Bugzilla – Bug 1127514
VUL-1: CVE-2018-20797: podofo: excessive memory allocation in PoDoFo:podofo_calloc in base/PdfMemoryManagement.cpp
Last modified: 2024-06-21 15:35:49 UTC
An issue was discovered in PoDoFo 0.9.6. There is an attempted excessive memory allocation in PoDoFo::podofo_calloc in base/PdfMemoryManagement.cpp when called from PoDoFo::PdfPredictorDecoder::PdfPredictorDecoder in base/PdfFiltersPrivate.cpp. References: https://bugzilla.redhat.com/show_bug.cgi?id=1683914 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20797 https://sourceforge.net/p/podofo/tickets/34/
According to the git history the affected lines first apepared with commit 09db7d9b and they are not in our sources (based on 0.9.2). Therefor SLE-12 is not affected, Leap probably is.
https://build.opensuse.org/request/show/974857
I just submitted the fix to SP3 in https://build.suse.de/request/show/336305
SUSE-SU-2024:2137-1: An update that solves three vulnerabilities can now be installed. Category: security (moderate) Bug References: 1127514, 1127855, 1131544 CVE References: CVE-2018-20797, CVE-2019-10723, CVE-2019-9199 Maintenance Incident: [SUSE:Maintenance:34443](https://smelt.suse.de/incident/34443/) Sources used: openSUSE Leap 15.3 (src): podofo-0.9.6-150300.3.9.1 openSUSE Leap 15.5 (src): podofo-0.9.6-150300.3.9.1 openSUSE Leap 15.6 (src): podofo-0.9.6-150300.3.9.1 SUSE Package Hub 15 15-SP5 (src): podofo-0.9.6-150300.3.9.1 SUSE Package Hub 15 15-SP6 (src): podofo-0.9.6-150300.3.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.