Poppler GooString.h NULL Pointer Dereference Denial of Service Vulnerability



A vulnerability in the GooString.h source code file of Poppler could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists because the filenames of embedded files are insufficiently validated before a save path is constructed, which could cause a NULL pointer dereference condition in the GooString.h source code file of the affected software. An attacker could exploit this vulnerability by persuading a user to access an embedded file that submits malicious input to the targeted system. A successful exploit could cause a NULL pointer dereference condition, which could result in a DoS condition.
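The class of defect described above, shown as an added illustration that is not Poppler's code or its patch: a save path built from an embedded file's name without checking that the name exists, next to a checked version. The function names and the `/tmp/out` directory are hypothetical, and the checked version goes beyond the NULL case by also rejecting names that are not a single path component.

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Unchecked pattern: if name is nullptr (the document supplied no filename),
// the concatenation reads through the null pointer and the process crashes.
std::string buildSavePathUnchecked(const std::string &dir, const char *name) {
    return dir + "/" + name;
}

// Checked pattern: refuse to build a path unless the name is usable.
// Returns false and leaves 'out' untouched on rejection.
bool buildSavePath(const std::string &dir, const char *name, std::string &out) {
    if (name == nullptr || name[0] == '\0') {
        return false;                       // missing or empty filename
    }
    if (std::strpbrk(name, "/\\") != nullptr) {
        return false;                       // name must be a single path component
    }
    if (std::strcmp(name, ".") == 0 || std::strcmp(name, "..") == 0) {
        return false;                       // directory references are not filenames
    }
    out = dir + "/" + name;
    return true;
}

int main() {
    // Constructed sample inputs; nullptr models an embedded file with no name.
    const char *samples[] = {"report.txt", nullptr, "", "../escape", ".."};
    for (const char *s : samples) {
        std::string path;
        if (buildSavePath("/tmp/out", s, path)) {
            std::cout << "save to " << path << "\n";
        } else {
            std::cout << "skipped entry with unusable filename\n";
        }
    }
    return 0;
}
```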

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

Poppler has confirmed the vulnerability and released a software patch.

Security Impact Rating: Low

CVE: CVE-2018-19060

Source: Cisco Multivendor Vulnerability Alerts