ALAS2023-2023-289

Amazon Linux 2023 Security Advisory: ALAS-2023-289
Advisory Release Date: 2023-08-03 20:26 Pacific
Advisory Updated Date: 2023-08-09 23:15 Pacific
Severity: Medium
Issue Overview:

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf. (CVE-2022-38784)


Affected Packages:

poppler


Issue Correction:
Run dnf update poppler --releasever 2023.1.20230809 to update your system.

New Packages:
aarch64:
    poppler-debuginfo-22.08.0-3.amzn2023.0.1.aarch64
    poppler-cpp-debuginfo-22.08.0-3.amzn2023.0.1.aarch64
    poppler-glib-devel-22.08.0-3.amzn2023.0.1.aarch64
    poppler-glib-22.08.0-3.amzn2023.0.1.aarch64
    poppler-glib-debuginfo-22.08.0-3.amzn2023.0.1.aarch64
    poppler-devel-22.08.0-3.amzn2023.0.1.aarch64
    poppler-22.08.0-3.amzn2023.0.1.aarch64
    poppler-utils-debuginfo-22.08.0-3.amzn2023.0.1.aarch64
    poppler-cpp-devel-22.08.0-3.amzn2023.0.1.aarch64
    poppler-cpp-22.08.0-3.amzn2023.0.1.aarch64
    poppler-utils-22.08.0-3.amzn2023.0.1.aarch64
    poppler-debugsource-22.08.0-3.amzn2023.0.1.aarch64

noarch:
    poppler-glib-doc-22.08.0-3.amzn2023.0.1.noarch

src:
    poppler-22.08.0-3.amzn2023.0.1.src

x86_64:
    poppler-cpp-debuginfo-22.08.0-3.amzn2023.0.1.x86_64
    poppler-cpp-devel-22.08.0-3.amzn2023.0.1.x86_64
    poppler-debugsource-22.08.0-3.amzn2023.0.1.x86_64
    poppler-utils-22.08.0-3.amzn2023.0.1.x86_64
    poppler-glib-debuginfo-22.08.0-3.amzn2023.0.1.x86_64
    poppler-debuginfo-22.08.0-3.amzn2023.0.1.x86_64
    poppler-devel-22.08.0-3.amzn2023.0.1.x86_64
    poppler-cpp-22.08.0-3.amzn2023.0.1.x86_64
    poppler-glib-devel-22.08.0-3.amzn2023.0.1.x86_64
    poppler-22.08.0-3.amzn2023.0.1.x86_64
    poppler-utils-debuginfo-22.08.0-3.amzn2023.0.1.x86_64
    poppler-glib-22.08.0-3.amzn2023.0.1.x86_64

Additional References

Red Hat: CVE-2022-38784

Mitre: CVE-2022-38784