FS#63980 - [xpdf] <4.0.2 Multiple memory corruption issues, CVE-2019-16927
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 01 October 2019, 15:20 GMT
Last edited by Jan de Groot (JGC) - Friday, 25 October 2019, 07:35 GMT
Details
Arch Linux currently ships xpdf 4.01.01-2.
Upstream has released xpdf 4.0.2, fixing a large number of memory corruption issues. The latest of those issues has been assigned CVE-2019-16927, but that one seems to be just the tip of the iceberg. Sadly, the shortened release notes on upstream's website don't contain any information whatsoever about security-relevant changes, but at least you can find them in the CHANGES file inside the source code tarball. MITRE hasn't yet assigned a CVSS rating, but the German government's Federal Office for Information Security considers the CVE's severity "high" and claims it allows a remote attacker to execute malicious code with the victim user's privileges: https://www.cert-bund.de/advisoryshort/CB-K19-0857
Closed by Jan de Groot (JGC)
Friday, 25 October 2019, 07:35 GMT
Reason for closing: Fixed
Additional comments about closing: 4.0.2 is packaged