CVE-2019-9200

Published: 26 February 2019

A heap-based buffer underwrite exists in ImageStream::getLine() located at Stream.cc in Poppler 0.74.0 that can (for example) be triggered by sending a crafted PDF file to the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Priority

CVSS 3 base score: 8.8

Status

Package	Release	Status
poppler Launchpad, Ubuntu, Debian	bionic	Released (0.62.0-2ubuntu2.8)
	cosmic	Released (0.68.0-0ubuntu1.6)
	disco	Released (0.74.0-0ubuntu1.2)
	precise	Does not exist
	trusty	Does not exist (trusty was released [0.24.5-2ubuntu4.17])
	upstream	Needs triage
	xenial	Released (0.41.0-0ubuntu1.13)
	Patches: upstream: https://gitlab.freedesktop.org/poppler/poppler/commit/f4136a6353162db249f63ddb0f20611622ab61b4

References

Bugs

https://gitlab.freedesktop.org/poppler/poppler/issues/728

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›