CVE-2018-13988

NameCVE-2018-13988
DescriptionPoppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1562-1
NVD severitymedium (attack range: remote)
Debian Bugs904922

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
poppler (PTS)jessie0.26.5-2+deb8u4vulnerable
jessie (security)0.26.5-2+deb8u7fixed
stretch (security), stretch0.48.0-2+deb9u2vulnerable
buster, sid0.71.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
popplersource(unstable)0.69.0-2low904922
popplersourcejessie0.26.5-2+deb8u5mediumDLA-1562-1

Notes

[stretch] - poppler <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1602838
https://cgit.freedesktop.org/poppler/poppler/commit/?id=004e3c10df0abda214f0c293f9e269fdd979c5ee (poppler-0.67.0)

Search for package or bug name: Reporting problems