[manjaro-security] [ASA-201910-10] xpdf: arbitrary code execution
Morten Linderud
foxboron at archlinux.org
Wed Oct 23 16:19:47 CEST 2019
Arch Linux Security Advisory ASA-201910-10
==========================================
Severity: Medium
Date : 2019-10-16
CVE-ID : CVE-2019-16927
Package : xpdf
Type : arbitrary code execution
Remote : No
Link : https://security.archlinux.org/AVG-1048
Summary
=======
The package xpdf before version 4.02-1 is vulnerable to arbitrary code
execution.
Resolution
==========
Upgrade to 4.02-1.
# pacman -Syu "xpdf>=4.02-1"
The problem has been fixed upstream in version 4.02.
Workaround
==========
None.
Description
===========
Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the
TextPage::findGaps function in TextOutputDev.cc, a different
vulnerability than CVE-2019-9877.
Impact
======
A local attacker is able to execute arbitrary code via a specially
crafted PDF document.
References
==========
https://bugs.archlinux.org/task/63980
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41885
https://security.archlinux.org/CVE-2019-16927
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20191023/2ed289bc/attachment.sig>
More information about the manjaro-security
mailing list