libpodofo: CVE-2017-8378

Debian Bug report logs - #861597
libpodofo: CVE-2017-8378

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libpodofo: CVE-2017-8378

Date: Mon, 01 May 2017 11:22:45 +0200

Source: libpodofo
Version: 0.9.4-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for libpodofo.

CVE-2017-8378[0]:
| Heap-based buffer overflow in the PdfParser::ReadObjects function in
| base/PdfParser.cpp in PoDoFo 0.9.5 allows remote attackers to cause a
| denial of service (application crash) or possibly have unspecified
| other impact via vectors related to m_offsets.size.

AFAICS, but please double-check/confirm, the same issue is at least
present in 0.9.4, the m_offsets.size is not checked. Or do I miss
soemthing?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8378
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8378
[1] https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects

Please adjust the affected versions in the BTS as needed, specifically
older versions have not yet been checked.

Regards,
Salvatore

Message #10 received at 861597@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>

To: 861597@bugs.debian.org

Subject: Proposed patch for CVE-2017-8378 (for wheezy)

Date: Mon, 5 Jun 2017 15:25:24 +0200

[Message part 1 (text/plain, inline)]

Hi

When investigating CVE-2017-8378 for wheezy I wrote a patch. However
when trying to reproduce the problem with libpodofo-utils I failed to
do so as it exited before this problem occured. This means that it is
not worth fixing in wheezy.

However you may be interested in the patch anyway. So here it is.

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

[CVE-2017-8378.patch (text/x-patch, attachment)]

Message #15 received at 861597@bugs.debian.org (full text, mbox, reply):

From: Matthias Brinke <podofo-sec-contrib@mailbox.org>

To: 861597@bugs.debian.org

Subject: libpodofo: CVE-2017-8378 was already fixed upstream

Date: Fri, 24 Nov 2017 22:59:29 +0100 (CET)

Hello,

this bug was already fixed upstream before being reported here.
I'm sorry to not have noted that here earlier.
The fix is in svn r1833 [1] of the upstream PoDoFo repository
trunk, committed on 2017-03-24 as "Fix a crash when passing a PDF
file with an encryption dictionary reference to a nonexistent object".

[1] https://sourceforge.net/p/podofo/code/1833/

Best regards, Matthias

Message #20 received at 861597-submitter@bugs.debian.org (full text, mbox, reply):

From: mattia@debian.org

To: 861597-submitter@bugs.debian.org

Subject: Bug #861597 in libpodofo marked as pending

Date: Sat, 24 Feb 2018 10:41:20 +0000

Control: tag -1 pending

Hello,

Bug #861597 in libpodofo reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/debian/libpodofo/commit/6d8bae6f7dc8cf2ec019e15d31c3bc68beb6d02c

------------------------------------------------------------------------
Add upstream patch for CVE-2017-8378

Closes: #861597
Signed-off-by: Mattia Rizzolo <mattia@debian.org>

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

Message #27 received at 861597-close@bugs.debian.org (full text, mbox, reply):

From: Mattia Rizzolo <mattia@debian.org>

To: 861597-close@bugs.debian.org

Subject: Bug#861597: fixed in libpodofo 0.9.5-9

Date: Sat, 24 Feb 2018 11:22:46 +0000

Source: libpodofo
Source-Version: 0.9.5-9

We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861597@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 24 Feb 2018 11:38:43 +0100
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.5
Architecture: source
Version: 0.9.5-9
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 libpodofo-dev - PoDoFo development files
 libpodofo-utils - PoDoFo utilities
 libpodofo0.9.5 - PoDoFo - library to work with the PDF file format
Closes: 860995 861562 861597 889511
Changes:
 libpodofo (0.9.5-9) unstable; urgency=medium
 .
   * Add upstream patches for security issues:
     + CVE-2017-6845 Closes: #861562
     + CVE-2017-8054 Closes: #860995
     + CVE-2017-8378 Closes: #861597
     + CVE-2018-5295 Closes: #889511
     + CVE-2018-5308
   * d/control:
     + Move the packaging to salsa.debian.org.
     + Bump Standards-Version to 4.1.3, no changes needed.
     + Move libpodofo-utils to section utils.
   * d/rules: Move from the deprecated dh_install --fail-missing to dh_missing.
   * d/copyright: Bump copyright year for debian/*.
   * Bump debhelper compat level to 11.
Checksums-Sha1:
 22265a95e4d0632000785feba79a12ba39026a91 2126 libpodofo_0.9.5-9.dsc
 f56846ede8d87fceb1d0384fcb2a98b0b9f54057 19888 libpodofo_0.9.5-9.debian.tar.xz
 bb9b6965c6a64da60a9fef215b7adde0c551adea 8544 libpodofo_0.9.5-9_amd64.buildinfo
Checksums-Sha256:
 09f495d02231c98b2d95dcd6fe0f4d3aadc280fde10cb97e75efc8ca75fb6012 2126 libpodofo_0.9.5-9.dsc
 31536fd0e81bc910ce3378840646f54c69463e230161c575bb1eeb38175fafd6 19888 libpodofo_0.9.5-9.debian.tar.xz
 84be9aa7806fe40e11b5fa7457300ced1421eea668f227d2c22bab4c5ab184ce 8544 libpodofo_0.9.5-9_amd64.buildinfo
Files:
 eb706e4b75cf4c71e9164347ceab5329 2126 libdevel optional libpodofo_0.9.5-9.dsc
 1acf189b272bde337c5e53a8a1f098b6 19888 libdevel optional libpodofo_0.9.5-9.debian.tar.xz
 746639378cf7664488a6d1fad869a854 8544 libdevel optional libpodofo_0.9.5-9_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAlqRRZkACgkQCBa54Yx2
K60Djw/7B6Z8jdudjAFNY5yxQhm2urku6Lwbl1he1weOPLgdjbvnTMZhSociIhgV
GM4jGxqSacyA7v27p+jTl9UAXRU7uNamcq8QpKo15QB0zBu+HGVO+oyeZGREJHCM
Ph6PVpmFXrRyzhf5NKftzsi4abft0F9rUDtTaj4VJAJSBVuqyWjM6GLhcDsYCm3u
wUVsrqnP283+J44OfZbqWtVcSQimPwVN6DQ+5oxIRRyFiEFBkpjm+m0LpDFFhWP/
raqo+uBprDZd5X/9NQ4ZdNlyuKwSLC0gOhZtAlBUFgFE+MjZaYk1HQxRFvEKoS+P
ExV/vgBl/I0Au5XKixjM/YyzkXiPNAbPSio9hUXDEPmGJXI9qlBnv005VxtYFj4g
jzzudnNpuVNmsjFmPsjM3R4493k5JDKf7N8mqqpUBMWV4/9C8AbW5WGmTGLVBhdA
ONeP5kcjmetI5CqNNVDJKdpR60n0XhAjr8FxQW/UlXAq9XXcSkGIbM+4dmxiQPq/
ojLe7bCYGgPH0AgNZPVLA0NzBn7+fUh8vWVYUVUF2a+wQY8lyPSOPkmVULV4g+gu
H/4Eb3O39UxGTwzHq9V9KjRtXJVPfp+k9jAL5aLFmVwSghCgq2H+7su/8jT9uU/o
5xyRg+GBTgju/CID/MFYfXYjWb5m5XYtN5RhptXOXMB0+oEUd/8=
=ZRNu
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.