Debian Bug report logs - #916580: libpodofo: CVE-2018-12983
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>: Bug#916580; Package src:libpodofo. (Sun, 16 Dec 2018 09:57:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>. (Sun, 16 Dec 2018 09:57:04 GMT)

Message #5 received at submit@bugs.debian.org:
Source: libpodofo
Version: 0.9.6+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/podofo/tickets/23

Hi,

The following vulnerability was published for libpodofo.

CVE-2018-12983[0]:
| A stack-based buffer over-read in the
| PdfEncryptMD5Base::ComputeEncryptionKey() function in PdfEncrypt.cpp in
| PoDoFo 0.9.6-rc1 could be leveraged by remote attackers to cause a
| denial-of-service via a crafted pdf file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12983
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12983
[1] https://sourceforge.net/p/podofo/tickets/23

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>: Bug#916580; Package src:libpodofo. (Sun, 17 Mar 2019 19:39:08 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sun, 17 Mar 2019 19:39:09 GMT)

Message #10 received at 916580@bugs.debian.org:
On Sun, Dec 16, 2018 at 10:53:26AM +0100, Salvatore Bonaccorso wrote:
> Source: libpodofo
> Version: 0.9.6+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceforge.net/p/podofo/tickets/23
>
> Hi,
>
> The following vulnerability was published for libpodofo.
>
> CVE-2018-12983[0]:
> | A stack-based buffer over-read in the
> | PdfEncryptMD5Base::ComputeEncryptionKey() function in PdfEncrypt.cpp in
> | PoDoFo 0.9.6-rc1 could be leveraged by remote attackers to cause a
> | denial-of-service via a crafted pdf file.
> [1] https://sourceforge.net/p/podofo/tickets/23

The ticket has a proposed patch, could you ping upstream to review/merge it?

Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#916580; Package src:libpodofo. (Sun, 17 Mar 2019 21:09:06 GMT)

Message #13 received at 916580@bugs.debian.org:

On Sun, Mar 17, 2019 at 08:36:50PM +0100, Moritz Mühlenhoff wrote:
> > [1] https://sourceforge.net/p/podofo/tickets/23
>
> The ticket has a proposed patch, could you ping upstream to review/merge it?

No, because the one who proposed that patch (Matthew Brincke) _is_
upstream, and he is asking for an external review because he doesn't
trust himself with it.

--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia