[xpdf] <4.0.2 Multiple memory corruption issues, CVE-2019-16927
Arch Linux currently ships xpdf 4.01.01-2.
Upstream has released xpdf 4.0.2, fixing a large number of memory corruption issues. The latest of those issues has been assigned CVE-2019-16927, but that one seems to be just the tip of the iceberg. Sadly, the shortened release notes on upstream's internet site don't contain any information whatsoever about security-relevant changes, but at least you can find them in the CHANGES file inside the source code tarball.
MITRE hasn't yet assigned a CVSS rating, but the German government's Federal Office for Information Security considers the CVE's severity "high" and claims it allows a remote attacker to execute malicious code with the victim user's privileges: