ALT-BU-2022-7256-2
Branch sisyphus update bulletin.
Package poppler-current updated to version 22.11.0-alt1 for branch sisyphus in task 310791.
Closed vulnerabilities
BDU:2021-05087
Vulnerability in the iPadOS, watchOS, iOS and Mac OS operating systems caused by an integer overflow, allowing an attacker to execute arbitrary code
BDU:2022-05310
Vulnerability in the JBIG2Stream::readTextRegionSeg() function (JBIG2Stream.cc) of the Xpdf PDF viewer, allowing an attacker to cause a denial of service or execute arbitrary code
BDU:2022-05993
Vulnerability in the JBIG2Stream::readTextRegionSeg() function of the JBIG2 decoder in the Poppler PDF rendering library, allowing an attacker to cause a denial of service or execute arbitrary code
BDU:2022-06926
Vulnerability in the Hints::Hints function (poppler/Hints.cc) of the Poppler PDF rendering library, allowing an attacker to cause a denial of service
Modified: 2025-02-28
CVE-2021-30860
An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- 20210917 APPLE-SA-2021-09-13-1 iOS 14.8 and iPadOS 14.8
- 20210917 APPLE-SA-2021-09-13-2 watchOS 7.6.2
- 20210917 APPLE-SA-2021-09-13-3 macOS Big Sur 11.6
- 20210917 APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina
- 20210921 APPLE-SA-2021-09-20-6 Additional information for APPLE-SA-2021-09-13-1 iOS 14.8 and iPadOS 14.8
- 20210921 APPLE-SA-2021-09-20-7 Additional information for APPLE-SA-2021-09-13-3 macOS Big Sur 11.6
- 20210921 APPLE-SA-2021-09-20-8 Additional information for APPLE-SA-2021-09-13-4 Security Update 2021-005 Catalina
- 20210924 APPLE-SA-2021-09-23-1 iOS 12.5.5
- [oss-security] 20220902 JBIG2 integer overflow fixed in Xpdf 4.04, Poppler 22.09.0
- GLSA-202209-21
- https://support.apple.com/en-us/HT212804
- https://support.apple.com/en-us/HT212805
- https://support.apple.com/en-us/HT212806
- https://support.apple.com/en-us/HT212807
- https://support.apple.com/kb/HT212824
Modified: 2024-11-21
CVE-2022-27337
A logic error in the Hints::Hints function of Poppler v22.03.0 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
- https://gitlab.freedesktop.org/poppler/poppler/-/issues/1230
- https://gitlab.freedesktop.org/poppler/poppler/-/issues/1230#note_1372177
- [debian-lts-announce] 20220925 [SECURITY] [DLA 3120-1] poppler security update
- FEDORA-2022-ce08b1c643
- DSA-5224
Modified: 2024-11-21
CVE-2022-38171
Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).
- [oss-security] 20220902 JBIG2 integer overflow fixed in Xpdf 4.04, Poppler 22.09.0
- http://www.xpdfreader.com/security-fixes.html
- https://dl.xpdfreader.com/xpdf-4.04.tar.gz
- https://github.com/jeffssh/CVE-2021-30860
- https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2022-38171.md
- https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
- https://www.cve.org/CVERecord?id=CVE-2021-30860
Modified: 2024-11-21
CVE-2022-38784
Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.
- [oss-security] 20220902 JBIG2 integer overflow fixed in Xpdf 4.04, Poppler 22.09.0
- https://github.com/jeffssh/CVE-2021-30860
- https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2022-38171.md
- https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1261/diffs?commit_id=27354e9d9696ee2bc063910a6c9a6b27c5184a52
- [debian-lts-announce] 20220925 [SECURITY] [DLA 3120-1] poppler security update
- FEDORA-2022-f79aa2bae9
- FEDORA-2022-f8ec1c06a3
- FEDORA-2022-51b27699ce
- FEDORA-2022-fcb3b063a6
- FEDORA-2022-f7b375eae8
- https://poppler.freedesktop.org/releases.html
- GLSA-202209-21
- https://www.cve.org/CVERecord?id=CVE-2022-38171
- DSA-5224
Closed vulnerabilities
BDU:2021-04029
Vulnerability in the Cockpit server manager related to errors in rendering user interface layers or frames, allowing an attacker to inject malicious code
Modified: 2024-11-21
CVE-2021-3660
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an
- https://bugzilla.redhat.com/show_bug.cgi?id=1980688
- https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10
- https://github.com/cockpit-project/cockpit/issues/16122
Modified: 2024-11-21
CVE-2021-3698
A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to confidentiality.
Closed vulnerabilities
BDU:2022-06933
Vulnerability in the PAC (Privileged Attribute Certificate) parameters of the krb5_parse_pac function of the Heimdal and MIT Kerberos packages of the Samba networking software, allowing an attacker to cause a denial of service
Modified: 2024-11-21
CVE-2022-42898
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
- https://bugzilla.samba.org/show_bug.cgi?id=15203
- https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c
- https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583
- GLSA-202309-06
- GLSA-202310-06
- https://security.netapp.com/advisory/ntap-20230216-0008/
- https://security.netapp.com/advisory/ntap-20230223-0001/
- https://web.mit.edu/kerberos/advisories/
- https://web.mit.edu/kerberos/krb5-1.19/
- https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt
- https://www.samba.org/samba/security/CVE-2022-42898.html
Closed bugs
No compatibility with installer-feature-samba-usershares
Closed bugs
Remove clockdiff and rdisc
Closed vulnerabilities
BDU:2022-06706
Vulnerability in the V8 JavaScript engine of the Google Chrome browser, allowing an attacker to execute arbitrary code
BDU:2022-06759
Vulnerability in the V8 JavaScript engine of the Google Chrome browser, allowing an attacker to execute arbitrary code
BDU:2022-06760
Vulnerability in the Web Workers mechanism of the Google Chrome browser, allowing an attacker to execute arbitrary code
BDU:2022-06761
Vulnerability in the WebCodecs component of the Google Chrome browser, allowing an attacker to execute arbitrary code
BDU:2022-06762
Vulnerability in the V8 JavaScript engine of the Google Chrome browser, allowing an attacker to execute arbitrary code
BDU:2022-06763
Vulnerability in the Crashpad component of the Google Chrome browser, allowing an attacker to execute arbitrary code
Modified: 2024-11-21
CVE-2022-3885
Use after free in V8 in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Modified: 2024-11-21
CVE-2022-3886
Use after free in Speech Recognition in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Modified: 2024-11-21
CVE-2022-3887
Use after free in Web Workers in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Modified: 2024-11-21
CVE-2022-3888
Use after free in WebCodecs in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Modified: 2024-11-21
CVE-2022-3889
Type confusion in V8 in Google Chrome prior to 107.0.5304.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Modified: 2024-11-21
CVE-2022-3890
Heap buffer overflow in Crashpad in Google Chrome on Android prior to 107.0.5304.106 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)