CVE-2023-46049

Name of the Vulnerable Software and Affected Versions LLVM version 15.0.0

Description The issue is related to a NULL pointer dereference in the parseOneMetadata() function. This can be triggered via a crafted pdflatex.fmt file or possibly a crafted .o file to llvm-lto. However, the relationship between pdflatex.fmt and any LLVM language front end is not clearly explained, and some consider a crash of the llvm-lto application to be a usability problem rather than a security issue.

Recommendations For LLVM version 15.0.0, as a temporary workaround, consider disabling the parseOneMetadata() function until a patch is available. Restrict access to crafted files that could trigger this issue to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.