SB2020112523 - Ubuntu update for poppler

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020112523

SB2020112523 - Ubuntu update for poppler

Published: November 25, 2020 Updated: April 23, 2025

Security Bulletin ID SB2020112523
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 20% Medium 20% Low 60%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Access of Uninitialized Pointer (CVE-ID: CVE-2020-27778)

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to a boundary error when converting PDF files to HTML. A remote attacker can trick the victim to convert a specially crafted file and perform a denial of service (DoS) attack.


2) Integer overflow (CVE-ID: CVE-2018-21009)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in Parser::makeStream() function in Parser.cc. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Out-of-bounds read (CVE-ID: CVE-2019-10871)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read in the function PSOutputDev::checkPageSlice in PSOutputDev.cc. A remote attacker can perform a denial of service attack.


4) Integer overflow (CVE-ID: CVE-2019-9959)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in the "JPXStream::init" function, caused by a failure to bounds-check user-supplied data before copying it to an undersized memory buffer. A remote attacker can supply crafted data to the system, trigger integer overflow and cause a denial of service condition on the targeted system.



5) Out-of-bounds read (CVE-ID: CVE-2019-13283)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the FoFiType1::parse() function in fofi/FoFiType1.cc, when processing PDF files. A remote attacker can perform a denial of service attack.


Remediation

Install update from vendor's website.

References