CVE-2022-38784 — Integer Overflow or Wraparound in Poppler

CWE-190 — Integer Overflow or Wraparound7 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 75.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Poppler Debian Linux Fedoraproject Fedora

Timeline

PublishedAug 30

Latest updateSep 12

Description

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶Debianfreedesktop/poppler< 20.09.0-3.1+deb11u1+3

▶NVDfreedesktop/poppler22.08.0

Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36, 37

Patches

Patch: gitlab.freedesktop.org ↗Patch: gitlab.freedesktop.org ↗

🔴Vulnerability Details

GHSA

GHSA-5557-33mq-5995: Poppler prior to and including 22↗2022-08-31

▶

OSV

CVE-2022-38784: Poppler prior to and including 22↗2022-08-30

▶

CVEList

CVE-2022-38784: Poppler prior to and including 22↗2022-08-30

▶

📋Vendor Advisories

Ubuntu

poppler vulnerability↗2022-09-12

▶

Red Hat

poppler: integer overflow in JBIG2 decoder using malformed files↗2022-08-30

▶

Debian

CVE-2022-38784: poppler - Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2...↗2022

▶