CVE-2020-9549: 
Linux Debian vulnerability analysis and mitigation

In PDFResurrect versions 0.12 through 0.19, a vulnerability was discovered in the get_type function within pdf.c that allows for an out-of-bounds write via a crafted PDF document. The vulnerability was assigned CVE-2020-9549 and was disclosed on March 2, 2020. The issue affects the PDFResurrect tool, which is used for extracting versioning data from PDF documents (NVD, Ubuntu).

The vulnerability occurs in the get_type() function in pdf.c where if the buffer (buf) does not contain one of the expected terminating characters (whitespace, /, >), the pointer 'c' can point to an address outside the buffer, causing a null byte to be written out-of-bounds. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required (GitHub Issue).

The vulnerability can lead to out-of-bounds writes, potentially resulting in a denial of service (system crash) or arbitrary code execution. While benign examples may cause read operations to segfault, carefully crafted input could lead to more severe out-of-bounds write operations (Ubuntu Notice).

Various Linux distributions have released patches to address this vulnerability. Ubuntu has provided fixes across multiple versions: Ubuntu 20.04 LTS (0.19-1ubuntu0.1~esm1), Ubuntu 18.04 LTS (0.14-1ubuntu0.1~esm1), and Ubuntu 16.04 LTS (0.12-6ubuntu0.2). Debian has also released security updates, with version 0.12-5+deb8u1 for Debian 8 'Jessie' (Debian Notice).