Overview

File _patchinfo of Package patchinfo.8856

<patchinfo incident="8856">
  <issue tracker="bnc" id="1096890">VUL-1: CVE-2018-11255: podofo: Null Pointer Dereference Denial of Service in PdfPage::GetPageNumber()</issue>
  <issue tracker="bnc" id="1076962">VUL-1: CVE-2018-5783: podofo: Uncontrolled memory allocation in PoDoFo::PdfVecObjects::Reserve (src/base/PdfVecObjects.h)</issue>
  <issue tracker="bnc" id="1096889">VUL-1: CVE-2018-11256: podofo: Null Pointer Dereference Denial of Service</issue>
  <issue tracker="bnc" id="1032021">VUL-1: CVE-2017-7382: podofo: four null pointer dereference</issue>
  <issue tracker="bnc" id="1032020">VUL-1: CVE-2017-7381: podofo: four null pointer dereference</issue>
  <issue tracker="bnc" id="1032022">VUL-1: CVE-2017-7383: podofo: four null pointer dereference</issue>
  <issue tracker="bnc" id="1075772">VUL-1: CVE-2018-5308: podofo: Undefined behavior  (memcpy with NULL pointer) in PdfMemoryOutputStream::Write (src/base/PdfOutputStream.cpp)</issue>
  <issue tracker="bnc" id="1027779">VUL-1: CVE-2017-6845: podofo: NULL pointer dereference in GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace (graphicsstack.h)</issue>
  <issue tracker="bnc" id="1075021">VUL-1: CVE-2018-5296: podofo: podofoimgextract: memory malloc failure in PdfParser::ReadXRefSubsection (src/base/PdfParser.cpp)</issue>
  <issue tracker="bnc" id="1075322">VUL-1: CVE-2018-5309: podofo: integer overflow caused by out-of-range left shift in readUInt32 (util/read.c)</issue>
  <issue tracker="bnc" id="1075026">VUL-1: CVE-2018-5295: podofo: Integer Overflow in PdfXRefStreamParserObject::ParseStream</issue>
  <issue tracker="cve" id="2018-11256"/>
  <issue tracker="cve" id="2018-5309"/>
  <issue tracker="cve" id="2018-5295"/>
  <issue tracker="cve" id="2018-5296"/>
  <issue tracker="cve" id="2018-5783"/>
  <issue tracker="cve" id="2017-6845"/>
  <issue tracker="cve" id="2018-5308"/>
  <issue tracker="cve" id="2017-7381"/>
  <issue tracker="cve" id="2017-7382"/>
  <issue tracker="cve" id="2017-7383"/>
  <issue tracker="cve" id="2017-8054"/>
  <category>security</category>
  <rating>moderate</rating>
  <packager>alarrosa</packager>
  <description>This update for podofo fixes the following issues:

These security issues were fixed:

- CVE-2017-6845: The PoDoFo::PdfColor::operator function allowed remote
  attackers to cause a denial of service (NULL pointer dereference) via a crafted
  file (bsc#1027779).
- CVE-2018-5308: Properly validate memcpy arguments in the
  PdfMemoryOutputStream::Write function to prevent remote attackers from causing
  a denial-of-service or possibly have unspecified other impact via a crafted pdf
  file (bsc#1075772)
- CVE-2018-5295: Prevent integer overflow in the
  PdfXRefStreamParserObject::ParseStream function that allowed remote attackers
  to cause a denial-of-service via a crafted pdf file (bsc#1075026).
- CVE-2017-6845: The PoDoFo::PdfColor::operator function allowed remote
  attackers to cause a denial of service (NULL pointer dereference) via a crafted
  file (bsc#1027779).
- CVE-2018-5309: Prevent integer overflow in the
  PdfObjectStreamParserObject::ReadObjectsFromStream function that allowed remote
  attackers to cause a denial-of-service via a crafted pdf file (bsc#1075322).
- CVE-2018-5296: Prevent uncontrolled memory allocation in the
  PdfParser::ReadXRefSubsection function that allowed remote attackers to cause a
  denial-of-service via a crafted pdf file (bsc#1075021).
- CVE-2017-7381: Prevent NULL pointer dereference that allowed remote attackers
  to cause a denial of service via a crafted PDF document (bsc#1032020).
- CVE-2017-7382: Prevent NULL pointer dereference that allowed remote attackers
  to cause a denial of service via a crafted PDF document (bsc#1032021).
- CVE-2017-7383: Prevent NULL pointer dereference that allowed remote attackers
  to cause a denial of service via a crafted PDF document (bsc#1032022).
- CVE-2018-11256: Prevent NULL pointer dereference that allowed remote
  attackers to cause a denial of service via a crafted PDF document
  (bsc#1096889).
- CVE-2018-5783: Prevent uncontrolled memory allocation in the
  PoDoFo::PdfVecObjects::Reserve function that allowed remote attackers to cause
  a denial of service via a crafted pdf file (bsc#1076962).

These non-security issues were fixed:

- Prevent regression caused by the fix for CVE-2017-8054.
- Prevent NULL dereferences when "Kids" array is missing (bsc#1096890)
- Added to detect cycles and recursions in XRef tables
</description>
  <summary>Security update for podofo</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places