A flaw was found in Poppler 0.72.0. A reachable Object::getString assertion allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c.

References: https://gitlab.freedesktop.org/poppler/poppler/issues/703

Upstream Patch: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/146
Created mingw-poppler tracking bugs for this issue:
Affects: fedora-all [bug 1665261]

Created poppler tracking bugs for this issue:
Affects: fedora-all [bug 1665260]
Unable to reproduce this on Red Hat Enterprise Linux 5, 6 or 7.

```
pdfdetach -save 1 poc1.pdf
Syntax Error: End of file inside dictionary
Syntax Warning: No valid XRef size in trailer
Syntax Error: Bad bounding box for annotation
Command Line Error: Invalid file number
```
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:2713 https://access.redhat.com/errata/RHSA-2019:2713
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-20551