CVE-2022-38784 Poppler before version 22.08 has an integer overflow in the JBIG2 decoder. This could lead to a crash or the execution of arbitrary code.

This vulnerability affects the official build of Poppler prior to version 22.08.0 on Ubuntu 14.04 LTS and 18.04. It does not affect Windows or other operating systems. Users running vulnerable versions of Poppler should update as soon as possible to protect against possible attack.

CVE-2018-5457 A heap-based buffer overflow was discovered in poppler-gd JBIG1/2 decoder that is used by Poppler to render PDF documents. A maliciously crafted PDF file could cause an application using Poppler to crash, resulting in a denial of service, or potentially execute arbitrary code. This vulnerability affects the official build of Poppler prior to version 22.08.0 on Ubuntu 14.04 LTS and 18.04. It does not affect Windows or other operating systems. Users running vulnerable versions of Poppler should update as soon as possible to protect against possible attack. CVE-2018-5457 was discovered by Dawid Golunski of LegalHackers.org.

Vulnerability overview

Both vulnerabilities, CVE-2022-38784 and CVE-2018-5457, are severe. The first vulnerability affects the official build of Poppler prior to version 22.08.0 on Ubuntu 14.04 LTS and 18.04 which is used by millions of people in packages for Linux. The second vulnerability affects the official build of Poppler prior to version 22.08.0 on Ubuntu 14.04 LTS and 18.04 which is used by millions of people as well, but this vulnerability also affects Windows users who might be using these packages in their work environment as well as other operating systems that use these vulnerable packages like CentOS or Red Hat Enterprise Linux 7 (RHEL 7).

Potential Impact

The risk of a successful attack is not currently known.

What is Poppler?

Poppler is a library designed to provide high-quality PDF rendering. It supports many different backends, including X11, Cairo, and Qt's Print Services. The goal of the project is to provide a unified interface to PDF generation through multiple backends.

Standard warning

Poppler is an open source PDF rendering library for Linux and other systems, used to display Portable Document Format files. It is the default PDF library in Ubuntu 18.04 LTS and was also available in previous versions of Ubuntu.
Poppler is vulnerable to a heap-based buffer overflow that affects its JBIG1/2 decoder, which could be exploited by a maliciously crafted PDF file to cause an application using Poppler to crash, resulting in denial of service or potentially execute arbitrary code. This vulnerability affects the official build of Poppler prior to version 22.08.0 on Ubuntu 14.04 LTS and 18.04. It does not affect Windows or other operating systems. Users running vulnerable versions of Poppler should update as soon as possible to protect against possible attack.

Timeline

Published on: 08/30/2022 03:15:00 UTC
Last modified on: 09/26/2022 02:15:00 UTC

References

• https://poppler.freedesktop.org/releases.html
• https://github.com/jeffssh/CVE-2021-30860
• https://gist.github.com/zmanion/b2ed0d1a0cec163ecd07d5e3d9740dc6
• https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1261/diffs?commit_id=27354e9d9696ee2bc063910a6c9a6b27c5184a52
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38171
• http://www.openwall.com/lists/oss-security/2022/09/02/11
• https://www.debian.org/security/2022/dsa-5224
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQAO6O2XHPQHNW2MWOCJJ4C3YWS2VV4K/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J546EJUKUOPWA3JSLP7DYNBAU3YGNCCW/
• https://lists.debian.org/debian-lts-announce/2022/09/msg00030.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38784