Source: libpodofo
Version: 0.9.6+dfsg-3
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for libpodofo.

CVE-2018-14320[0]:
| This vulnerability allows remote attackers to disclose sensitive
| information on vulnerable installations of PoDoFo. User interaction is
| required to exploit this vulnerability in that the target must visit a
| malicious page or open a malicious file. The specific flaw exists
| within PdfEncoding::ParseToUnicode. The issue results from the lack of
| proper validation of user-supplied data, which can result in a memory
| corruption condition. An attacker can leverage this in conjunction
| with other vulnerabilities to execute arbitrary code in the context of
| the current process. Was ZDI-CAN-5673.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14320
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14320
[1] https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
[2] https://sourceforge.net/p/podofo/code/1953

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore