Fluid Attacks Database

Description

A stack-based buffer over-read exists in FoFiTrueType::dumpString in fofi/FoFiTrueType.cc in Xpdf 4.01.01. It can, for example, be triggered by sending crafted TrueType data in a PDF document to the pdftops tool. It might allow an attacker to cause Denial of Service or leak memory data into dump content.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	poppler	>=0 <0.38.0-2	0.38.0-2
debian 14	poppler	>=0 <0.38.0-2	0.38.0-2
debian 11	poppler	>=0 <0.38.0-2	0.38.0-2
debian 12	poppler	>=0 <0.38.0-2	0.38.0-2
rpm rhel5	poppler	-	-
rpm rhel6	poppler	-	-
rpm rhel7	poppler	-	-

Aliases

1. CVE-2019-123602. NVD-2019-123603. OSV-DEBIAN-2019-123604. OSV-2019-123605. SECURITY-TRACKER-CVE-2019-12360

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.