Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

libpodofo: CVE-2018-12983

Related Vulnerabilities: CVE-2018-12983  

Source

Debian Bug report logs - #916580
libpodofo: CVE-2018-12983

version graph

Package: src:libpodofo; Maintainer for src:libpodofo is Mattia Rizzolo <mattia@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 16 Dec 2018 09:57:01 UTC

Severity: important

Tags: security, upstream

Found in version libpodofo/0.9.6+dfsg-3

Forwarded to https://sourceforge.net/p/podofo/tickets/23

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#916580; Package src:libpodofo. (Sun, 16 Dec 2018 09:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>. (Sun, 16 Dec 2018 09:57:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpodofo: CVE-2018-12983
Date: Sun, 16 Dec 2018 10:53:26 +0100
Source: libpodofo
Version: 0.9.6+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/podofo/tickets/23

Hi,

The following vulnerability was published for libpodofo.

CVE-2018-12983[0]:
| A stack-based buffer over-read in the
| PdfEncryptMD5Base::ComputeEncryptionKey() function in PdfEncrypt.cpp in
| PoDoFo 0.9.6-rc1 could be leveraged by remote attackers to cause a
| denial-of-service via a crafted pdf file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12983
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12983
[1] https://sourceforge.net/p/podofo/tickets/23

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#916580; Package src:libpodofo. (Sun, 17 Mar 2019 19:39:08 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sun, 17 Mar 2019 19:39:09 GMT) (full text, mbox, link).

Message #10 received at 916580@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 916580@bugs.debian.org
Subject: Re: libpodofo: CVE-2018-12983
Date: Sun, 17 Mar 2019 20:36:50 +0100
On Sun, Dec 16, 2018 at 10:53:26AM +0100, Salvatore Bonaccorso wrote:
> Source: libpodofo
> Version: 0.9.6+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceforge.net/p/podofo/tickets/23
> 
> Hi,
> 
> The following vulnerability was published for libpodofo.
> 
> CVE-2018-12983[0]:
> | A stack-based buffer over-read in the
> | PdfEncryptMD5Base::ComputeEncryptionKey() function in PdfEncrypt.cpp in
> | PoDoFo 0.9.6-rc1 could be leveraged by remote attackers to cause a
> | denial-of-service via a crafted pdf file.

> [1] https://sourceforge.net/p/podofo/tickets/23

The ticket has a proposed patch, could you ping upstream to review/merge it?

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#916580; Package src:libpodofo. (Sun, 17 Mar 2019 21:09:06 GMT) (full text, mbox, link).

Message #13 received at 916580@bugs.debian.org (full text, mbox, reply):

From: Mattia Rizzolo <mattia@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 916580@bugs.debian.org
Subject: Re: Bug#916580: libpodofo: CVE-2018-12983
Date: Sun, 17 Mar 2019 22:05:47 +0100
[Message part 1 (text/plain, inline)]
On Sun, Mar 17, 2019 at 08:36:50PM +0100, Moritz Mühlenhoff wrote:
> > [1] https://sourceforge.net/p/podofo/tickets/23
> 
> The ticket has a proposed patch, could you ping upstream to review/merge it?

No, because the one who proposed that patch (Matthew Brincke) _is_
upstream, and he is asking for an external review because he doesn't
trust himself with it.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:05:53 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started