Security update for poppler SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0480-1 Final 1 1 2023-02-22T14:03:45Z current 2023-02-22T14:03:45Z 2023-02-22T14:03:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for poppler This update for poppler fixes the following issues: - CVE-2022-38784: Fixed integer overflow in the JBIG2 decoder (bsc#1202692). - CVE-2019-13283: Fixed heap-based buffer over-read that could be triggered by sending a crafted PDF document to the pdftotext tool (bsc#1140877). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-480,SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-480,SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-480,SUSE-SLE-Product-SLES_SAP-15-SP1-2023-480,openSUSE-SLE-15.4-2023-480 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230480-1/ Link for SUSE-SU-2023:0480-1 https://lists.suse.com/pipermail/sle-security-updates/2023-February/013869.html E-Mail link for SUSE-SU-2023:0480-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1140877 SUSE Bug 1140877 https://bugzilla.suse.com/1202692 SUSE Bug 1202692 https://www.suse.com/security/cve/CVE-2019-13283/ SUSE CVE CVE-2019-13283 page https://www.suse.com/security/cve/CVE-2022-38784/ SUSE CVE CVE-2022-38784 page SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP1 openSUSE Leap 15.4 libpoppler-cpp0-0.62.0-150000.4.9.1 libpoppler-cpp0-32bit-0.62.0-150000.4.9.1 libpoppler-cpp0-64bit-0.62.0-150000.4.9.1 libpoppler-devel-0.62.0-150000.4.9.1 libpoppler-glib-devel-0.62.0-150000.4.9.1 libpoppler-glib8-0.62.0-150000.4.9.1 libpoppler-glib8-32bit-0.62.0-150000.4.9.1 libpoppler-glib8-64bit-0.62.0-150000.4.9.1 libpoppler-qt5-1-0.62.0-150000.4.9.1 libpoppler-qt5-1-32bit-0.62.0-150000.4.9.1 libpoppler-qt5-1-64bit-0.62.0-150000.4.9.1 libpoppler-qt5-devel-0.62.0-150000.4.9.1 libpoppler73-0.62.0-150000.4.9.1 libpoppler73-32bit-0.62.0-150000.4.9.1 libpoppler73-64bit-0.62.0-150000.4.9.1 poppler-tools-0.62.0-150000.4.9.1 typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 libpoppler-cpp0-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS libpoppler-devel-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS libpoppler-glib-devel-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS libpoppler-glib8-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS libpoppler73-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS poppler-tools-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS libpoppler-cpp0-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS libpoppler-devel-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS libpoppler-glib-devel-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS libpoppler-glib8-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS libpoppler73-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS poppler-tools-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS libpoppler-cpp0-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 libpoppler-devel-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 libpoppler-glib-devel-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 libpoppler-glib8-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 libpoppler73-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 poppler-tools-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 libpoppler73-0.62.0-150000.4.9.1 as a component of openSUSE Leap 15.4 libpoppler73-32bit-0.62.0-150000.4.9.1 as a component of openSUSE Leap 15.4 In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in strncpy from FoFiType1::parse in fofi/FoFiType1.cc because it does not ensure the source string has a valid length before making a fixed-length copy. It can, for example, be triggered by sending a crafted PDF document to the pdftotext tool. It allows an attacker to use a crafted pdf file to cause Denial of Service or an information leak, or possibly have unspecified other impact. CVE-2019-13283 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler-cpp0-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler-glib-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler-glib8-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler73-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:poppler-tools-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler-cpp0-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler-glib-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler-glib8-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler73-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:poppler-tools-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler-cpp0-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler-glib-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler-glib8-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler73-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:poppler-tools-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 openSUSE Leap 15.4:libpoppler73-0.62.0-150000.4.9.1 openSUSE Leap 15.4:libpoppler73-32bit-0.62.0-150000.4.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230480-1/ https://www.suse.com/security/cve/CVE-2019-13283.html CVE-2019-13283 https://bugzilla.suse.com/1140877 SUSE Bug 1140877 Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf. CVE-2022-38784 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler-cpp0-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler-glib-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler-glib8-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:libpoppler73-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:poppler-tools-0.62.0-150000.4.9.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler-cpp0-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler-glib-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler-glib8-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:libpoppler73-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:poppler-tools-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server 15 SP1-LTSS:typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler-cpp0-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler-glib-devel-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler-glib8-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:libpoppler73-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:poppler-tools-0.62.0-150000.4.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:typelib-1_0-Poppler-0_18-0.62.0-150000.4.9.1 openSUSE Leap 15.4:libpoppler73-0.62.0-150000.4.9.1 openSUSE Leap 15.4:libpoppler73-32bit-0.62.0-150000.4.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230480-1/ https://www.suse.com/security/cve/CVE-2022-38784.html CVE-2022-38784 https://bugzilla.suse.com/1202692 SUSE Bug 1202692 https://bugzilla.suse.com/1203392 SUSE Bug 1203392