Canonical’s Ubuntu Security Team has announced fixes for multiple vulnerabilities affecting the PoDoFo library, a popular PDF manipulation library, in several versions of Ubuntu.
PoDoFo is an open-source C++ library for working with the Portable Document Format (PDF). It provides functionality for manipulating PDF files, such as reading, writing, and modifying them.
The advisory, identified as USN-7217-1, addresses flaws that an attacker could exploit through a crafted PDF file to crash applications that use the library or, in some cases, execute arbitrary code.
The vulnerabilities impact the following Ubuntu releases and their derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Vulnerability Details
Several vulnerabilities were discovered in the PoDoFo library, affecting various Ubuntu versions, which could potentially lead to denial of service (DoS), buffer overflows, or arbitrary code execution when handling crafted PDF files.
CVE-2018-11255 is a NULL pointer dereference: PoDoFo could dereference a NULL pointer when retrieving the number of pages in a PDF, leading to a denial of service. This affects Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS.
CVE-2018-12983 concerns improper memory handling during encryption key computation, potentially causing a buffer overflow and resulting in a denial of service. This issue affects all of the listed Ubuntu releases.
CVE-2018-20797 involves improper memory allocation, leading to a denial of service when a crafted PDF is opened. It affects Ubuntu 18.04 LTS, 20.04 LTS, and 22.04 LTS.
CVE-2018-5308 concerns improper validation of memcpy arguments, which could lead to a denial of service or arbitrary code execution. This vulnerability is present in Ubuntu 14.04 LTS and 16.04 LTS.
CVE-2017-5886 is a buffer overflow in the GetNextToken function, potentially causing a denial of service. This affects only Ubuntu 16.04 LTS.
CVE-2018-8002, CVE-2020-18971, CVE-2021-30470, and CVE-2021-30471 involve an infinite loop that could lead to a stack overflow, causing a denial of service or arbitrary code execution. These affect Ubuntu 20.04 LTS and 22.04 LTS.
Finally, CVE-2019-10723 involves invalid memory allocation due to an unvalidated nInitialSize value, which could also lead to a denial of service. This issue affects Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS.
It is recommended that users of affected Ubuntu versions update their systems immediately to patch these critical vulnerabilities.
The PoDoFo library was found to contain several critical vulnerabilities, including:
CVE ID | Vulnerability Description | Affected Ubuntu Versions | Impact |
---|---|---|---|
CVE-2018-11255 | NULL pointer dereference when retrieving the page count of a crafted PDF. | 14.04, 16.04, 18.04, 20.04 | Denial of Service (DoS) |
CVE-2018-12983 | Buffer overflow during encryption key computation. | 14.04, 16.04, 18.04, 20.04, 22.04 | Denial of Service (DoS) |
CVE-2018-20797 | Improper memory allocation when opening a crafted PDF. | 18.04, 20.04, 22.04 | Denial of Service (DoS) |
CVE-2018-5308 | Invalid memcpy argument handling via malicious PDFs. | 14.04, 16.04 | DoS or Arbitrary Code Execution |
CVE-2017-5886 | Buffer overflow in the GetNextToken function. | 16.04 | Denial of Service (DoS) |
CVE-2018-8002, CVE-2020-18971, CVE-2021-30470, CVE-2021-30471 | Infinite loop leading to stack overflow. | 20.04, 22.04 | DoS or Arbitrary Code Execution |
CVE-2019-10723 | Invalid memory allocation due to an unvalidated nInitialSize value. | 14.04, 16.04, 18.04, 20.04 | Denial of Service (DoS) |
If a user or application is tricked into opening a maliciously crafted PDF file, an attacker could exploit these vulnerabilities to cause a denial of service (a crash or hang) or, for some of them, execute arbitrary code with the privileges of the process that opened the file. This could lead to system crashes or a compromise of sensitive data.
Fixes and Updates
Canonical recommends updating to the fixed package versions to mitigate the risks. All of the fixed versions carry the ~esm suffix, meaning they are published through Ubuntu Pro's Expanded Security Maintenance (ESM) repositories rather than the standard archive.
Fixed Package Versions:
Ubuntu Version | Fixed Package Version |
---|---|
Ubuntu 22.04 LTS | libpodofo0.9.7 and libpodofo-utils 0.9.7+dfsg-3ubuntu0.1~esm1 |
Ubuntu 20.04 LTS | 0.9.6+dfsg-5ubuntu0.1~esm1 |
Ubuntu 18.04 LTS | 0.9.5-9ubuntu0.1~esm1 |
Ubuntu 16.04 LTS | 0.9.3-4ubuntu0.1~esm1 |
Ubuntu 14.04 LTS | 0.9.0-1.2ubuntu0.1~esm3 |
Users can apply the updates using the system’s standard software update tools.
Canonical advises users to perform a system update with the following command to ensure all patches are applied:
sudo apt-get update && sudo apt-get upgrade
Because every fixed version listed above is an ~esm build, these updates are only delivered to systems with Ubuntu Pro attached, including on 22.04 LTS; a plain apt upgrade on an unattached system will not pull them in. Running pro status shows whether the subscription and the ESM repositories are enabled. Ubuntu Pro also extends the support period for the older LTS releases, allowing legacy systems to keep receiving security fixes.
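Because the fix only counts once the installed package has reached the ~esm version, it is worth verifying that rather than trusting that the upgrade ran. Doing that correctly requires dpkg's version-ordering rules, in particular that a ~ suffix sorts before the bare revision (so 0.9.7+dfsg-3ubuntu0.1~esm1 is newer than 0.9.7+dfsg-3 but older than 0.9.7+dfsg-3ubuntu0.1). The script below is an added example, not code from Canonical or the PoDoFo project: it reimplements dpkg's comparison algorithm, encodes the fixed versions from the table above, optionally asks dpkg-query for the installed version of libpodofo-utils, and reports patched or vulnerable. The sample installed versions at the bottom are constructed; the package name libpodofo-utils comes from the 22.04 row of the table.

```python
# Added example: check an installed libpodofo version against the USN-7217-1 fixes.
# Fixed versions are taken from the advisory table; sample inputs are constructed.
import shutil
import subprocess

FIXED_VERSIONS = {
    "22.04": "0.9.7+dfsg-3ubuntu0.1~esm1",
    "20.04": "0.9.6+dfsg-5ubuntu0.1~esm1",
    "18.04": "0.9.5-9ubuntu0.1~esm1",
    "16.04": "0.9.3-4ubuntu0.1~esm1",
    "14.04": "0.9.0-1.2ubuntu0.1~esm3",
}


def _char_order(c):
    """dpkg's character weight: '~' sorts before everything, even end of string;
    letters sort before other punctuation; digits are handled as numeric runs."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _fragment_cmp(a, b):
    """Compare an upstream version or Debian revision like dpkg's verrevcmp():
    alternate non-digit runs (weighted lexical) and digit runs (numeric)."""
    def at(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _char_order(at(a, i)), _char_order(at(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while at(a, i) == "0":  # leading zeros are insignificant
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if at(a, i).isdigit():
            return 1   # a's number has more digits, so it is larger
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b (dpkg ordering)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _fragment_cmp(ua, ub) or _fragment_cmp(ra, rb)
    return (r > 0) - (r < 0)


def is_patched(release, installed):
    """True when the installed version is at or above the USN-7217-1 fix for that release."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


def installed_version(package):
    """Ask dpkg for the installed version; None if dpkg-query or the package is absent."""
    if shutil.which("dpkg-query") is None:
        return None
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", package],
                             capture_output=True, text=True, check=True).stdout.strip()
    except subprocess.CalledProcessError:
        return None
    return out or None


if __name__ == "__main__":
    # Constructed sample: a 22.04 host before and after the ESM update.
    for ver in ("0.9.7+dfsg-3", "0.9.7+dfsg-3ubuntu0.1~esm1"):
        state = "patched" if is_patched("22.04", ver) else "VULNERABLE"
        print(f"22.04 libpodofo-utils {ver}: {state}")
    live = installed_version("libpodofo-utils")
    if live:
        print(f"installed libpodofo-utils on this host: {live}")
```

The release key passed to is_patched should come from /etc/os-release (VERSION_ID) on the host being checked; the comparison deliberately does not use string ordering, which would rank the ~esm1 build below 0.9.7+dfsg-3 and report a patched host as vulnerable.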