SB2018122505 - Multiple vulnerabilities in Foxit Quick PDF Library




Published: December 25, 2018

Security Bulletin ID: SB2018122505
Severity: Low
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Stack-based buffer overflow (CVE-ID: CVE-2018-20247)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists due to a stack-based buffer overflow when handling malicious input. A local attacker can load a malformed or malicious PDF containing a recursive page tree structure using the LoadFromFile, LoadFromString or LoadFromStream functions, trigger memory corruption and cause the service to crash or execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.


2) Out-of-bounds read (CVE-ID: CVE-2018-20248)

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The weakness exists due to an out-of-bounds read when handling malicious input. A local attacker can load a malformed or malicious PDF containing invalid xref table pointers or invalid xref table data using the LoadFromFile, LoadFromString, LoadFromStream, DAOpenFile or DAOpenFileReadOnly functions, trigger memory corruption and bypass security restrictions to conduct further attacks.


3) Out-of-bounds read (CVE-ID: CVE-2018-20249)

The vulnerability allows a local attacker to bypass security restrictions on the target system.

The weakness exists due to an out-of-bounds read when handling malicious input. A local attacker can load a malformed or malicious PDF containing invalid xref entries using the DAOpenFile or DAOpenFileReadOnly functions, trigger memory corruption and bypass security restrictions to conduct further attacks.
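Added example (not code from the vendor or from this bulletin): a C sketch of the parser-side checks that close off the bug classes in items 1 to 3, walking the page tree with a bounded explicit stack and cycle detection, and rejecting xref offsets that fall outside the file. The types, limits and function names are assumptions made for illustration, over a simplified in-memory model of a parsed PDF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OBJS  64  /* assumed caps for this sketch */
#define MAX_KIDS  8
#define MAX_DEPTH 32

/* Simplified, constructed model of a parsed PDF; not the library's types. */
typedef struct { uint64_t offset; int in_use; } xref_entry;
typedef struct { int is_leaf; size_t nkids; uint32_t kids[MAX_KIDS]; } page_node;

/* Reject in-use xref entries whose byte offset lies outside the file. */
int xref_ok(const xref_entry *x, size_t n, size_t file_len) {
    if (n > MAX_OBJS) return 0;
    for (size_t i = 0; i < n; i++)
        if (x[i].in_use && x[i].offset >= file_len) return 0;
    return 1;
}

/* Count leaf pages without native recursion; -1 on cycle, bad index or depth. */
long count_pages(const page_node *t, size_t n, uint32_t root) {
    uint32_t stack[MAX_OBJS]; uint8_t depth[MAX_OBJS], seen[MAX_OBJS];
    size_t sp = 0; long pages = 0;
    if (n > MAX_OBJS || root >= n) return -1;
    memset(seen, 0, sizeof seen);
    stack[sp] = root; depth[sp++] = 0; seen[root] = 1;
    while (sp > 0) {
        uint32_t id = stack[--sp]; uint8_t d = depth[sp];
        if (t[id].is_leaf) { pages++; continue; }
        if (d >= MAX_DEPTH || t[id].nkids > MAX_KIDS) return -1;
        for (size_t k = 0; k < t[id].nkids; k++) {
            uint32_t kid = t[id].kids[k];
            if (kid >= n || seen[kid]) return -1;  /* bad index or revisit */
            seen[kid] = 1;  /* each node is pushed once, so sp <= n */
            stack[sp] = kid; depth[sp++] = (uint8_t)(d + 1);
        }
    }
    return pages;
}

int main(void) {
    /* Constructed sample: node 0 -> {1, 2}, node 2 -> {0} (a cycle). */
    page_node t[3] = {{0, 2, {1, 2}}, {1, 0, {0}}, {0, 1, {0}}};
    xref_entry x[1] = {{4096, 1}};  /* offset past the end of a 1 KiB file */
    printf("pages=%ld xref_ok=%d\n", count_pages(t, 3, 0), xref_ok(x, 1, 1024));
    return 0;
}
```

Because a page tree node has exactly one parent, any second reference to a node is treated as malformed input rather than followed.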


Remediation

Install the update from the vendor's website.