{"affected":[{"ecosystem_specific":{"binaries":[{"libpodofo0_9_2":"0.9.2-3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Desktop 12 SP3","name":"podofo","purl":"pkg:rpm/suse/podofo&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.9.2-3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libpodofo-devel":"0.9.2-3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Software Development Kit 12 SP3","name":"podofo","purl":"pkg:rpm/suse/podofo&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.9.2-3.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libpodofo0_9_2":"0.9.2-3.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Workstation Extension 12 SP3","name":"podofo","purl":"pkg:rpm/suse/podofo&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.9.2-3.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for podofo fixes the following issues:\n\n- CVE-2017-5852: The PoDoFo::PdfPage::GetInheritedKeyFromObject function\n  allowed remote attackers to cause a denial of service (infinite loop) via a\n  crafted file (bsc#1023067).\n- CVE-2017-5853: Integer overflow allowed remote attackers to have unspecified\n  impact via a crafted file (bsc#1023069).\n- CVE-2017-5854: Prevent NULL pointer dereference that allowed remote attackers\n  to cause a denial of service via a crafted file (bsc#1023070).\n- CVE-2017-5855: The PoDoFo::PdfParser::ReadXRefSubsection function allowed\n  remote attackers to cause a denial of service (NULL pointer dereference) via a\n  crafted file (bsc#1023071).\n- CVE-2017-5886: Prevent heap-based buffer overflow in the\n  PoDoFo::PdfTokenizer::GetNextToken function that allowed remote attackers to\n  have unspecified impact via a crafted file (bsc#1023380).\n- CVE-2017-6847: The PoDoFo::PdfVariant::DelayedLoad function allowed remote\n  attackers to cause a denial of service (NULL pointer dereference) via a crafted\n  file (bsc#1027778).\n- CVE-2017-6844: Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection\n  function allowed remote attackers to have unspecified impact via a crafted file\n  (bsc#1027782).\n- CVE-2017-6840: The ColorChanger::GetColorFromStack function allowed remote\n  attackers to cause a denial of service (invalid read) via a crafted file\n  (bsc#1027787).\n- CVE-2017-7378: The PoDoFo::PdfPainter::ExpandTabs function allowed remote\n  attackers to cause a denial of service (heap-based buffer over-read and\n  application crash) via a crafted PDF document (bsc#1032017).\n- CVE-2017-7379: The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function\n  allowed remote attackers to cause a denial of service (heap-based buffer\n  over-read and application crash) via a crafted PDF document (bsc#1032018).\n- CVE-2017-7380: Prevent NULL pointer dereference that allowed remote attackers\n  to cause a denial of service via a crafted PDF document (bsc#1032019).\n- CVE-2017-7994: The function TextExtractor::ExtractText allowed remote\n  attackers to cause a denial of service (NULL pointer dereference and\n  application crash) via a crafted PDF document (bsc#1035534).\n- CVE-2017-8054: The function PdfPagesTree::GetPageNodeFromArray allowed remote\n  attackers to cause a denial of service (infinite recursion and application\n  crash) via a crafted PDF document (bsc#1035596).\n- CVE-2017-8787: The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry\n  function allowed remote attackers to cause a denial of service (heap-based\n  buffer over-read) or possibly have unspecified other impact via a crafted PDF\n  file (bsc#1037739).\n- CVE-2018-5308: Properly validate memcpy arguments in the\n  PdfMemoryOutputStream::Write function to prevent remote attackers from causing\n  a denial-of-service or possibly have unspecified other impact via a crafted pdf\n  file (bsc#1075772).\n- CVE-2018-8001: Prevent heap-based buffer over-read vulnerability in\n  UnescapeName() that allowed remote attackers to cause a denial-of-service or\n  possibly unspecified other impact via a crafted pdf file (bsc#1084894).\n","id":"SUSE-SU-2018:2481-1","modified":"2018-08-22T14:58:50Z","published":"2018-08-22T14:58:50Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20182481-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1023067"},{"type":"REPORT","url":"https://bugzilla.suse.com/1023069"},{"type":"REPORT","url":"https://bugzilla.suse.com/1023070"},{"type":"REPORT","url":"https://bugzilla.suse.com/1023071"},{"type":"REPORT","url":"https://bugzilla.suse.com/1023380"},{"type":"REPORT","url":"https://bugzilla.suse.com/1027778"},{"type":"REPORT","url":"https://bugzilla.suse.com/1027782"},{"type":"REPORT","url":"https://bugzilla.suse.com/1027787"},{"type":"REPORT","url":"https://bugzilla.suse.com/1032017"},{"type":"REPORT","url":"https://bugzilla.suse.com/1032018"},{"type":"REPORT","url":"https://bugzilla.suse.com/1032019"},{"type":"REPORT","url":"https://bugzilla.suse.com/1035534"},{"type":"REPORT","url":"https://bugzilla.suse.com/1035596"},{"type":"REPORT","url":"https://bugzilla.suse.com/1037739"},{"type":"REPORT","url":"https://bugzilla.suse.com/1075772"},{"type":"REPORT","url":"https://bugzilla.suse.com/1084894"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-5852"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-5853"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-5854"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-5855"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-5886"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-6840"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-6844"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-6847"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7378"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7379"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7380"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-7994"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-8054"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-8787"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-5308"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2018-8001"}],"related":["CVE-2017-5852","CVE-2017-5853","CVE-2017-5854","CVE-2017-5855","CVE-2017-5886","CVE-2017-6840","CVE-2017-6844","CVE-2017-6847","CVE-2017-7378","CVE-2017-7379","CVE-2017-7380","CVE-2017-7994","CVE-2017-8054","CVE-2017-8787","CVE-2018-5308","CVE-2018-8001"],"summary":"Security update for podofo","upstream":["CVE-2017-5852","CVE-2017-5853","CVE-2017-5854","CVE-2017-5855","CVE-2017-5886","CVE-2017-6840","CVE-2017-6844","CVE-2017-6847","CVE-2017-7378","CVE-2017-7379","CVE-2017-7380","CVE-2017-7994","CVE-2017-8054","CVE-2017-8787","CVE-2018-5308","CVE-2018-8001"]}