Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0755 to the following vulnerability:

Name: CVE-2009-0755
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0755
Assigned: 20090303
Reference: MLIST:[oss-security] 20090213 CVE Request: Poppler -Two Denial of Service Vulnerabilities
Reference: URL: http://www.openwall.com/lists/oss-security/2009/02/13/1
Reference: MLIST:[oss-security] 20090219 Re: CVE Request: Poppler -Two Denial of Service Vulnerabilities
Reference: URL: http://www.openwall.com/lists/oss-security/2009/02/19/2
Reference: MLIST:[poppler] 20090128 poppler/Form.cc
Reference: URL: http://lists.freedesktop.org/archives/poppler/2009-January/004406.html
Reference: CONFIRM: http://bugs.freedesktop.org/show_bug.cgi?id=19790
Reference: SECUNIA:33853
Reference: URL: http://secunia.com/advisories/33853

The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4 allows remote attackers to cause a denial of service (crash) via a PDF file with an invalid Form Opt entry.
Upstream commit is:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=1fc342eadcbbb41302f190b215c5daf23c9ec9b1

This causes an out-of-bounds read and crash.

Affected code is not part of poppler shipped in Red Hat Enterprise Linux 5, any xpdf version (including latest upstream 3.02pl3), or any other xpdf-based reader shipped in Red Hat Enterprise Linux 3, 4, or 5.

Fedora 11 and later currently include poppler 0.10.5 or later, which already contains the fix. This flaw only exists in Fedora 10 at the moment. So possible candidate for inclusion in future F10 poppler update, if any.
As noted above, this currently only affects the poppler version in F10. As F10 will reach EOL soon and no other poppler update is planned for a more important bug or security fix, this will remain unfixed in F10.