ALAS-2023-340

Amazon Linux 2023 Security Advisory: ALAS-2023-340
Advisory Release Date: 2023-08-31 21:47 Pacific
Advisory Updated Date: 2023-09-07 21:19 Pacific
Severity: Medium
Issue Overview:

An issue was discovered in Poppler 22.08.0. There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file. (CVE-2022-38349)


Affected Packages:

poppler


Issue Correction:
Run dnf update poppler --releasever 2023.1.20230906 to update your system.

New Packages:
aarch64:
    poppler-debuginfo-22.08.0-3.amzn2023.0.3.aarch64
    poppler-cpp-debuginfo-22.08.0-3.amzn2023.0.3.aarch64
    poppler-glib-devel-22.08.0-3.amzn2023.0.3.aarch64
    poppler-glib-debuginfo-22.08.0-3.amzn2023.0.3.aarch64
    poppler-devel-22.08.0-3.amzn2023.0.3.aarch64
    poppler-cpp-22.08.0-3.amzn2023.0.3.aarch64
    poppler-cpp-devel-22.08.0-3.amzn2023.0.3.aarch64
    poppler-utils-debuginfo-22.08.0-3.amzn2023.0.3.aarch64
    poppler-22.08.0-3.amzn2023.0.3.aarch64
    poppler-debugsource-22.08.0-3.amzn2023.0.3.aarch64
    poppler-glib-22.08.0-3.amzn2023.0.3.aarch64
    poppler-utils-22.08.0-3.amzn2023.0.3.aarch64

noarch:
    poppler-glib-doc-22.08.0-3.amzn2023.0.3.noarch

src:
    poppler-22.08.0-3.amzn2023.0.3.src

x86_64:
    poppler-cpp-devel-22.08.0-3.amzn2023.0.3.x86_64
    poppler-debuginfo-22.08.0-3.amzn2023.0.3.x86_64
    poppler-glib-debuginfo-22.08.0-3.amzn2023.0.3.x86_64
    poppler-cpp-22.08.0-3.amzn2023.0.3.x86_64
    poppler-cpp-debuginfo-22.08.0-3.amzn2023.0.3.x86_64
    poppler-utils-debuginfo-22.08.0-3.amzn2023.0.3.x86_64
    poppler-22.08.0-3.amzn2023.0.3.x86_64
    poppler-devel-22.08.0-3.amzn2023.0.3.x86_64
    poppler-utils-22.08.0-3.amzn2023.0.3.x86_64
    poppler-glib-devel-22.08.0-3.amzn2023.0.3.x86_64
    poppler-glib-22.08.0-3.amzn2023.0.3.x86_64
    poppler-debugsource-22.08.0-3.amzn2023.0.3.x86_64

Additional References

Red Hat: CVE-2022-38349

Mitre: CVE-2022-38349