Package: libpodofo
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libpodofo.

CVE-2018-8000[0]:
| In PoDoFo 0.9.5, there exists a heap-based buffer overflow
| vulnerability in PoDoFo::PdfTokenizer::GetNextToken() in
| PdfTokenizer.cpp, a related issue to CVE-2017-5886. Remote attackers
| could leverage this vulnerability to cause a denial-of-service or
| potentially execute arbitrary code via a crafted pdf file.

CVE-2018-8001[1]:
| In PoDoFo 0.9.5, there exists a heap-based buffer over-read
| vulnerability in UnescapeName() in PdfName.cpp. Remote attackers could
| leverage this vulnerability to cause a denial-of-service or possibly
| unspecified other impact via a crafted pdf file.

CVE-2018-8002[2]:
| In PoDoFo 0.9.5, there exists an infinite loop vulnerability in
| PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may
| result in stack overflow. Remote attackers could leverage this
| vulnerability to cause a denial-of-service or possibly unspecified
| other impact via a crafted pdf file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8000
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8000
[1] https://security-tracker.debian.org/tracker/CVE-2018-8001
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8001
[2] https://security-tracker.debian.org/tracker/CVE-2018-8002
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8002

Please adjust the affected versions in the BTS as needed.