Bug 1180397 - (CVE-2020-35702) VUL-1: CVE-2020-35702: poppler: DCTStream:getChars has a heap-based buffer overflow via a crafted PDF document
(CVE-2020-35702)
VUL-1: CVE-2020-35702: poppler: DCTStream:getChars has a heap-based buffer ov...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/274023/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-12-28 10:19 UTC by Wolfgang Frisch
Modified: 2020-12-28 10:22 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-12-28 10:19:10 UTC
CVE-2020-35702

DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer
overflow via a crafted PDF document.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35702
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1011
Comment 1 Wolfgang Frisch 2020-12-28 10:22:54 UTC
The bug was introduced with commit f1c3ded779582aef5f2cbaf29bc5da7a8eae6f69 (2 weeks ago). This commit is not present in any released version.

SUSE:SLE-11-SP1:Update  Not affected
SUSE:SLE-12:Update      Not affected
SUSE:SLE-12-SP2:Update  Not affected
SUSE:SLE-15:Update      Not affected
SUSE:SLE-15-SP2:Update  Not affected
openSUSE:Factory        Not affected