Re: poppler: CVE-2018-16646 denial-of-service via crafted file
On Fri, Sep 28, 2018 at 08:32:25PM +0200, Markus Koschany wrote:
> Package: poppler
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for poppler.
>
> CVE-2018-16646[0]:
> | In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause
> | infinite recursion via a crafted file. A remote attacker can leverage
> | this for a DoS attack.
For jessie the wrong patches got applied. They are based on MR 67, which
didn't get merged in favour of the patch from MR 91.
On a more general note: This bug has virtually no security impact, it's
hard to see why this change was made for an LTS release to begin with,
but at least wait until it's applied/fixed in unstable before backporting.
Cheers,
Moritz