libpodofo: CVE-2017-5852 - Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject

Debian Bug report logs - #854600

Reported by: Guido Günther <agx@sigxcpu.org>

Date: Sat, 4 Feb 2017 10:51:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Fixed in versions 0.9.0-1.1+deb7u1, libpodofo/0.9.5-7

Done: Mattia Rizzolo <mattia@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936

Outlook: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp/



Report forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#854118; Package libpodofo. (Sat, 04 Feb 2017 10:51:04 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sat, 04 Feb 2017 10:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: submit@bugs.debian.org
Subject: Multiple issues in libpodofo
Date: Sat, 4 Feb 2017 11:47:04 +0100
Package: libpodofo
Severity: serious
Tags: security

Hi,

the following vulnerabilities were published for libpodofo.

CVE-2015-8981[0]:
Heap overflow in the function ReadXRefSubsection

CVE-2017-5852[1]:
Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject

CVE-2017-5853[2]:
Signed integer overflow in PdfParser.cpp

CVE-2017-5854[3]:
NULL pointer dereference in PdfOutputStream.cpp

CVE-2017-5855[4]:
NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8981
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8981
[1] https://security-tracker.debian.org/tracker/CVE-2017-5852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5852
[2] https://security-tracker.debian.org/tracker/CVE-2017-5853
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5853
[3] https://security-tracker.debian.org/tracker/CVE-2017-5854
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5854
[4] https://security-tracker.debian.org/tracker/CVE-2017-5855
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5855
Please adjust the affected versions in the BTS as needed.




Set Bug forwarded-to-address to 'https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 04 Feb 2017 14:06:07 GMT)


Severity set to 'important' from 'serious'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:10 GMT)


Added tag(s) upstream. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:11 GMT)


Bug 854118 cloned as bugs 854599, 854600, 854601, 854602, 854603, 854604, 854605. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:11 GMT)


Changed Bug title to 'libpodofo: CVE-2017-5852 - Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject' from 'Multiple issues in libpodofo'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:13 GMT)


Changed Bug forwarded-to-address to 'https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936' from 'https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:21 GMT)


Outlook recorded from bug 854600 message. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:22 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#854600; Package libpodofo. (Fri, 07 Apr 2017 19:03:06 GMT)


Message #22 received at 854600@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 854600@bugs.debian.org
Subject: #854600: CVE-2017-5852: fixed upstream
Date: Fri, 7 Apr 2017 20:58:52 +0200
Control: tag -1 fixed-upstream

https://sourceforge.net/p/podofo/code/1835

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Added tag(s) fixed-upstream. Request was from Mattia Rizzolo <mattia@debian.org> to 854600-submit@bugs.debian.org. (Fri, 07 Apr 2017 19:03:06 GMT)


Marked as fixed in versions 0.9.0-1.1+deb7u1. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 18:57:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#854600; Package libpodofo. (Wed, 03 May 2017 09:24:05 GMT)


Acknowledgement sent to Mattia Rizzolo <mattia@debian.org>:
Extra info received and forwarded to list. (Wed, 03 May 2017 09:24:05 GMT)


Message #31 received at 854600@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: debian-lts@lists.debian.org
Subject: Re: Accepted libpodofo 0.9.0-1.1+deb7u1 (source amd64) into oldstable
Date: Wed, 3 May 2017 11:11:10 +0200
Here is why:

On Sun, Apr 30, Mattia Rizzolo:
> On Sun, Apr 30, 2017 at 01:40:13AM +0200, Markus Koschany wrote:
> > Am 29.04.2017 um 23:50 schrieb Mattia Rizzolo:
> > > Hi Markus.
> > > 
> > > Thank you for the upload!
> > > 
> > > Although, I'd have liked if you sent me a debdiff before uploading it,
> > > if nothing else because I am planning to do an upload to unstable fixing
> > > a first round of CVEs, and I would have liked to do something similar for
> > > all the suites...
> > 
> > You're welcome. When I saw that nobody worked on libpodofo in Wheezy,
> > even some CVEs got marked as no-dsa, I decided to step up and fix what
> > could be reasonably fixed in time. I forgot that you would have
> > preferred to look over the changes, sorry about that, I will remember
> > that for the next time.
> 
> Anyhow, upstream has no consideration for ABI stability (feels like they
> are taking breaking ABI every single new release as a feature…) so every
> cherry pick from upstream has to be checked in this regard (all the
> commits till now are fine, IIRC).

QED.

Your LTS upload broke libpodofo ABI. The symbol
_ZNK6PoDoFo7PdfPage25GetInheritedKeyFromObjectEPKcPKNS_9PdfObjectE@Base
as present in the wheezy version (libpodofo0.9.0_0.9.0-1.1+b1_amd64.deb)
became
_ZNK6PoDoFo7PdfPage25GetInheritedKeyFromObjectEPKcPKNS_9PdfObjectEi@Base
in wheezy-security (libpodofo0.9.0_0.9.0-1.1+deb7u1_amd64.deb).

Now, I do not know what's LTS policy about silent ABI breakage, but I
doubt you are OK with that.


That's in particular caused by
https://anonscm.debian.org/git/collab-maint/libpodofo.git/tree/debian/patches/CVE-2017-5852.patch?h=debian/0.9.0-1.1%2bdeb7u1#n123

-    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject ) const; 
+    const PdfObject* GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth = 0 ) const;
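Review bot: adding `int depth = 0` to the public declaration changes the mangled name, exactly as the symbol comparison above shows (`...PKNS_9PdfObjectE@Base` becoming `...PKNS_9PdfObjectEi@Base`), so binaries linked against the old library fail to resolve the two-argument entry point; a default argument is substituted by the caller at compile time and does not keep the old symbol exported. To fix the loop without the ABI break, leave the original two-parameter declaration untouched and have it call a new private helper `GetInheritedKeyFromObject( const char* inKey, const PdfObject* inObject, int depth ) const` that carries the recursion bound, so the old symbol stays and callers need no rebuild.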


ATM, I don't know how to fix that CVE without breaking the ABI.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
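Added example (not PoDoFo's code and not the Debian patch) of the pattern this thread turns on: a lookup that follows /Parent links until it finds the key, bounded by a recursion depth so a malformed cycle cannot loop forever, with the bound carried by a private helper so the public two-argument signature, and hence its exported symbol, stays as it was. PdfObj, PageLookup and the bound of 64 are assumptions standing in for PoDoFo's PdfObject and PdfPage.

```cpp
#include <iostream>
#include <map>
#include <string>
// Toy stand-in for PoDoFo::PdfObject (an assumption, not PoDoFo's class): a
// dictionary plus the /Parent link that the inherited-attribute walk follows.
struct PdfObj {
    std::map<std::string, std::string> dict;   // keys stored without the leading '/'
    const PdfObj* parent = nullptr;
};
// Toy stand-in for the PdfPage lookup. The public method keeps the original
// two-parameter shape, so its mangled symbol does not change; the depth
// counter lives only in a private helper.
class PageLookup {
public:
    const std::string* GetInheritedKey(const char* key, const PdfObj* obj) const {
        return GetInheritedKey(key, obj, 0);
    }
private:
    static const int kMaxDepth = 64;   // constructed bound; real page trees are far shallower
    const std::string* GetInheritedKey(const char* key, const PdfObj* obj, int depth) const {
        if (obj == nullptr || depth > kMaxDepth) return nullptr;   // chain end, or a /Parent cycle
        auto it = obj->dict.find(key);
        if (it != obj->dict.end()) return &it->second;
        return GetInheritedKey(key, obj->parent, depth + 1);
    }
};

// Constructed input: a page that inherits /MediaBox from the root of the tree.
std::string InheritedValue() {
    PdfObj root, pages, page;
    root.dict["MediaBox"] = "[0 0 612 792]";
    pages.parent = &root;
    page.parent = &pages;
    const std::string* v = PageLookup().GetInheritedKey("MediaBox", &page);
    return v ? *v : std::string();
}

// Constructed input: two objects whose /Parent links point at each other. An
// unbounded walk never returns; the bounded one reports "not found".
bool CyclicChainTerminates() {
    PdfObj a, b;
    a.parent = &b;
    b.parent = &a;
    return PageLookup().GetInheritedKey("Rotate", &a) == nullptr;
}

int main() {
    std::cout << InheritedValue() << '\n' << (CyclicChainTerminates() ? "cycle bounded" : "?") << '\n';
    return 0;
}
```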

Message sent on to Guido Günther <agx@sigxcpu.org>:
Bug#854600. (Sun, 12 Nov 2017 15:03:09 GMT)


Message #34 received at 854600-submitter@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 854600-submitter@bugs.debian.org
Subject: Bug#854600 in libpodofo marked as pending
Date: Sun, 12 Nov 2017 14:59:08 +0000
Control: tag 854600 pending

Hello,

Bug #854600 in libpodofo reported by you has been fixed in the Git repository. You can
see the commit message below, and you can check the diff of the fix at:

    https://anonscm.debian.org/git/collab-maint/libpodofo.git/commit/?id=ccf111f

(this message was generated automatically based on the git commit message)
---
commit ccf111f1eb65b99780f6010d7791ee2704af7a86
Author: Mattia Rizzolo <mattia@debian.org>
Date:   Sun Nov 12 15:28:43 2017 +0100

    Add upstream patch for CVE-2017-5852
    
    Closes: #854600
    Signed-off-by: Mattia Rizzolo <mattia@debian.org>



Added tag(s) pending. Request was from Mattia Rizzolo <mattia@debian.org> to 854600-submitter@bugs.debian.org. (Sun, 12 Nov 2017 15:03:09 GMT)


Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Sun, 12 Nov 2017 15:24:04 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Sun, 12 Nov 2017 15:24:04 GMT)


Message #41 received at 854600-close@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 854600-close@bugs.debian.org
Subject: Bug#854600: fixed in libpodofo 0.9.5-7
Date: Sun, 12 Nov 2017 15:20:28 +0000
Source: libpodofo
Source-Version: 0.9.5-7

We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854600@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 12 Nov 2017 15:36:06 +0100
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.5
Architecture: source
Version: 0.9.5-7
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 libpodofo-dev - PoDoFo development files
 libpodofo-utils - PoDoFo utilities
 libpodofo0.9.5 - PoDoFo - library to work with the PDF file format
Closes: 854600 860930 861738
Changes:
 libpodofo (0.9.5-7) unstable; urgency=medium
 .
   * Add upstream patches for security issues:
     + CVE-2017-5852 Closes: #854600
     + CVE-2017-7994 Closes: #860930
     + CVE-2017-8787 Closes: #861738
   * debian/control:
     + Bump Standards-Version to 4.1.1:
       - Move from priority extra (deprecated) to optional.
     + Declare that libpodofo can be built without root: R³:no.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Dec 2017 07:24:54 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:29:37 2019; Machine Name: buxtehude
