Critical vulnerability in libpoppler PDF rendering library
The Open Source Computer Emergency Response Team (oCERT) has warned of a critical vulnerability in open source PDF rendering library libpoppler. The library, which arose as a fork of xpdf 3.0, is used by PDF viewers including Evince, ePDFView and Okular. A memory management error when initialising the pageWidget object makes it possible to inject code onto a system using crafted PDF files and execute the code with the user's privileges.
All versions up to and including 0.8.4 are vulnerable. A source code patch to fix the problem is available. Some Linux distributors have already released updated packages. An official libpoppler update is scheduled for the end of July.
See also:
- libpoppler uninitialized pointer, Advisory from oCERT
- Poppler <= 0.8.4 libpoppler uninitialized pointer Code Execution PoC, Report from Felipe Andres Manzano
(trk)