1093076 – (CVE-2018-11033) VUL-1: CVE-2018-11033: xpdf: The DCTStream::readHuffSym function in Stream.cc in the DCT decoder in xpdfbefore 4.00 allows remote attackers to cause a denial of service (applicationcrash) or possibly have unspecified other impact via craf

Bug 1093076 (CVE-2018-11033) - VUL-1: CVE-2018-11033: xpdf: The DCTStream::readHuffSym function in Stream.cc in the DCT decoder in xpdfbefore 4.00 allows remote attackers to cause a denial of service (applicationcrash) or possibly have unspecified other impact via craf

Summary: VUL-1: CVE-2018-11033: xpdf: The DCTStream::readHuffSym function in Stream.cc...

Status:	RESOLVED FIXED

Alias:	CVE-2018-11033

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/205740/
Whiteboard:	CVSSv3:SUSE:CVE-2018-11033:3.3:(AV:L...
Keywords:

Depends on:
Blocks:	1133493
	Show dependency tree / graph

Clone This Bug

Reported:	2018-05-14 07:58 UTC by Karol Babioch
Modified:	2023-03-24 11:46 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Karol Babioch 2018-05-14 07:58:26 UTC

CVE-2018-11033

The DCTStream::readHuffSym function in Stream.cc in the DCT decoder in xpdf
before 4.00 allows remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via crafted JPEG data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11033
https://forum.xpdfreader.com/viewtopic.php?f=3&t=40842

Comment 1 Karol Babioch 2018-05-14 07:59:12 UTC

Versions < 4.00 are affected. This boils down to the following codestreams for us:

- SUSE:SLE-10-SP3:Update 
- SUSE:SLE-11:Update

Comment 2 Peter Simons 2018-06-21 08:34:01 UTC

I cannot identify the changeset that fixes this issue. xpdf does not publish its source code some version control system, so all we have are release tarballs that contain many different changes mixed up with each other. I searched the 4.00 release for the bug number, the CVE number, and for various keywords that I thought might be used to describe this issue, but I cannot find any clue that would allow me to derive an applicable patch to fix this issue. Upstream provides no helpful information in their web forum either.

Comment 3 Carlos López 2023-03-24 11:46:04 UTC

xpdf unsupported, closing.