Security update for podofo SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2137-1 Final 1 1 2024-06-21T11:08:09Z current 2024-06-21T11:08:09Z 2024-06-21T11:08:09Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for podofo This update for podofo fixes the following issues: - CVE-2019-9199: Fixed a NULL pointer dereference in podofoimpose (bsc#1127855) - CVE-2018-20797: Fixed an excessive memory allocation in PoDoFo:podofo_calloc (bsc#1127514) - CVE-2019-10723: Fixed a memory leak in PdfPagesTreeCache (bsc#1131544) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2137,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-2137,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-2137,openSUSE-SLE-15.5-2024-2137,openSUSE-SLE-15.6-2024-2137 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242137-1/ Link for SUSE-SU-2024:2137-1 https://lists.suse.com/pipermail/sle-updates/2024-June/035680.html E-Mail link for SUSE-SU-2024:2137-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1127514 SUSE Bug 1127514 https://bugzilla.suse.com/1127855 SUSE Bug 1127855 https://bugzilla.suse.com/1131544 SUSE Bug 1131544 https://www.suse.com/security/cve/CVE-2018-20797/ SUSE CVE CVE-2018-20797 page https://www.suse.com/security/cve/CVE-2019-10723/ SUSE CVE CVE-2019-10723 page https://www.suse.com/security/cve/CVE-2019-9199/ SUSE CVE CVE-2019-9199 page SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 libpodofo-devel-0.9.6-150300.3.9.1 libpodofo0_9_6-0.9.6-150300.3.9.1 podofo-0.9.6-150300.3.9.1 libpodofo-devel-0.9.6-150300.3.9.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 libpodofo0_9_6-0.9.6-150300.3.9.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 podofo-0.9.6-150300.3.9.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 libpodofo-devel-0.9.6-150300.3.9.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 libpodofo0_9_6-0.9.6-150300.3.9.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 podofo-0.9.6-150300.3.9.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 libpodofo-devel-0.9.6-150300.3.9.1 as a component of openSUSE Leap 15.5 libpodofo0_9_6-0.9.6-150300.3.9.1 as a component of openSUSE Leap 15.5 podofo-0.9.6-150300.3.9.1 as a component of openSUSE Leap 15.5 libpodofo-devel-0.9.6-150300.3.9.1 as a component of openSUSE Leap 15.6 libpodofo0_9_6-0.9.6-150300.3.9.1 as a component of openSUSE Leap 15.6 podofo-0.9.6-150300.3.9.1 as a component of openSUSE Leap 15.6 An issue was discovered in PoDoFo 0.9.6. There is an attempted excessive memory allocation in PoDoFo::podofo_calloc in base/PdfMemoryManagement.cpp when called from PoDoFo::PdfPredictorDecoder::PdfPredictorDecoder in base/PdfFiltersPrivate.cpp. CVE-2018-20797 SUSE Linux Enterprise Module for Package Hub 15 SP5:libpodofo-devel-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:libpodofo0_9_6-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:podofo-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo-devel-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo0_9_6-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:podofo-0.9.6-150300.3.9.1 openSUSE Leap 15.5:libpodofo-devel-0.9.6-150300.3.9.1 openSUSE Leap 15.5:libpodofo0_9_6-0.9.6-150300.3.9.1 openSUSE Leap 15.5:podofo-0.9.6-150300.3.9.1 openSUSE Leap 15.6:libpodofo-devel-0.9.6-150300.3.9.1 openSUSE Leap 15.6:libpodofo0_9_6-0.9.6-150300.3.9.1 openSUSE Leap 15.6:podofo-0.9.6-150300.3.9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242137-1/ https://www.suse.com/security/cve/CVE-2018-20797.html CVE-2018-20797 https://bugzilla.suse.com/1127514 SUSE Bug 1127514 An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class in doc/PdfPagesTreeCache.cpp has an attempted excessive memory allocation because nInitialSize is not validated. CVE-2019-10723 SUSE Linux Enterprise Module for Package Hub 15 SP5:libpodofo-devel-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:libpodofo0_9_6-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:podofo-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo-devel-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo0_9_6-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:podofo-0.9.6-150300.3.9.1 openSUSE Leap 15.5:libpodofo-devel-0.9.6-150300.3.9.1 openSUSE Leap 15.5:libpodofo0_9_6-0.9.6-150300.3.9.1 openSUSE Leap 15.5:podofo-0.9.6-150300.3.9.1 openSUSE Leap 15.6:libpodofo-devel-0.9.6-150300.3.9.1 openSUSE Leap 15.6:libpodofo0_9_6-0.9.6-150300.3.9.1 openSUSE Leap 15.6:podofo-0.9.6-150300.3.9.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242137-1/ https://www.suse.com/security/cve/CVE-2019-10723.html CVE-2019-10723 https://bugzilla.suse.com/1131544 SUSE Bug 1131544 PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. CVE-2019-9199 SUSE Linux Enterprise Module for Package Hub 15 SP5:libpodofo-devel-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:libpodofo0_9_6-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:podofo-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo-devel-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:libpodofo0_9_6-0.9.6-150300.3.9.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:podofo-0.9.6-150300.3.9.1 openSUSE Leap 15.5:libpodofo-devel-0.9.6-150300.3.9.1 openSUSE Leap 15.5:libpodofo0_9_6-0.9.6-150300.3.9.1 openSUSE Leap 15.5:podofo-0.9.6-150300.3.9.1 openSUSE Leap 15.6:libpodofo-devel-0.9.6-150300.3.9.1 openSUSE Leap 15.6:libpodofo0_9_6-0.9.6-150300.3.9.1 openSUSE Leap 15.6:podofo-0.9.6-150300.3.9.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242137-1/ https://www.suse.com/security/cve/CVE-2019-9199.html CVE-2019-9199 https://bugzilla.suse.com/1127855 SUSE Bug 1127855