CVE-2019-13281

NameCVE-2019-13281
DescriptionIn Xpdf 4.01.01, a heap-based buffer overflow could be triggered in DCTStream::decodeImage() in Stream.cc when writing to frameBuf memory. It can, for example, be triggered by sending a crafted PDF document to the pdftotext tool. It allows an attacker to use a crafted pdf file to cause Denial of Service, an information leak, or possibly unspecified other impact.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xpdf (PTS)bullseye3.04+git20210103-3fixed
bookworm3.04+git20220601-1fixed
forky, sid, trixie3.04+git20250304-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xpdfsource(unstable)(not affected)

Notes

- xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
Search for package or bug name: Reporting problems