Amazon Linux AMI update for poppler

Published: 2018-12-07 10:05:40 | Updated: 2018-12-07
Severity Low
Patch available YES
Number of vulnerabilities 3
CVE ID CVE-2017-18267
CVE-2018-13988
CVE-2018-10768
CVSSv3 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CWE ID CWE-674
CWE-120
CWE-476
Exploitation vector Network
Public exploit N/A
Vulnerable software Amazon Linux AMI
Vulnerable software versions Amazon Linux AMI 2017.03
Vendor URL Amazon Web Services, Inc.

Security Advisory

1) Uncontrolled recursion

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc due to infinite recursion. A remote attacker can trick the victim into opening a specially crafted PDF file and cause the service to crash.

Remediation

Update the affected packages.

i686:
    poppler-devel-0.26.5-20.18.amzn1.i686
    poppler-glib-0.26.5-20.18.amzn1.i686
    poppler-cpp-devel-0.26.5-20.18.amzn1.i686
    poppler-utils-0.26.5-20.18.amzn1.i686
    poppler-glib-devel-0.26.5-20.18.amzn1.i686
    poppler-cpp-0.26.5-20.18.amzn1.i686
    poppler-debuginfo-0.26.5-20.18.amzn1.i686
    poppler-0.26.5-20.18.amzn1.i686

src:
    poppler-0.26.5-20.18.amzn1.src

x86_64:
    poppler-debuginfo-0.26.5-20.18.amzn1.x86_64
    poppler-glib-devel-0.26.5-20.18.amzn1.x86_64
    poppler-cpp-devel-0.26.5-20.18.amzn1.x86_64
    poppler-glib-0.26.5-20.18.amzn1.x86_64
    poppler-0.26.5-20.18.amzn1.x86_64
    poppler-devel-0.26.5-20.18.amzn1.x86_64
    poppler-utils-0.26.5-20.18.amzn1.x86_64
    poppler-cpp-0.26.5-20.18.amzn1.x86_64

External links

https://alas.aws.amazon.com/ALAS-2018-1110.html

2) Buffer overflow

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists in the image rendering functionality due to a buffer overflow when handling malicious input. A remote unauthenticated attacker can trick the victim into opening a specially crafted PDF file, trigger memory corruption and cause the system to crash.

Remediation

Update the affected packages.

i686:
    poppler-devel-0.26.5-20.18.amzn1.i686
    poppler-glib-0.26.5-20.18.amzn1.i686
    poppler-cpp-devel-0.26.5-20.18.amzn1.i686
    poppler-utils-0.26.5-20.18.amzn1.i686
    poppler-glib-devel-0.26.5-20.18.amzn1.i686
    poppler-cpp-0.26.5-20.18.amzn1.i686
    poppler-debuginfo-0.26.5-20.18.amzn1.i686
    poppler-0.26.5-20.18.amzn1.i686

src:
    poppler-0.26.5-20.18.amzn1.src

x86_64:
    poppler-debuginfo-0.26.5-20.18.amzn1.x86_64
    poppler-glib-devel-0.26.5-20.18.amzn1.x86_64
    poppler-cpp-devel-0.26.5-20.18.amzn1.x86_64
    poppler-glib-0.26.5-20.18.amzn1.x86_64
    poppler-0.26.5-20.18.amzn1.x86_64
    poppler-devel-0.26.5-20.18.amzn1.x86_64
    poppler-utils-0.26.5-20.18.amzn1.x86_64
    poppler-cpp-0.26.5-20.18.amzn1.x86_64

External links

https://alas.aws.amazon.com/ALAS-2018-1110.html

3) NULL pointer dereference

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the AnnotPath::getCoordsLength function in Annot.h due to NULL pointer dereference. A remote attacker can cause the service to crash.

Remediation

Update the affected packages.

i686:
    poppler-devel-0.26.5-20.18.amzn1.i686
    poppler-glib-0.26.5-20.18.amzn1.i686
    poppler-cpp-devel-0.26.5-20.18.amzn1.i686
    poppler-utils-0.26.5-20.18.amzn1.i686
    poppler-glib-devel-0.26.5-20.18.amzn1.i686
    poppler-cpp-0.26.5-20.18.amzn1.i686
    poppler-debuginfo-0.26.5-20.18.amzn1.i686
    poppler-0.26.5-20.18.amzn1.i686

src:
    poppler-0.26.5-20.18.amzn1.src

x86_64:
    poppler-debuginfo-0.26.5-20.18.amzn1.x86_64
    poppler-glib-devel-0.26.5-20.18.amzn1.x86_64
    poppler-cpp-devel-0.26.5-20.18.amzn1.x86_64
    poppler-glib-0.26.5-20.18.amzn1.x86_64
    poppler-0.26.5-20.18.amzn1.x86_64
    poppler-devel-0.26.5-20.18.amzn1.x86_64
    poppler-utils-0.26.5-20.18.amzn1.x86_64
    poppler-cpp-0.26.5-20.18.amzn1.x86_64
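The remediation for all three issues is the same: make sure every installed poppler package is at least the 20.18.amzn1 build listed above. The following script is an added example (it is not part of this advisory and not Amazon's tooling) that shows how to verify that from an `rpm -qa` style listing: it parses NVRA strings, compares version and release the way rpm's segment-wise `rpmvercmp` does, and flags any advisory package that is still older than the fixed build. The installed package list is constructed sample data; the fixed list is copied from the x86_64 section. It assumes no epochs and no tilde/caret version markers, which holds for the package names on this page.

```python
"""Check installed RPM NVRAs against the fixed builds named in an advisory.

Added example, not from the advisory or from Amazon. Installed packages
below are a constructed sample; fixed packages are the advisory's x86_64
list. Assumptions: no epoch prefixes, no '~' / '^' version markers.
"""
import re
from typing import Dict, List, Tuple

# Fixed packages as listed in the advisory's x86_64 remediation section.
FIXED_PACKAGES = [
    "poppler-debuginfo-0.26.5-20.18.amzn1.x86_64",
    "poppler-glib-devel-0.26.5-20.18.amzn1.x86_64",
    "poppler-cpp-devel-0.26.5-20.18.amzn1.x86_64",
    "poppler-glib-0.26.5-20.18.amzn1.x86_64",
    "poppler-0.26.5-20.18.amzn1.x86_64",
    "poppler-devel-0.26.5-20.18.amzn1.x86_64",
    "poppler-utils-0.26.5-20.18.amzn1.x86_64",
    "poppler-cpp-0.26.5-20.18.amzn1.x86_64",
]

# Constructed sample of what `rpm -qa` might print on a host (not real data).
SAMPLE_INSTALLED = [
    "poppler-0.26.5-20.17.amzn1.x86_64",        # older release -> vulnerable
    "poppler-utils-0.26.5-20.18.amzn1.x86_64",  # exactly the fixed build
    "poppler-glib-0.26.5-9.amzn1.x86_64",       # release 9 < 20.18 numerically
    "poppler-cpp-0.26.5-20.18.1.amzn1.x86_64",  # newer than the fixed build
    "bash-4.2.46-30.45.amzn1.x86_64",           # not in the advisory, ignored
]

# rpmvercmp splits on non-alphanumeric separators into digit or alpha runs.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does:
    numeric segments compare numerically, alpha segments lexically, a numeric
    segment is newer than an alpha one, and when all common segments are
    equal the string with segments left over is newer.
    Returns <0, 0 or >0. Tilde/caret handling is deliberately omitted."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            return (xi > yi) - (xi < yi)
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nvra(pkg: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' into its four parts.
    Names may contain dashes, so split from the right."""
    rest, arch = pkg.rsplit(".", 1)
    name, version, release = rest.rsplit("-", 2)
    return name, version, release, arch


def compare_nvr(installed: str, fixed: str) -> int:
    """<0 if installed is older than fixed, 0 if equal, >0 if newer."""
    _, iv, ir, _ = parse_nvra(installed)
    _, fv, fr, _ = parse_nvra(fixed)
    c = rpmvercmp(iv, fv)
    return c if c != 0 else rpmvercmp(ir, fr)


def audit(installed: List[str], fixed: List[str]) -> Dict[str, str]:
    """Map each installed package the advisory covers (same name and arch)
    to 'vulnerable' or 'patched'. Packages not in the advisory are skipped."""
    wanted = {(parse_nvra(f)[0], parse_nvra(f)[3]): f for f in fixed}
    result: Dict[str, str] = {}
    for pkg in installed:
        name, _, _, arch = parse_nvra(pkg)
        fixed_pkg = wanted.get((name, arch))
        if fixed_pkg is None:
            continue
        status = "vulnerable" if compare_nvr(pkg, fixed_pkg) < 0 else "patched"
        result[pkg] = status
    return result


if __name__ == "__main__":
    # On a real host replace SAMPLE_INSTALLED with the output of `rpm -qa`.
    for pkg, status in audit(SAMPLE_INSTALLED, FIXED_PACKAGES).items():
        print(f"{status:10s} {pkg}")
```

Only packages whose name and architecture appear in the fixed list are judged; anything else is left out of the result so unrelated packages never produce a false "vulnerable". Feeding the script the real `rpm -qa` output of an Amazon Linux AMI host gives a quick confirmation that the update was applied to every poppler subpackage, not just the main one.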

External links

https://alas.aws.amazon.com/ALAS-2018-1110.html
