CVE-2018-20797

Name	CVE-2018-20797
Description	An issue was discovered in PoDoFo 0.9.6. There is an attempted excessive memory allocation in PoDoFo::podofo_calloc in base/PdfMemoryManagement.cpp when called from PoDoFo::PdfPredictorDecoder::PdfPredictorDecoder in base/PdfFiltersPrivate.cpp.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity	medium (attack range: remote)
Debian Bugs	923415

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libpodofo (PTS)	jessie	0.9.0-1.2	vulnerable
	stretch	0.9.4-6	vulnerable
	buster, bullseye, sid	0.9.6+dfsg-5	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libpodofo	source	(unstable)	(unfixed)	low		923415

Notes

[buster] - libpodofo <no-dsa> (Minor issue)
[stretch] - libpodofo <no-dsa> (Minor issue)
[jessie] - libpodofo <no-dsa> (Minor issue)
https://sourceforge.net/p/podofo/tickets/34/