Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1yY3J4LWZwanAtbWZyd84AAvq7

Unchecked Return Value to NULL Pointer Dereference in PDFDocumentHandler.cpp

Impact

The package muhammara before 2.6.0; all versions of package hummus are vulnerable to Denial of Service (DoS) when supplied with a maliciously crafted PDF file to be appended to another.

Patches

It has been patched in 2.6.0 for muhammara and not at all for hummus

Workarounds

Do not process files from untrusted sources

References

PR: https://github.com/julianhille/MuhammaraJS/pull/194 Issue: https://github.com/julianhille/MuhammaraJS/issues/191 Issue in hummus: https://github.com/galkahana/HummusJS/issues/293

Outline differences to https://nvd.nist.gov/vuln/detail/CVE-2022-25892

The difference is one is in src/deps/PDFWriter/PDFParser.cpp and the other is PDFDocumentHandler.cpp both is a null pointer but for different cases These are totally diffent issues, one is in reading a pdf the other is in appendending a maliciously crafted one. The function calls are different the versions in which they are solved are diffent.

Permalink: https://github.com/advisories/GHSA-rcrx-fpjp-mfrw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yY3J4LWZwanAtbWZyd84AAvq7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 8 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-rcrx-fpjp-mfrw, CVE-2022-39381
References:

• https://github.com/julianhille/MuhammaraJS/security/advisories/GHSA-rcrx-fpjp-mfrw
• https://github.com/galkahana/HummusJS/issues/293
• https://github.com/julianhille/MuhammaraJS/issues/191
• https://github.com/julianhille/MuhammaraJS/pull/194
• https://github.com/galkahana/HummusJS/commit/a9bf2520ab5abb69f9328906e406fbebfb36159a
• https://nvd.nist.gov/vuln/detail/CVE-2022-39381
• https://github.com/advisories/GHSA-rcrx-fpjp-mfrw

Affected Packages