Security update for podofo

SUSE Security Update: Security update for podofo
Announcement ID: SUSE-SU-2018:2481-1
Rating: moderate
References: #1023067 #1023069 #1023070 #1023071 #1023380 #1027778 #1027782 #1027787 #1032017 #1032018 #1032019 #1035534 #1035596 #1037739 #1075772 #1084894
Cross-References: CVE-2017-5852 CVE-2017-5853 CVE-2017-5854 CVE-2017-5855 CVE-2017-5886 CVE-2017-6840 CVE-2017-6844 CVE-2017-6847 CVE-2017-7378 CVE-2017-7379 CVE-2017-7380 CVE-2017-7994 CVE-2017-8054 CVE-2017-8787 CVE-2018-5308 CVE-2018-8001
Affected Products:
  • SUSE Linux Enterprise Workstation Extension 12-SP3
  • SUSE Linux Enterprise Software Development Kit 12-SP3
  • SUSE Linux Enterprise Desktop 12-SP3

  • An update that fixes 16 vulnerabilities is now available.

    Description:

    This update for podofo fixes the following issues:

    - CVE-2017-5852: The PoDoFo::PdfPage::GetInheritedKeyFromObject function
    allowed remote attackers to cause a denial of service (infinite loop)
    via a crafted file (bsc#1023067).
    - CVE-2017-5853: Integer overflow allowed remote attackers to have
    unspecified impact via a crafted file (bsc#1023069).
    - CVE-2017-5854: Prevent NULL pointer dereference that allowed remote
    attackers to cause a denial of service via a crafted file (bsc#1023070).
    - CVE-2017-5855: The PoDoFo::PdfParser::ReadXRefSubsection function
    allowed remote attackers to cause a denial of service (NULL pointer
    dereference) via a crafted file (bsc#1023071).
    - CVE-2017-5886: Prevent heap-based buffer overflow in the
    PoDoFo::PdfTokenizer::GetNextToken function that allowed remote
    attackers to have unspecified impact via a crafted file (bsc#1023380).
    - CVE-2017-6847: The PoDoFo::PdfVariant::DelayedLoad function allowed
    remote attackers to cause a denial of service (NULL pointer dereference)
    via a crafted file (bsc#1027778).
    - CVE-2017-6844: Buffer overflow in the
    PoDoFo::PdfParser::ReadXRefSubsection function allowed remote attackers
    to have unspecified impact via a crafted file (bsc#1027782).
    - CVE-2017-6840: The ColorChanger::GetColorFromStack function allowed
    remote attackers to cause a denial of service (invalid read) via a
    crafted file (bsc#1027787).
    - CVE-2017-7378: The PoDoFo::PdfPainter::ExpandTabs function allowed
    remote attackers to cause a denial of service (heap-based buffer
    over-read and application crash) via a crafted PDF document
    (bsc#1032017).
    - CVE-2017-7379: The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function
    allowed remote attackers to cause a denial of service (heap-based buffer
    over-read and application crash) via a crafted PDF document
    (bsc#1032018).
    - CVE-2017-7380: Prevent NULL pointer dereference that allowed remote
    attackers to cause a denial of service via a crafted PDF document
    (bsc#1032019).
    - CVE-2017-7994: The function TextExtractor::ExtractText allowed remote
    attackers to cause a denial of service (NULL pointer dereference and
    application crash) via a crafted PDF document (bsc#1035534).
    - CVE-2017-8054: The function PdfPagesTree::GetPageNodeFromArray allowed
    remote attackers to cause a denial of service (infinite recursion and
    application crash) via a crafted PDF document (bsc#1035596).
    - CVE-2017-8787: The
    PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function allowed
    remote attackers to cause a denial of service (heap-based buffer
    over-read) or possibly have unspecified other impact via a crafted PDF
    file (bsc#1037739).
    - CVE-2018-5308: Properly validate memcpy arguments in the
    PdfMemoryOutputStream::Write function to prevent remote attackers from
    causing a denial-of-service or possibly have unspecified other impact
    via a crafted pdf file (bsc#1075772).
    - CVE-2018-8001: Prevent heap-based buffer over-read vulnerability in
    UnescapeName() that allowed remote attackers to cause a
    denial-of-service or possibly unspecified other impact via a crafted pdf
    file (bsc#1084894).

    Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Workstation Extension 12-SP3:
      zypper in -t patch SUSE-SLE-WE-12-SP3-2018-1744=1
    • SUSE Linux Enterprise Software Development Kit 12-SP3:
      zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-1744=1
    • SUSE Linux Enterprise Desktop 12-SP3:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1744=1

    Package List:

    • SUSE Linux Enterprise Workstation Extension 12-SP3 (x86_64):
      • libpodofo0_9_2-0.9.2-3.3.1
      • libpodofo0_9_2-debuginfo-0.9.2-3.3.1
      • podofo-debuginfo-0.9.2-3.3.1
      • podofo-debugsource-0.9.2-3.3.1
    • SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):
      • libpodofo-devel-0.9.2-3.3.1
      • podofo-debuginfo-0.9.2-3.3.1
      • podofo-debugsource-0.9.2-3.3.1
    • SUSE Linux Enterprise Desktop 12-SP3 (x86_64):
      • libpodofo0_9_2-0.9.2-3.3.1
      • libpodofo0_9_2-debuginfo-0.9.2-3.3.1
      • podofo-debuginfo-0.9.2-3.3.1
      • podofo-debugsource-0.9.2-3.3.1

    References: