Arch Linux Security Advisory ASA-202101-3 ========================================= Severity: High Date : 2021-01-04 CVE-ID : CVE-2020-35702 Package : poppler Type : arbitrary code execution Remote : No Link : https://security.archlinux.org/AVG-1382 Summary ======= The package poppler before version 21.01.0-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 21.01.0-1. # pacman -Syu "poppler>=21.01.0-1" The problem has been fixed upstream in version 21.01.0. Workaround ========== None. Description =========== DCTStream::getChars in DCTStream.cc in Poppler 20.12.1 has a heap-based buffer overflow via a crafted PDF document. Impact ====== An attacker might be able to execute arbitrary code via a crafted PDF document. References ========== https://gitlab.freedesktop.org/poppler/poppler/-/issues/1011 https://gitlab.freedesktop.org/poppler/poppler/uploads/8455cee26a313a3a0174a01e4ec80e33/poc https://gitlab.freedesktop.org/poppler/poppler/-/commit/ae614bf8ab42c9d0c7ac57ecdfdcbcfc4ff6c639 https://security.archlinux.org/CVE-2020-35702