc (bsc#1131722).
- CVE-2019-14494: Fixed a divide-by-zero error in the function SplashOutputDev::tilingPatternFill (bsc#1143950).
- CVE-2019-7310: Fixed a heap-based buffer over-read (due to an integer signedness error in the XRef::getEntry function in XRef.cc) that allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document (bsc#1124150).
- CVE-2019-9200: Fixed a heap-based buffer underwrite which could allow denial-of-service attack through a specially crafted PDF file (bsc#1127329)
- CVE-2019-9631: Fixed a heap-based buffer over-read in the CairoRescaleBox.cc downsample_row_box_filter function (bsc#1129202).
- CVE-2019-9903: Fixed excessive stack consumption in the Dict::find() method, which can be triggered by passing a crafted pdf file to the pdfunite binary (bsc#1130229).
- CVE-2019-9959: Fixed integer overflow that made it possible to allocate a large memory chunk on the heap with a size controlled by an attacker (bsc#1142465).
- CVE-2020-27778: Fixed buffer overflow vulnerability in pdftohtml (bsc#1179163).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1092945

https://bugzilla.suse.com/1102531

https://bugzilla.suse.com/1107597

https://bugzilla.suse.com/1114966

https://bugzilla.suse.com/1115185

https://bugzilla.suse.com/1115186

https://bugzilla.suse.com/1115187

https://bugzilla.suse.com/1115626

https://bugzilla.suse.com/1120495

https://bugzilla.suse.com/1120496

https://bugzilla.suse.com/1120939

https://bugzilla.suse.com/1120956

https://bugzilla.suse.com/1124150

https://bugzilla.suse.com/1127329

https://bugzilla.suse.com/1129202

https://bugzilla.suse.com/1130229

https://bugzilla.suse.com/1131696

https://bugzilla.suse.com/1131722

https://bugzilla.suse.com/1142465

https://bugzilla.suse.com/1143950

https://bugzilla.suse.com/1179163

https://www.suse.com/security/cve/CVE-2017-18267

https://www.suse.com/security/cve/CVE-2018-13988

https://www.suse.com/security/cve/CVE-2018-16646

https://www.suse.com/security/cve/CVE-2018-18897

https://www.suse.com/security/cve/CVE-2018-19058

https://www.suse.com/security/cve/CVE-2018-19059

https://www.suse.com/security/cve/CVE-2018-19060

https://www.suse.com/security/cve/CVE-2018-19149

https://www.suse.com/security/cve/CVE-2018-20481

https://www.suse.com/security/cve/CVE-2018-20551

https://www.suse.com/security/cve/CVE-2018-20650

https://www.suse.com/security/cve/CVE-2018-20662

https://www.suse.com/security/cve/CVE-2019-10871

https://www.suse.com/security/cve/CVE-2019-10872

https://www.suse.com/security/cve/CVE-2019-14494

https://www.suse.com/security/cve/CVE-2019-7310

https://www.suse.com/security/cve/CVE-2019-9200

https://www.suse.com/security/cve/CVE-2019-9631

https://www.suse.com/security/cve/CVE-2019-9903

https://www.suse.com/security/cve/CVE-2019-9959

https://www.suse.com/security/cve/CVE-2020-27778

http://www.nessus.org/u?daf7711c

Plugin Details

Severity: Critical

ID: 155796

File Name: suse_SU-2021-3854-1.nasl

Version: 1.7

Type: Local

Agent: unix

Published: 12/2/2021

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.35

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9631

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:libpoppler73, p-cpe:/a:novell:suse_linux:libpoppler-glib8, p-cpe:/a:novell:suse_linux:libpoppler-cpp0, p-cpe:/a:novell:suse_linux:typelib-1_0-poppler-0_18, p-cpe:/a:novell:suse_linux:libpoppler-devel, p-cpe:/a:novell:suse_linux:poppler-tools, p-cpe:/a:novell:suse_linux:libpoppler-glib-devel, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/1/2021

Vulnerability Publication Date: 5/10/2018

Reference Information

CVE: CVE-2017-18267, CVE-2018-13988, CVE-2018-16646, CVE-2018-18897, CVE-2018-19058, CVE-2018-19059, CVE-2018-19060, CVE-2018-19149, CVE-2018-20481, CVE-2018-20551, CVE-2018-20650, CVE-2018-20662, CVE-2019-10871, CVE-2019-10872, CVE-2019-14494, CVE-2019-7310, CVE-2019-9200, CVE-2019-9631, CVE-2019-9903, CVE-2019-9959, CVE-2020-27778

IAVB: 2018-B-0151-S, 2019-B-0001-S, 2019-B-0011-S, 2019-B-0021-S, 2019-B-0064-S

SuSE: SUSE-SU-2021:3854-1