Bug 1140746 - (CVE-2019-13291) VUL-1: CVE-2019-13291: xpdf,poppler: In Xpdf 4.01.01, there is a heap-based buffer over-read in the function DCTStream::readScan() located at Stream.cc. It can, for example, be triggered by sending a crafted PDF document to the pdftops tool.
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Peter Simons
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/236469/
Whiteboard: CVSSv3:SUSE:CVE-2019-13291:3.9:(AV:L/...

Reported: 2019-07-08 15:38 UTC by Wolfgang Frisch
Modified: 2020-07-17 16:32 UTC
Found By: Security Response Team
Blocker: ---

Attachments
PoC: pdftops CVE-2019-13291--poc.pdf (4.47 KB, application/pdf), 2019-07-08 15:38 UTC, Wolfgang Frisch

Description Wolfgang Frisch 2019-07-08 15:38:36 UTC
Created attachment 809711
PoC: pdftops CVE-2019-13291--poc.pdf

CVE-2019-13291

In Xpdf 4.01.01, there is a heap-based buffer over-read in the function
DCTStream::readScan() located at Stream.cc. It can, for example, be triggered by
sending a crafted PDF document to the pdftops tool. It might allow an attacker
to cause Information Disclosure.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13291
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13291.html
http://www.cvedetails.com/cve/CVE-2019-13291/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13291
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41818