Freedesktop Security Vulnerabilities

CVE-2017-14518

In Poppler 0.59.0, a floating point exception exists in the isImageInterpolationRequired() function in Splash.cc via a crafted PDF...

CVE-2017-14517

In Poppler 0.59.0, a NULL Pointer Dereference exists in the XRef::parseEntry() function in XRef.cc via a crafted PDF...

CVE-2017-14520

In Poppler 0.59.0, a floating point exception occurs in Splash::scaleImageYuXd() in Splash.cc, which may lead to a potential attack when handling malicious PDF...

CVE-2017-14519

In Poppler 0.59.0, memory corruption occurs in a call to Object::streamGetChar in Object.h after a repeating series of Gfx::display, Gfx::go, Gfx::execOp, Gfx::opShowText, and Gfx::doShowText calls (aka a Gfx.cc infinite...

CVE-2017-2814

An exploitable heap overflow vulnerability exists in the image rendering functionality of Poppler 0.53.0. A specifically crafted pdf can cause an image resizing after allocation has already occurred, resulting in heap corruption which can lead to code execution. An attacker controlled PDF file can....

CVE-2017-2818

An exploitable heap overflow vulnerability exists in the image rendering functionality of Poppler 0.53.0. A specifically crafted PDF can cause an overly large number of color components during image rendering, resulting in heap corruption. An attacker controlled PDF file can be used to trigger...

CVE-2017-9865

The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in...

CVE-2017-9776

Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in pdftocairo in Poppler before 0.56 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF...

CVE-2017-9775

Stack buffer overflow in GfxState.cc in pdftocairo in Poppler before 0.56 allows remote attackers to cause a denial of service (application crash) via a crafted PDF...

CVE-2017-7515

poppler through version 0.55.0 is vulnerable to an uncontrolled recursion in pdfunite resulting into potential...

CVE-2017-9406

In Poppler 0.54.0, a memory leak vulnerability was found in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted...

CVE-2017-9408

In Poppler 0.54.0, a memory leak vulnerability was found in the function Object::initArray in Object.cc, which allows attackers to cause a denial of service via a crafted...

CVE-2017-7511

poppler since version 0.17.3 has been vulnerable to NULL pointer dereference in pdfunite triggered by specially crafted...

CVE-2017-9083

poppler 0.54.0, as used in Evince and other products, has a NULL pointer dereference in the JPXStream::readUByte function in JPXStream.cc. For example, the perf_test utility will crash (segmentation fault) when parsing an invalid PDF...

CVE-2017-6355

Integer overflow in the vrend_create_shader function in vrend_renderer.c in virglrenderer before 0.6.0 allows local guest OS users to cause a denial of service (process crash) via crafted pkt_length and offlen values, which trigger an out-of-bounds...

CVE-2016-2568

pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input...

CVE-2015-8868

Heap-based buffer overflow in the ExponentialFunction::ExponentialFunction function in Poppler before 0.40.0 allows remote attackers to cause a denial of service (memory corruption and crash) or possibly execute arbitrary code via an invalid blend mode in the ExtGState dictionary in a crafted PDF.....

CVE-2010-5110

DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF...

CVE-2013-4472

The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable...

CVE-2013-7296

The JBIG2Stream::readSegments method in JBIG2Stream.cc in Poppler before 0.24.5 does not use the correct specifier within a format string, which allows context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted PDF...

CVE-2013-4473

Stack-based buffer overflow in the extractPages function in utils/pdfseparate.cc in poppler before 0.24.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a source...

CVE-2013-4474

Format string vulnerability in the extractPages function in utils/pdfseparate.cc in poppler before 0.24.3 allows remote attackers to cause a denial of service (crash) via format string specifiers in a destination...

CVE-2013-1788

poppler before 0.22.1 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors that trigger an "invalid memory access" in (1) splash/Splash.cc, (2) poppler/Function.cc, and (3)...

CVE-2013-1790

poppler/Stream.cc in poppler before 0.22.1 allows context-dependent attackers to have an unspecified impact via vectors that trigger a read of uninitialized memory by the CCITTFaxStream::lookChar...

CVE-2013-0292

The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed...

CVE-2011-2533

The configure script in D-Bus (aka DBus) 1.2.x before 1.2.28 allows local users to overwrite arbitrary files via a symlink attack on an unspecified file in...

CVE-2011-1000

jingle-factory.c in Telepathy Gabble 0.11 before 0.11.7, 0.10 before 0.10.5, and 0.8 before 0.8.15 allows remote attackers to sniff audio and video calls via a crafted google:jingleinfo stanza that specifies an alternate server for streamed...

CVE-2010-3702

The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized...

CVE-2010-1172

DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3)...

CVE-2010-1149

probers/udisks-dm-export.c in udisks before 1.0.1 exports UDISKS_DM_TARGETS_PARAMS information to udev even for a crypt UDISKS_DM_TARGETS_TYPE, which allows local users to discover encryption keys by (1) running a certain udevadm command or (2) reading a certain file under...

CVE-2010-0750

pkexec.c in pkexec in libpolkit in PolicyKit 0.96 allows local users to determine the existence of arbitrary files via the...

CVE-2009-0068

Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by...

CVE-2008-4311

The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to...

CVE-2008-4984

scratchbox2 1.99.0.24 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/dpkg.#####.tmp, (b) /tmp/missing_deps.#####, and (c) /tmp/sb2-pkg-chk.$tstamp.##### temporary files, related to the (1) dpkg-checkbuilddeps and (2) sb2-check-pkg-mappings...

CVE-2008-3834

The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion...