First published: Fri Jan 03 2014(Updated: )
Poppler was recently reported to be vulnerable to a flaw, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library. The vulnerability is caused due to a format string error when handling extraneous bytes within a segment in the "JBIG2Stream::readSegments()" method in JBIG2Stream.cc, which can be exploited to cause a crash. The issue is said to be fixed in Poppler 0.24.5. References: <a href="https://bugs.gentoo.org/show_bug.cgi?id=496770">https://bugs.gentoo.org/show_bug.cgi?id=496770</a> <a href="https://bugs.kde.org/show_bug.cgi?id=328511">https://bugs.kde.org/show_bug.cgi?id=328511</a> (okular) Commit: <a href="http://cgit.freedesktop.org/poppler/poppler/commit/?id=58e04a08afee39370283c494ee2e4e392fd3b684">http://cgit.freedesktop.org/poppler/poppler/commit/?id=58e04a08afee39370283c494ee2e4e392fd3b684</a>
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/poppler | <0.24.5 | 0.24.5 |
Poppler Utilities | <=0.24.3 | |
Poppler Utilities | =0.1 | |
Poppler Utilities | =0.1.1 | |
Poppler Utilities | =0.1.2 | |
Poppler Utilities | =0.2.0 | |
Poppler Utilities | =0.10.0 | |
Poppler Utilities | =0.10.1 | |
Poppler Utilities | =0.10.2 | |
Poppler Utilities | =0.10.3 | |
Poppler Utilities | =0.10.4 | |
Poppler Utilities | =0.10.5 | |
Poppler Utilities | =0.10.6 | |
Poppler Utilities | =0.10.7 | |
Poppler Utilities | =0.11.0 | |
Poppler Utilities | =0.11.1 | |
Poppler Utilities | =0.11.2 | |
Poppler Utilities | =0.11.3 | |
Poppler Utilities | =0.12.0 | |
Poppler Utilities | =0.12.1 | |
Poppler Utilities | =0.12.2 | |
Poppler Utilities | =0.12.3 | |
Poppler Utilities | =0.12.4 | |
Poppler Utilities | =0.13.0 | |
Poppler Utilities | =0.13.1 | |
Poppler Utilities | =0.13.2 | |
Poppler Utilities | =0.13.3 | |
Poppler Utilities | =0.13.4 | |
Poppler Utilities | =0.14.0 | |
Poppler Utilities | =0.14.1 | |
Poppler Utilities | =0.14.2 | |
Poppler Utilities | =0.14.3 | |
Poppler Utilities | =0.14.4 | |
Poppler Utilities | =0.14.5 | |
Poppler Utilities | =0.15.0 | |
Poppler Utilities | =0.15.1 | |
Poppler Utilities | =0.15.2 | |
Poppler Utilities | =0.15.3 | |
Poppler Utilities | =0.16.0 | |
Poppler Utilities | =0.16.1 | |
Poppler Utilities | =0.16.2 | |
Poppler Utilities | =0.16.3 | |
Poppler Utilities | =0.16.4 | |
Poppler Utilities | =0.16.5 | |
Poppler Utilities | =0.16.6 | |
Poppler Utilities | =0.16.7 | |
Poppler Utilities | =0.17.0 | |
Poppler Utilities | =0.17.1 | |
Poppler Utilities | =0.17.2 | |
Poppler Utilities | =0.17.3 | |
Poppler Utilities | =0.17.4 | |
Poppler Utilities | =0.18.0 | |
Poppler Utilities | =0.18.1 | |
Poppler Utilities | =0.18.2 | |
Poppler Utilities | =0.18.3 | |
Poppler Utilities | =0.18.4 | |
Poppler Utilities | =0.19.0 | |
Poppler Utilities | =0.19.1 | |
Poppler Utilities | =0.19.2 | |
Poppler Utilities | =0.19.3 | |
Poppler Utilities | =0.19.4 | |
Poppler Utilities | =0.20.0 | |
Poppler Utilities | =0.20.1 | |
Poppler Utilities | =0.20.2 | |
Poppler Utilities | =0.20.3 | |
Poppler Utilities | =0.20.4 | |
Poppler Utilities | =0.20.5 | |
Poppler Utilities | =0.21.0 | |
Poppler Utilities | =0.21.1 | |
Poppler Utilities | =0.21.2 | |
Poppler Utilities | =0.21.3 | |
Poppler Utilities | =0.21.4 | |
Poppler Utilities | =0.22.0 | |
Poppler Utilities | =0.22.1 | |
Poppler Utilities | =0.22.2 | |
Poppler Utilities | =0.22.3 | |
Poppler Utilities | =0.22.4 | |
Poppler Utilities | =0.23.0 | |
Poppler Utilities | =0.23.1 | |
Poppler Utilities | =0.23.2 | |
Poppler Utilities | =0.23.3 | |
Poppler Utilities | =0.23.4 | |
Poppler Utilities | =0.24.0 | |
Poppler Utilities | =0.24.1 | |
Poppler Utilities | =0.24.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2013-7296 is classified as a denial of service vulnerability leading to application crashes.
To fix CVE-2013-7296, upgrade Poppler to version 0.24.5 or later.
CVE-2013-7296 affects Poppler versions prior to 0.24.5.
CVE-2013-7296 involves a context-dependent attack exploiting malformed PDF files.
Yes, CVE-2013-7296 can be exploited remotely through maliciously crafted PDF files.