A reachable Object::dictLookup assertion in Poppler 0.72.0 allows attackers to cause a denial of service due to the lack of a check for the dict data type, as demonstrated by use of the FileSpec class (in FileSpec.cc) in pdfdetach.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| https://gitlab.freedesktop.org/poppler/poppler/issues/704 | patch third party advisory issue tracking |
| https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7 | third party advisory patch |
| http://www.securityfocus.com/bid/106459 | third party advisory vdb entry |
| https://usn.ubuntu.com/3865-1/ | third party advisory vendor advisory |
| https://access.redhat.com/errata/RHSA-2019:2022 | third party advisory vendor advisory |
| https://access.redhat.com/errata/RHSA-2019:2713 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2019/09/msg00033.html | third party advisory mailing list |
| https://lists.debian.org/debian-lts-announce/2020/11/msg00014.html | third party advisory mailing list |
| https://lists.debian.org/debian-lts-announce/2022/09/msg00030.html | third party advisory mailing list |