Debian Bug report logs -
#861563
libpodofo: CVE-2017-6846
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Thu, 2 Mar 2017 18:33:01 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Fixed in version libpodofo/0.9.5-9
Done: Mattia Rizzolo <mattia@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://sourceforge.net/p/podofo/tickets/9
Outlook: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp/
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#856592; Package src:libpodofo.
(Thu, 02 Mar 2017 18:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>.
(Thu, 02 Mar 2017 18:33:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libpodofo
Severity: grave
Tags: security
New podofo issues (no CVEs yet):
http://www.openwall.com/lists/oss-security/2017/03/02/10
http://www.openwall.com/lists/oss-security/2017/03/02/9
http://www.openwall.com/lists/oss-security/2017/03/02/8
http://www.openwall.com/lists/oss-security/2017/03/02/7
http://www.openwall.com/lists/oss-security/2017/03/02/6
http://www.openwall.com/lists/oss-security/2017/03/02/5
http://www.openwall.com/lists/oss-security/2017/03/02/4
http://www.openwall.com/lists/oss-security/2017/03/02/3
http://www.openwall.com/lists/oss-security/2017/03/02/2
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#856592; Package src:libpodofo.
(Fri, 03 Mar 2017 05:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>.
(Fri, 03 Mar 2017 05:45:03 GMT) (full text, mbox, link).
Message #10 received at 856592@bugs.debian.org (full text, mbox, reply):
Hello,
On Thu, Mar 02, 2017 at 07:28:23PM +0100, Moritz Muehlenhoff wrote:
> Source: libpodofo
> Severity: grave
> Tags: security
>
> New podofo issues (no CVEs yet):
>
> http://www.openwall.com/lists/oss-security/2017/03/02/10
> http://www.openwall.com/lists/oss-security/2017/03/02/9
> http://www.openwall.com/lists/oss-security/2017/03/02/8
> http://www.openwall.com/lists/oss-security/2017/03/02/7
> http://www.openwall.com/lists/oss-security/2017/03/02/6
> http://www.openwall.com/lists/oss-security/2017/03/02/5
> http://www.openwall.com/lists/oss-security/2017/03/02/4
> http://www.openwall.com/lists/oss-security/2017/03/02/3
> http://www.openwall.com/lists/oss-security/2017/03/02/2
And http://www.openwall.com/lists/oss-security/2017/03/02/1 in the
above list.
I'm not sure if Agostino Sarubbo has already requested CVEs (I hope
so). Otherwise it's not going to be easy to track those issues, apart
from opening individual bugs for each item.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org:
Bug#856592; Package src:libpodofo.
(Fri, 03 Mar 2017 07:45:07 GMT) (full text, mbox, link).
Message #13 received at 856592@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Fri, Mar 03, 2017 at 06:43:03AM +0100, Salvatore Bonaccorso wrote:
> in the above list.
aheam, what a list.
Anyway, you (Moritz) opened this bug as RC, but is it fine to downgrade
to important if I deem the issues not grave enough to be RC?
They are all crashes, with maliciously crafted PDFs…
> I'm not sure if Agostino Sarubbo has already requested CVEs (I hope
> so).
I hope so too, if he read that email about the move to that web form.
> Otherwise it's not going to be easy to track those issues, apart
> from opening individual bugs for each item.
which I would have preferred anyway :)
I think I will clone+retitle this bug appropriately (and take care of
updating CVE/list if/when I'll do so).
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
[signature.asc (application/pgp-signature, inline)]
Severity set to 'important' from 'grave'
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Fri, 03 Mar 2017 22:57:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#856592; Package src:libpodofo.
(Sun, 12 Mar 2017 21:09:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>.
(Sun, 12 Mar 2017 21:09:06 GMT) (full text, mbox, link).
Message #20 received at 856592@bugs.debian.org (full text, mbox, reply):
On Fri, Mar 03, 2017 at 08:40:37AM +0100, Mattia Rizzolo wrote:
> On Fri, Mar 03, 2017 at 06:43:03AM +0100, Salvatore Bonaccorso wrote:
> > in the above list.
>
> aheam, what a list.
> Anyway, you (Moritz) opened this bug as RC, but is it fine to downgrade
> to important if I deem the issues not grave enough to be RC?
> They are all crashes, with maliciously crafted PDFs…
Which is the most common attack vector on desktop systems...
If there's no upstream (or failing that, maintainer) activity in
fixing these security issues in the forthcoming months towards the
stretch release, stretch is better off without it.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#856592; Package src:libpodofo.
(Mon, 13 Mar 2017 11:24:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>.
(Mon, 13 Mar 2017 11:24:04 GMT) (full text, mbox, link).
Message #25 received at 856592@bugs.debian.org (full text, mbox, reply):
Hi,
On Fri, Mar 03, 2017 at 06:43:03AM +0100, Salvatore Bonaccorso wrote:
> Hello,
>
> On Thu, Mar 02, 2017 at 07:28:23PM +0100, Moritz Muehlenhoff wrote:
> > Source: libpodofo
> > Severity: grave
> > Tags: security
> >
> > New podofo issues (no CVEs yet):
> >
> > http://www.openwall.com/lists/oss-security/2017/03/02/10
> > http://www.openwall.com/lists/oss-security/2017/03/02/9
> > http://www.openwall.com/lists/oss-security/2017/03/02/8
> > http://www.openwall.com/lists/oss-security/2017/03/02/7
> > http://www.openwall.com/lists/oss-security/2017/03/02/6
> > http://www.openwall.com/lists/oss-security/2017/03/02/5
> > http://www.openwall.com/lists/oss-security/2017/03/02/4
> > http://www.openwall.com/lists/oss-security/2017/03/02/3
> > http://www.openwall.com/lists/oss-security/2017/03/02/2
>
> And http://www.openwall.com/lists/oss-security/2017/03/02/1 in the
> above list.
FTR, for all of those CVEs have been assigned.
Regards,
Salvatore
Severity set to 'grave' from 'important'
Request was from Moritz Muehlenhoff <jmm@debian.org>
to control@bugs.debian.org.
(Sun, 19 Mar 2017 18:18:08 GMT) (full text, mbox, link).
Added tag(s) help.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Sun, 26 Mar 2017 20:21:07 GMT) (full text, mbox, link).
Bug 856592 cloned as bugs 861557, 861558, 861559, 861560, 861561, 861562, 861563, 861564, 861565, 861566
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Sun, 30 Apr 2017 18:57:14 GMT) (full text, mbox, link).
Changed Bug title to 'libpodofo: CVE-2017-6845' from 'Multiple security issues'.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Sun, 30 Apr 2017 18:57:18 GMT) (full text, mbox, link).
Outlook recorded from message bug 861563 message
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Sun, 30 Apr 2017 18:57:19 GMT) (full text, mbox, link).
Changed Bug title to 'libpodofo: CVE-2017-6846' from 'libpodofo: CVE-2017-6845'.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Wed, 03 May 2017 10:18:02 GMT) (full text, mbox, link).
Severity set to 'important' from 'grave'
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Wed, 24 May 2017 21:54:05 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Sun, 04 Feb 2018 20:15:09 GMT) (full text, mbox, link).
Removed tag(s) help.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Sat, 10 Mar 2018 16:15:09 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Thu, 15 Mar 2018 17:54:31 GMT) (full text, mbox, link).
Marked as fixed in versions libpodofo/0.9.5-9.
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Mon, 09 Jul 2018 10:12:03 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Mattia Rizzolo <mattia@debian.org>
to control@bugs.debian.org.
(Mon, 09 Jul 2018 10:12:04 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Mon, 09 Jul 2018 10:12:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 07 Aug 2018 07:28:59 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:58:39 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon