Debian Bug report logs -
#859331
libpodofo: CVE-2017-7379: heap-based buffer overflow in PoDoFo::PdfSimpleEncoding::ConvertToEncoding (PdfEncoding.cpp)
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 2 Apr 2017 12:03:10 UTC
Severity: important
Tags: security, upstream
Fixed in versions libpodofo/0.9.0-1.1+deb7u1, libpodofo/0.9.4-5
Done: Mattia Rizzolo <mattia@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#859331; Package src:libpodofo.
(Sun, 02 Apr 2017 12:03:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>.
(Sun, 02 Apr 2017 12:03:12 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libpodofo
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for libpodofo.
CVE-2017-7379[0]:
|heap-based buffer overflow in
|PoDoFo::PdfSimpleEncoding::ConvertToEncoding (PdfEncoding.cpp)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7379
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as fixed in versions libpodofo/0.9.0-1.1+deb7u1.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Sun, 30 Apr 2017 18:57:11 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#859331.
(Wed, 03 May 2017 09:51:17 GMT) (full text, mbox, link).
Message #10 received at 859331-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag 859331 pending
Hello,
Bug #859331 in libpodofo reported by you has been fixed in the Git repository. You can
see the commit message below, and you can check the diff of the fix at:
https://anonscm.debian.org/git/collab-maint/libpodofo.git/commit/?id=7010679
(this message was generated automatically based on the git commit message)
---
commit 7010679657835e284debb49e446cfd8cc066cd0a
Author: Mattia Rizzolo <mattia@debian.org>
Date: Wed May 3 10:47:40 2017 +0200
Add upstream patch for CVE-2017-7379
Closes: #859331
Signed-off-by: Mattia Rizzolo <mattia@debian.org>
Added tag(s) pending.
Request was from Mattia Rizzolo <mattia@debian.org>
to 859331-submitter@bugs.debian.org.
(Wed, 03 May 2017 09:51:17 GMT) (full text, mbox, link).
Reply sent
to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility.
(Wed, 03 May 2017 10:06:12 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Wed, 03 May 2017 10:06:12 GMT) (full text, mbox, link).
Message #17 received at 859331-close@bugs.debian.org (full text, mbox, reply):
Source: libpodofo
Source-Version: 0.9.4-5
We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 859331@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 03 May 2017 11:41:19 +0200
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.4
Architecture: source
Version: 0.9.4-5
Distribution: unstable
Urgency: high
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
libpodofo-dev - PoDoFo development files
libpodofo-utils - PoDoFo utilities
libpodofo0.9.4 - PoDoFo - library to work with the PDF file format
Closes: 854601 854602 854604 856592 859331
Changes:
libpodofo (0.9.4-5) unstable; urgency=high
.
* Add upstream patch for security issues:
+ CVE-2017-5853 Closes: #854601
+ CVE-2017-6844 Closes: #856592
+ CVE-2017-5854 Closes: #854602
+ CVE-2017-5886 Closes: #854604
+ CVE-2017-7379 Closes: #859331
Checksums-Sha1:
efa896f42140fd0ac2e5cc36014a339cab5dad29 2119 libpodofo_0.9.4-5.dsc
6238655d640b0738601fd4f35fafd4f39d4ae60a 13308 libpodofo_0.9.4-5.debian.tar.xz
c0a2be46333e68a33bb4ccf60639480aadca9d9d 8325 libpodofo_0.9.4-5_amd64.buildinfo
Checksums-Sha256:
60de0684a1a38fff67e1c49bf49f55aec41167eb2cb5c3a4034cc4de063944ef 2119 libpodofo_0.9.4-5.dsc
fc150e0534bf808588350c8c6d82bec033481a7039dfbd28742033cc8eddc455 13308 libpodofo_0.9.4-5.debian.tar.xz
14ded71340b21dad144d906c0d58e34f7e6416de7abc2c913195fbb099614f08 8325 libpodofo_0.9.4-5_amd64.buildinfo
Files:
7f3a7c904e54eeb655044c8adb56d902 2119 libdevel extra libpodofo_0.9.4-5.dsc
a8a35d56d295eab92b7356bfcc378ea7 13308 libdevel extra libpodofo_0.9.4-5.debian.tar.xz
742c1b148d7356cc3c18eeb9f1fd6f4d 8325 libdevel extra libpodofo_0.9.4-5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAlkJpsgACgkQCBa54Yx2
K628GQ//dXA9Zo8CS2DoRRBRc3awfFH5WhMiU5urTB3fBWnpmSk28gSS7znHhAZQ
C5QJl9CSK2AHuU2lnYiIilCzWeJZD9gA5VOKNHqiSUnKUDrvgM/xIr3OHoXcl4ti
t5oEODgxFnSu1W5WEwR8ocSbC6oEt50CSGpa2ZFFSWYCGOxeiGjZblwvlsR1Fgh/
s/Yx4wUJ8HXjHhV9BuXlvh733QJ4SLuS0AR/gjykxQo1LdgcenP1VbrQANrvr/b1
mJMFwOhbc6DHdZ9KZbNuN+DZwAPUW1mpg6hJoj1HbfjHr0HV0pu2xHJxs41YIDwM
k5Ir5E/cq5H3tj/cqfW9VMedu4fPBYLqYtR+UDfSv1FJwuFZAhEq6RPaaXbeyRRg
GNRrkH6DCrKgebixct6MxcWXnN32BaSmaUg+HOgAQ06ei9z2YwB03CiSEL3mK0Dd
HX4XjBHZ3V/OUkOv9KlMYpyWwaVoM6E8TdCZZR4Zd5BHVnAQt7YbsQtGgaT5ZVdc
mR1hHvEPaYfaFjGgX/ifObeTsGwTu22IO/7ywIRHDh6j/OIjGoMlqTAechzqo20f
CeI/ksJMNJjD9LDrd9LoV2dLx1kbpurBfbTaz4aNKxH0zl1yK/Tk+4m7OgCt0RrW
e1i4KO/XOiM8cIpQtOqJjG/jNKnZGxCLKKZV8JuV9JNSiDCTThk=
=DN+/
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 17 Jun 2017 07:27:12 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:22:22 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon