New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
invalid memory access in GfxIndexedColorSpace::mapColorToBase( ) #46
Comments
|
@kermitt2 @lfoppiano There's this CVE https://nvd.nist.gov/vuln/detail/CVE-2019-9878?cpeVersion=2.2 I asked Derek of Xpdf and told me that it was fixed in version 4.0.1. The last version is 4.0.2 and pdf-alto uses 4.0.0 if I'm not wrong. Is it possible to rebuild pdf-alto with this fixes of the new version and include the binaries in Grobid to avoid this security issues? |
|
@diegomon Can you point to where it shows that 4.01 fixes this issue? Looking at the changelog I see 7 different vulns, all with CVE-2018 assignments, but no mention of this issue. I think the solution was probably 4.01.01 instead, and suspect this may have been fixed based on wording and the fix coming a day after this bug report: 4.01.01 (2019-mar-14)Fixed a missing array bounds check in PSOutputDev. [Thanks to If anyone could confirm that would be great! |
|
@attritionorg This is the answer of Derek of xpdf when I asked about the CVE The relevant change was this (in two places):
On Wed, 22 Apr 2020 06:47:17 +0000, Diego Moncayo
|
|
Updated to xpdf-4.03, which solves this issue. |
Description - we observed a invalid memory access in function GfxIndexedColorSpace::mapColorToBase( ) located in GfxState.cc .The same be triggered by sending a crafted pdf file to the pdfalto binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Command - : ./pdfalto -f 1 -l 2 -noText -noImage -outline -annotation -cutPages -blocks -readingOrder -ocr -fullFontName $POC
POC - REPRODUCER
Degub -
The text was updated successfully, but these errors were encountered: