SB2023103151 - SUSE update for poppler

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2022-37050)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the PDFDoc::savePageAs() function in PDFDoc.c. A remote attacker can trick the victim to open a specially crafted PDF file and perform a denial of service (DoS) attack.

Note, the vulnerability exists due to incomplete patch for #VU16830 (CVE-2018-20662).

2) Reachable Assertion (CVE-ID: CVE-2022-37051)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in pdfunite.cc. A remote attacker can trick the victim to open a specially crafted PDF file and crash the application.

3) Reachable Assertion (CVE-ID: CVE-2022-38349)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion within the PDFDoc::replacePageDict() function in PDFDoc.cc. A remote attacker can trick the victim to open a specially crafted PDF file and crash the application.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2023/suse-su-20233947-1/