CVE-2017-1000456 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Poppler

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-682 — Incorrect Calculation CWE-125 — Out-of-bounds Read10 documents8 sources

Severity

8.8HIGHNVD

EPSS

0.7%

top 27.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Poppler Debian Linux

Timeline

PublishedJan 2

Latest updateMay 14

Description

freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addWord, leading to overflow in subsequent calculations.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Debianfreedesktop/poppler< 0.61.1-2+3

▶Ubuntufreedesktop/poppler< 0.24.5-2ubuntu4.9+1

▶NVDfreedesktop/poppler0.60.1

Also affects: Debian Linux 7.0, 8.0, 9.0

Patches

Patch: bugs.freedesktop.org ↗Patch: bugs.freedesktop.org ↗

🔴Vulnerability Details

GHSA

GHSA-54wv-g6q8-8695: freedesktop↗2022-05-14

▶

OSV

poppler vulnerabilities↗2018-01-08

▶

OSV

CVE-2017-1000456: freedesktop↗2018-01-02

▶

CVEList

CVE-2017-1000456: freedesktop↗2018-01-02

▶

📋Vendor Advisories

Ubuntu

poppler vulnerabilities↗2018-01-08

▶

Red Hat

poppler: Invalid read in TextPool::addWord() causes crash and can lead to overflow in subsequent calculations↗2017-10-05

▶

Debian

CVE-2017-1000456: poppler - freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addW...↗2017

▶

💬Community

Bugzilla

CVE-2017-1000456 poppler: Invalid read in TextPool::addWord() causes crash and can lead to overflow in subsequent calculations↗2018-01-05

▶

Bugzilla

CVE-2017-1000456 poppler: Invalid read in TextPool::addWord() causes crash and can lead to overflow in subsequent calculations [fedora-all]↗2018-01-05

▶