Test ID:	1.3.6.1.4.1.25623.1.1.10.2020.0294
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2020-0294)
Summary:	The remote host is missing an update for the 'podofo' package(s) announced via the MGASA-2020-0294 advisory.
Description:	Summary: The remote host is missing an update for the 'podofo' package(s) announced via the MGASA-2020-0294 advisory. Vulnerability Insight: The updated packages fix security vulnerabilities: A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryptionKey() function in PdfEncrypt.cpp in PoDoFo 0.9.6-rc1 could be leveraged by remote attackers to cause a denial-of-service via a crafted pdf file. (CVE-2018-12983) An issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PDF document, pPage->GetObject()->GetDictionary().AddKey(PdfName('MediaBox'),var) can be problematic due to the function GetObject() being called for the pPage NULL pointer object. The value of pPage at this point is 0x0, which causes a NULL pointer dereference. (CVE-2018-20751) PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. (CVE-2019-9199) PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp. (CVE-2019-9687) The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file, because of ImageExtractor.cpp. (CVE-2019-20093) Affected Software/OS: 'podofo' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2018-12983 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEJQUDZT4JRJSPZYY3UPSCTFPAC5TUHK/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMEMSUUXA3SL3AZAKKCTZFXVPHTBBK3O/ https://bugzilla.redhat.com/show_bug.cgi?id=1595693 Common Vulnerability Exposure (CVE) ID: CVE-2018-20751 https://research.loginsoft.com/bugs/null-pointer-dereference-vulnerability-in-crop_page-podofo-0-9-6/ https://sourceforge.net/p/podofo/tickets/33/ Common Vulnerability Exposure (CVE) ID: CVE-2019-20093 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHFOCBZCF3GX7A6FWE3JM7P37TQWGINJ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTB2J5XWOEGAJYR2N66GAECUIKDG6O2S/ https://sourceforge.net/p/podofo/tickets/75/ Common Vulnerability Exposure (CVE) ID: CVE-2019-9199 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTJ5AAM6Y4NMSELEH7N5ZG4DNO56BCYF/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIC2EXSSMBT3MY2HY42IIY4BUQS2SVYB/ https://github.com/jjanku/podofo/commit/ada821df68fb0bf673840ed525daf4ec709dbfd9 https://github.com/mksdev/podofo/commit/1400a9aaf611299b9a56aa2abeb158918b9743c8 https://research.loginsoft.com/bugs/null-pointer-dereference-vulnerability-in-setsource-podofo-0-9-6-trunk-r1967/ https://sourceforge.net/p/podofo/tickets/40/ Common Vulnerability Exposure (CVE) ID: CVE-2019-9687 https://sourceforge.net/p/podofo/code/1969
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.