First published: Wed Dec 26 2018(Updated: )
A flaw was found in Poppler 0.72.0. A NULL pointer dereference in the XRef::getEntry class in XRef.cc file due to the mishandle of unallocated XRef entries. This allows remote attackers to cause a denial of service via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc. References: <a href="https://gitlab.freedesktop.org/poppler/poppler/issues/692">https://gitlab.freedesktop.org/poppler/poppler/issues/692</a> Upstream Patch: <a href="https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143">https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143</a>
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
freedesktop poppler | =0.72.0 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Debian Debian Linux | =8.0 | |
debian/poppler | 20.09.0-3.1+deb11u1 22.12.0-2 24.08.0-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2018-20481 is a vulnerability in the Poppler PDF library that allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document.
CVE-2018-20481 affects the Poppler package version 0.72.0 and prior on Debian and Ubuntu Linux distributions.
CVE-2018-20481 has a severity rating of 6.5 (medium).
To fix the CVE-2018-20481 vulnerability, you should update the Poppler package to version 0.71.0-5 or later on Debian, or version 0.41.0-0ubuntu1.11 or later on Ubuntu.
More information about CVE-2018-20481 can be found at the following references: [http://www.securityfocus.com/bid/106321](http://www.securityfocus.com/bid/106321) and [https://access.redhat.com/errata/RHSA-2019:2022](https://access.redhat.com/errata/RHSA-2019:2022)