Fluid Attacks Database

Description

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	poppler	>=0 <22.08.0-2.1	22.08.0-2.1
debian 11	poppler	=20.09.0-3.1 \|\| >=0 <20.09.0-3.1+deb11u1	20.09.0-3.1+deb11u1
debian 12	poppler	>=0 <22.08.0-2.1	22.08.0-2.1
debian 14	poppler	>=0 <22.08.0-2.1	22.08.0-2.1
rpm rhel7	compat-poppler022	-	-
rpm rhel6	poppler	-	-
rpm rhel7	poppler	-	-
rpm rhel8	poppler	<0:20.11.0-6.el8	0:20.11.0-6.el8
rpm rhel9	poppler	<0:21.01.0-14.el9	0:21.01.0-14.el9

Aliases

1. CVE-2022-387842. NVD-2022-387843. OSV-DEBIAN-2022-387844. OSV-2022-387845. SECURITY-TRACKER-CVE-2022-38784

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.