Detections
Analytics

RHEL 5 : poppler (Unpatched Vulnerability)

high Nessus Plugin ID 196872

Synopsis

The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.

Description

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

 - poppler: recursive function call in JBIG2Stream::readGenericBitmap() in JBIG2Stream.cc causing denial of service (CVE-2019-9543)

 - freedesktop.org libpoppler 0.60.1 fails to validate boundaries in TextPool::addWord, leading to overflow in subsequent calculations. (CVE-2017-1000456)

 - In Poppler 0.59.0, a NULL Pointer Dereference exists in the XRef::parseEntry() function in XRef.cc via a crafted PDF document. (CVE-2017-14517)

 - In Poppler 0.59.0, a floating point exception exists in the isImageInterpolationRequired() function in Splash.cc via a crafted PDF document. (CVE-2017-14518)

 - In Poppler 0.59.0, memory corruption occurs in a call to Object::streamGetChar in Object.h after a repeating series of Gfx::display, Gfx::go, Gfx::execOp, Gfx::opShowText, and Gfx::doShowText calls (aka a Gfx.cc infinite loop). (CVE-2017-14519)

 - In Poppler 0.59.0, a floating point exception occurs in the ImageStream class in Stream.cc, which may lead to a potential attack when handling malicious PDF files. (CVE-2017-14617)

 - In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Content::Content in Annot.cc via a crafted PDF document. (CVE-2017-14926)

 - In Poppler 0.59.0, a NULL Pointer Dereference exists in the SplashOutputDev::type3D0() function in SplashOutputDev.cc via a crafted PDF document. (CVE-2017-14927)

 - In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Configuration::Configuration in Annot.cc via a crafted PDF document. (CVE-2017-14928)

 - In Poppler 0.59.0, memory corruption occurs in a call to Object::dictLookup() in Object.h after a repeating series of Gfx::display, Gfx::go, Gfx::execOp, Gfx::opFill, Gfx::doPatternFill, Gfx::doTilingPatternFill and Gfx::drawForm calls (aka a Gfx.cc infinite loop), a different vulnerability than CVE-2017-14519. (CVE-2017-14929)

 - The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a NULL pointer dereference vulnerability because a data structure is not initialized, which allows an attacker to launch a denial of service attack. (CVE-2017-14975)

 - The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a heap-based buffer over- read vulnerability if an out-of-bounds font dictionary index is encountered, which allows an attacker to launch a denial of service attack. (CVE-2017-14976)

 - The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler 0.59.0 has a NULL pointer dereference vulnerability due to lack of validation of a table pointer, which allows an attacker to launch a denial of service attack. (CVE-2017-14977)

 - In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageColorMap::getGrayLine() function in GfxState.cc via a crafted PDF document. (CVE-2017-15565)

 - The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops.
 (CVE-2017-18267)

 - poppler through version 0.55.0 is vulnerable to an uncontrolled recursion in pdfunite resulting into potential denial-of-service. (CVE-2017-7515)

 - poppler 0.54.0, as used in Evince and other products, has a NULL pointer dereference in the JPXStream::readUByte function in JPXStream.cc. For example, the perf_test utility will crash (segmentation fault) when parsing an invalid PDF file. (CVE-2017-9083)

 - In Poppler 0.54.0, a memory leak vulnerability was found in the function gmalloc in gmem.cc, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-9406)

 - In Poppler 0.54.0, a memory leak vulnerability was found in the function Object::initArray in Object.cc, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-9408)

 - Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in pdftocairo in Poppler before 0.56 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document. (CVE-2017-9776)

 - The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in ImageOutputDev.cc. (CVE-2017-9865)

 - Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.
 (CVE-2018-13988)

 - In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause infinite recursion via a crafted file. A remote attacker can leverage this for a DoS attack. (CVE-2018-16646)

 - XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef entries, which allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc. (CVE-2018-20481)

 - A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach. (CVE-2018-20650)

 - In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause a denial-of-service (application crash caused by Object.h SIGABRT, because of a wrong return value from PDFDoc::setup) by crafting a PDF file in which an xref data structure is mishandled during extractPDFSubtype processing. (CVE-2018-20662)

 - Poppler before 0.66.0 has an integer overflow in Parser::makeStream in Parser.cc. (CVE-2018-21009)

 - FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infinite recursion, leading to a call to the error function in Error.cc. (CVE-2019-11026)

 - In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths. (CVE-2019-12293)

 - The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo. (CVE-2019-9959)

 - A flaw was found in Poppler in the way certain PDF files were converted into HTML. A remote attacker could exploit this flaw by providing a malicious PDF file that, when processed by the 'pdftohtml' program, would crash the application causing a denial of service. (CVE-2020-27778)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

Solution

The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation guidance.

Plugin Details

Severity: High

ID: 196872

File Name: redhat_unpatched-poppler-rhel5.nasl

Version: 1.0

Type: local

Agent: unix

Published: 5/11/2024

Updated: 5/11/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-9543

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:5, cpe:/o:redhat:enterprise_linux:6, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:compat-poppler022, p-cpe:/a:redhat:enterprise_linux:evince, p-cpe:/a:redhat:enterprise_linux:poppler

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/19/2017

Reference Information

CVE: CVE-2017-1000456, CVE-2017-14517, CVE-2017-14518, CVE-2017-14519, CVE-2017-14617, CVE-2017-14926, CVE-2017-14927, CVE-2017-14928, CVE-2017-14929, CVE-2017-14975, CVE-2017-14976, CVE-2017-14977, CVE-2017-15565, CVE-2017-18267, CVE-2017-7515, CVE-2017-9083, CVE-2017-9406, CVE-2017-9408, CVE-2017-9776, CVE-2017-9865, CVE-2018-13988, CVE-2018-16646, CVE-2018-20481, CVE-2018-20650, CVE-2018-20662, CVE-2018-21009, CVE-2019-11026, CVE-2019-12293, CVE-2019-9543, CVE-2019-9959, CVE-2020-27778