Discovered by Aleksandar Nikolic of Cisco Talos
Cisco Talos is releasing details of a new vulnerability in Google PDFium’s JBIG2 library. An exploitable heap out-of-bounds read vulnerability exists in the JBIG2-parsing code in Google Chrome, version 67.0.3396.99. A specially crafted PDF document can trigger the out-of-bounds read, which can possibly lead to an information leak. That leak could be used as part of an exploit. An attacker needs to trick the user into visiting a malicious site to trigger the vulnerability.
In accordance with our coordinated disclosure policy, Cisco Talos has worked with Google to ensure that these issues have been resolved and that an update has been made available for affected users. We recommend applying this update as quickly as possible so that systems are no longer affected by this vulnerability.