Debian Bug report logs -
#854601
libpodofo: CVE-2017-5853 - Signed integer overflow in PdfParser.cpp
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>
:
Bug#854118
; Package libpodofo
.
(Sat, 04 Feb 2017 10:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Guido Günther <agx@sigxcpu.org>
:
New Bug report received and forwarded. Copy sent to Mattia Rizzolo <mattia@debian.org>
.
(Sat, 04 Feb 2017 10:51:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: libpodofo
Severity: serious
Tags: security
Hi,
the following vulnerabilities were published for libpodofo.
CVE-2015-8981[0]:
Heap overflow in the function ReadXRefSubsection
CVE-2017-5852[1]:
Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject
CVE-2017-5853[2]:
Signed integer overflow in PdfParser.cpp
CVE-2017-5854[3]:
NULL pointer dereference in PdfOutputStream.cpp
CVE-2017-5855[4]:
NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-8981
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8981
[1] https://security-tracker.debian.org/tracker/CVE-2017-5852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5852
[2] https://security-tracker.debian.org/tracker/CVE-2017-5853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5853
[3] https://security-tracker.debian.org/tracker/CVE-2017-5854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5854
[4] https://security-tracker.debian.org/tracker/CVE-2017-5855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5855
Please adjust the affected versions in the BTS as needed.
Severity set to 'important' from 'serious'
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org
.
(Wed, 08 Feb 2017 16:21:10 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org
.
(Wed, 08 Feb 2017 16:21:11 GMT) (full text, mbox, link).
Changed Bug title to 'libpodofo: CVE-2017-5853 - Signed integer overflow in PdfParser.cpp' from 'Multiple issues in libpodofo'.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org
.
(Wed, 08 Feb 2017 16:21:14 GMT) (full text, mbox, link).
Outlook recorded from message bug 854601 message
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org
.
(Wed, 08 Feb 2017 16:21:23 GMT) (full text, mbox, link).
Marked as fixed in versions 0.9.0-1.1+deb7u1.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org
.
(Sun, 30 Apr 2017 18:57:12 GMT) (full text, mbox, link).
Message sent on
to Guido Günther <agx@sigxcpu.org>
:
Bug#854601.
(Wed, 03 May 2017 09:51:08 GMT) (full text, mbox, link).
Message #24 received at 854601-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag 854601 pending
Hello,
Bug #854601 in libpodofo reported by you has been fixed in the Git repository. You can
see the commit message below, and you can check the diff of the fix at:
https://anonscm.debian.org/git/collab-maint/libpodofo.git/commit/?id=14c34ec
(this message was generated automatically based on the git commit message)
---
commit 14c34ec02223c7689f504b2428acf1170450e1a3
Author: Mattia Rizzolo <mattia@debian.org>
Date: Wed May 3 10:36:55 2017 +0200
Add upstream patch for CVE-2017-5853 and CVE-2017-6844
Closes: #854601, #856592
Signed-off-by: Mattia Rizzolo <mattia@debian.org>
Added tag(s) pending.
Request was from Mattia Rizzolo <mattia@debian.org>
to 854601-submitter@bugs.debian.org
.
(Wed, 03 May 2017 09:51:08 GMT) (full text, mbox, link).
Reply sent
to Mattia Rizzolo <mattia@debian.org>
:
You have taken responsibility.
(Wed, 03 May 2017 10:06:04 GMT) (full text, mbox, link).
Notification sent
to Guido Günther <agx@sigxcpu.org>
:
Bug acknowledged by developer.
(Wed, 03 May 2017 10:06:04 GMT) (full text, mbox, link).
Message #31 received at 854601-close@bugs.debian.org (full text, mbox, reply):
Source: libpodofo
Source-Version: 0.9.4-5
We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 854601@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 03 May 2017 11:41:19 +0200
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.4
Architecture: source
Version: 0.9.4-5
Distribution: unstable
Urgency: high
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
libpodofo-dev - PoDoFo development files
libpodofo-utils - PoDoFo utilities
libpodofo0.9.4 - PoDoFo - library to work with the PDF file format
Closes: 854601 854602 854604 856592 859331
Changes:
libpodofo (0.9.4-5) unstable; urgency=high
.
* Add upstream patch for security issues:
+ CVE-2017-5853 Closes: #854601
+ CVE-2017-6844 Closes: #856592
+ CVE-2017-5854 Closes: #854602
+ CVE-2017-5886 Closes: #854604
+ CVE-2017-7379 Closes: #859331
Checksums-Sha1:
efa896f42140fd0ac2e5cc36014a339cab5dad29 2119 libpodofo_0.9.4-5.dsc
6238655d640b0738601fd4f35fafd4f39d4ae60a 13308 libpodofo_0.9.4-5.debian.tar.xz
c0a2be46333e68a33bb4ccf60639480aadca9d9d 8325 libpodofo_0.9.4-5_amd64.buildinfo
Checksums-Sha256:
60de0684a1a38fff67e1c49bf49f55aec41167eb2cb5c3a4034cc4de063944ef 2119 libpodofo_0.9.4-5.dsc
fc150e0534bf808588350c8c6d82bec033481a7039dfbd28742033cc8eddc455 13308 libpodofo_0.9.4-5.debian.tar.xz
14ded71340b21dad144d906c0d58e34f7e6416de7abc2c913195fbb099614f08 8325 libpodofo_0.9.4-5_amd64.buildinfo
Files:
7f3a7c904e54eeb655044c8adb56d902 2119 libdevel extra libpodofo_0.9.4-5.dsc
a8a35d56d295eab92b7356bfcc378ea7 13308 libdevel extra libpodofo_0.9.4-5.debian.tar.xz
742c1b148d7356cc3c18eeb9f1fd6f4d 8325 libdevel extra libpodofo_0.9.4-5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAlkJpsgACgkQCBa54Yx2
K628GQ//dXA9Zo8CS2DoRRBRc3awfFH5WhMiU5urTB3fBWnpmSk28gSS7znHhAZQ
C5QJl9CSK2AHuU2lnYiIilCzWeJZD9gA5VOKNHqiSUnKUDrvgM/xIr3OHoXcl4ti
t5oEODgxFnSu1W5WEwR8ocSbC6oEt50CSGpa2ZFFSWYCGOxeiGjZblwvlsR1Fgh/
s/Yx4wUJ8HXjHhV9BuXlvh733QJ4SLuS0AR/gjykxQo1LdgcenP1VbrQANrvr/b1
mJMFwOhbc6DHdZ9KZbNuN+DZwAPUW1mpg6hJoj1HbfjHr0HV0pu2xHJxs41YIDwM
k5Ir5E/cq5H3tj/cqfW9VMedu4fPBYLqYtR+UDfSv1FJwuFZAhEq6RPaaXbeyRRg
GNRrkH6DCrKgebixct6MxcWXnN32BaSmaUg+HOgAQ06ei9z2YwB03CiSEL3mK0Dd
HX4XjBHZ3V/OUkOv9KlMYpyWwaVoM6E8TdCZZR4Zd5BHVnAQt7YbsQtGgaT5ZVdc
mR1hHvEPaYfaFjGgX/ifObeTsGwTu22IO/7ywIRHDh6j/OIjGoMlqTAechzqo20f
CeI/ksJMNJjD9LDrd9LoV2dLx1kbpurBfbTaz4aNKxH0zl1yK/Tk+4m7OgCt0RrW
e1i4KO/XOiM8cIpQtOqJjG/jNKnZGxCLKKZV8JuV9JNSiDCTThk=
=DN+/
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sat, 17 Jun 2017 07:24:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:40:25 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.