Debian Bug report logs -
#916240
libpodofo: CVE-2018-14320
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 11 Dec 2018 20:27:01 UTC
Severity: important
Tags: fixed-upstream, patch, security, upstream
Found in version libpodofo/0.9.6+dfsg-3
Fixed in version libpodofo/0.9.6+dfsg-4
Done: Mattia Rizzolo <mattia@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#916240; Package src:libpodofo.
(Tue, 11 Dec 2018 20:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>.
(Tue, 11 Dec 2018 20:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libpodofo
Version: 0.9.6+dfsg-3
Severity: important
Tags: patch security upstream
Hi,
The following vulnerability was published for libpodofo.
CVE-2018-14320[0]:
| This vulnerability allows remote attackers to disclose sensitive
| information on vulnerable installations of PoDoFo. User interaction is
| required to exploit this vulnerability in that the target must visit a
| malicious page or open a malicious file. The specific flaw exists
| within PdfEncoding::ParseToUnicode. The issue results from the lack of
| proper validation of user-supplied data, which can result in a memory
| corruption condition. An attacker can leverage this in conjunction
| with other vulnerabilities to execute arbitrary code in the context of
| the current process. Was ZDI-CAN-5673.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-14320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14320
[1] https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
[2] https://sourceforge.net/p/podofo/code/1953
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Mon, 11 Feb 2019 16:15:05 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#916240.
(Mon, 11 Feb 2019 18:03:07 GMT) (full text, mbox, link).
Message #10 received at 916240-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #916240 in libpodofo reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/debian/libpodofo/commit/d45e0d7e48e5a12b7720dad53317f925b1ff0869
------------------------------------------------------------------------
Add upstream patch for 2018-14320
Closes: #916240
Signed-off-by: Mattia Rizzolo <mattia@debian.org>
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/916240
Added tag(s) pending.
Request was from Mattia Rizzolo <mattia@debian.org>
to 916240-submitter@bugs.debian.org.
(Mon, 11 Feb 2019 18:03:08 GMT) (full text, mbox, link).
Reply sent
to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility.
(Mon, 11 Feb 2019 18:39:09 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 11 Feb 2019 18:39:09 GMT) (full text, mbox, link).
Message #17 received at 916240-close@bugs.debian.org (full text, mbox, reply):
Source: libpodofo
Source-Version: 0.9.6+dfsg-4
We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 916240@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 11 Feb 2019 18:49:43 +0100
Source: libpodofo
Architecture: source
Version: 0.9.6+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Closes: 916085 916142 916240 916581 916583 916585
Changes:
libpodofo (0.9.6+dfsg-4) unstable; urgency=medium
.
* Add upstream patches for security issues:
+ CVE-2018-5783; Closes: #916142
+ CVE-2018-11254; Closes: #916585
+ CVE-2018-11256; Closes: #916583
+ CVE-2018-12982; Closes: #916581
+ CVE-2018-14320; Closes: #916240
+ CVE-2018-19532; Closes: #916085
+ CVE-2018-20751
* d/control:
+ Bump Standards-Version to 4.3.0, no changes needed.
+ Bump debhelper compat level to 12.
* d/copyright:
+ Add a Comment field to explain the +dfsg repack, appeasing lintian.
+ Bump the year for debian/*.
Checksums-Sha1:
fb966e283068d6f32aff125b2844f780ec310f7e 2182 libpodofo_0.9.6+dfsg-4.dsc
d44e6fd45940ef38258aae7de71c510ed5cf83aa 18588 libpodofo_0.9.6+dfsg-4.debian.tar.xz
319d6216ce2466e0f8d8a6be242f48bb52456589 8519 libpodofo_0.9.6+dfsg-4_amd64.buildinfo
Checksums-Sha256:
850a7b1deebee175825a5b3ad68367025d1b1ed4953f3de710986a685e7827c6 2182 libpodofo_0.9.6+dfsg-4.dsc
e59a6071dd9a6c2daaddf4d31b0f87d0551e11758ec818ea75920b9d774a1d5d 18588 libpodofo_0.9.6+dfsg-4.debian.tar.xz
ff2cff9b389f77debdac70a44dea12bd725248c02d2c642458de7bdc3910cb0d 8519 libpodofo_0.9.6+dfsg-4_amd64.buildinfo
Files:
3dd35b794e2684e188057b100c7cb3b7 2182 libdevel optional libpodofo_0.9.6+dfsg-4.dsc
302ca51a0534cfb91c1f8f40a12f257e 18588 libdevel optional libpodofo_0.9.6+dfsg-4.debian.tar.xz
9bd0ec6c07eee37754d01f16b0b6015a 8519 libdevel optional libpodofo_0.9.6+dfsg-4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAlxhuiAACgkQCBa54Yx2
K63nqQ//Rd3q4bB0rH85p7GADF2j2WxYLKlq7kGgCKpQlH7n7pWO/ldY48gF72XJ
h9yCTXDo6arHdAnrfkYvNV+OrQdaeZzLEVaT33pkXWn5G3qSbsE68lns09YM/NQz
ZbODrUDihL2tqZJscNBCiDyNJfkUvoxyo3y5CPrEOk+g0p/lz2ioFn9uCMF7bPOU
YSJ9izjEHxvkOxlYNNZOozhPD3+w2DAQiNMZvEjWyuVy5fvhjg0wghufqNl7TcIb
VW/tw2Xfihw7mohRnrQNaG73LsXl7G/gbKAUma2P96WZJBq8bMr6/+QIcxdHyUSp
ia876j6ahXa/evSC6T98HT3TajuHXeH3uNGoRmRHGR8m9VTqCceV1M6i4uWZnUjr
LuN/Sqf1CyCBQ3MHWVq4Ogkuv0+x/z0vsB5vl0+31y/YbJGkuoygmtApA9UykwgR
UPnYGyEDUTugyfYiMs4FbeZNUDyhXE1Cea2zk7zwyBHXNwkz2zAyMApABeY3zuUO
nymIYBmk9gE87ZPxDt2eK9OOa58GOIauJ9vsAQcJ/swObXRwZIkaCr7xF1W5Jprp
Q2RvA32UZtww4SCaFe1OyO4j5cVhV92NuuBnjvqht/ogBg8mCKdmQoWbosxM2CIt
3LuPYELWTqwmauuSZiy+LzJ5gHHt4gNYRjvCvJC/Pp7HCegQVoE=
=9HOa
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 12 Mar 2019 07:28:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:04:54 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon