[Poppler-bugs] [Bug 91414] New: Vulnerabilities report on libpoppler 0.18.4

bugzilla-daemon at freedesktop.org
Tue Jul 21 07:57:39 PDT 2015


https://bugs.freedesktop.org/show_bug.cgi?id=91414

            Bug ID: 91414
           Summary: Vulnerabilities report on libpoppler 0.18.4
           Product: poppler
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: general
          Assignee: poppler-bugs at lists.freedesktop.org
          Reporter: vulns.bfs at ssi.gouv.fr

Created attachment 117276
  --> https://bugs.freedesktop.org/attachment.cgi?id=117276&action=edit
detailed vulnerabilities report and proof of concept files

Hi,

On behalf of the CERT-FR (CERT of the ANSSI, French Network and Information
Security Agency), I'd like to report several vulnerabilities or defects on
libpoppler. These problems were identified by Guillaume Endignoux during his
internship at the ANSSI, under the supervision of Olivier Levillain.

Guillaume has crafted several PDF files from the specification
(sample-pdf-files.tgz in poppler-report.zip). When opened with Evince, specific
files will cause a crash or an infinite loop. We did not investigate further to
determine if the crashes were exploitable.

As we think that these problems lie in libpoppler, we thought that it would be
more useful to contact you directly instead of Evince's maintainer.

If you can confirm to us that the defects described in
20150716_Vulnerability_Evince_export_v1.pdf will be handled as vulnerabilities
from your side, we will then contact the MITRE to request CVE identifiers.

Do not hesitate to get back to me if you need further information on this
report.


Best regards,
--
Julien Perrot
Vulnerabilities and signatures unit
ANSSI
