libpodofo: CVE-2017-5854/CVE-2018-5308 - NULL pointer dereference in PdfOutputStream.cpp

Debian Bug report logs - #854602

Reported by: Guido Günther <agx@sigxcpu.org>

Date: Sat, 4 Feb 2017 10:51:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions 0.9.4-5, 0.9.0-1.1

Fixed in version 0.9.5-9

Done: Mattia Rizzolo <mattia@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936

Outlook: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp/



Report forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#854118; Package libpodofo. (Sat, 04 Feb 2017 10:51:04 GMT).


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sat, 04 Feb 2017 10:51:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: submit@bugs.debian.org
Subject: Multiple issues in libpodofo
Date: Sat, 4 Feb 2017 11:47:04 +0100
Package: libpodofo
Severity: serious
Tags: security

Hi,

the following vulnerabilities were published for libpodofo.

CVE-2015-8981[0]:
Heap overflow in the function ReadXRefSubsection

CVE-2017-5852[1]:
Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject

CVE-2017-5853[2]:
Signed integer overflow in PdfParser.cpp

CVE-2017-5854[3]:
NULL pointer dereference in PdfOutputStream.cpp

CVE-2017-5855[4]:
NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8981
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8981
[1] https://security-tracker.debian.org/tracker/CVE-2017-5852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5852
[2] https://security-tracker.debian.org/tracker/CVE-2017-5853
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5853
[3] https://security-tracker.debian.org/tracker/CVE-2017-5854
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5854
[4] https://security-tracker.debian.org/tracker/CVE-2017-5855
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5855
Please adjust the affected versions in the BTS as needed.




Set Bug forwarded-to-address to 'https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 04 Feb 2017 14:06:07 GMT).


Severity set to 'important' from 'serious' Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:10 GMT).


Added tag(s) upstream. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:11 GMT).


Bug 854118 cloned as bugs 854599, 854600, 854601, 854602, 854603, 854604, 854605 Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:11 GMT).


Changed Bug title to 'libpodofo: CVE-2017-5854 - NULL pointer dereference in PdfOutputStream.cpp' from 'Multiple issues in libpodofo'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:14 GMT).


Changed Bug forwarded-to-address to 'https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936' from 'https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:24 GMT).


Outlook recorded from message bug 854602 message Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 08 Feb 2017 16:21:24 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#854602; Package libpodofo. (Fri, 07 Apr 2017 19:03:08 GMT).


Message #22 received at 854602@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 854602@bugs.debian.org
Subject: 854602: CVE-2017-5854: fixed upstream
Date: Fri, 7 Apr 2017 21:00:57 +0200
Control: tag -1 fixed-upstream

https://sourceforge.net/p/podofo/code/1836

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Added tag(s) fixed-upstream. Request was from Mattia Rizzolo <mattia@debian.org> to 854602-submit@bugs.debian.org. (Fri, 07 Apr 2017 19:03:08 GMT).


Marked as fixed in versions 0.9.0-1.1+deb7u1. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 18:57:13 GMT).


Marked as found in versions 0.9.0-1.1. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 19:03:06 GMT).


Message sent on to Guido Günther <agx@sigxcpu.org>:
Bug#854602. (Wed, 03 May 2017 09:51:10 GMT).


Message #31 received at 854602-submitter@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 854602-submitter@bugs.debian.org
Subject: Bug#854602 in libpodofo marked as pending
Date: Wed, 03 May 2017 09:47:28 +0000
Control: tag 854602 pending

Hello,

Bug #854602 in libpodofo reported by you has been fixed in the Git repository. You can
see the commit message below, and you can check the diff of the fix at:

    https://anonscm.debian.org/git/collab-maint/libpodofo.git/commit/?id=b4008ea

(this message was generated automatically based on the git commit message)
---
commit b4008ea6d5f388c6b8640614e6199d8cbdfab31e
Author: Mattia Rizzolo <mattia@debian.org>
Date:   Wed May 3 10:43:43 2017 +0200

    Add upstream patch for CVE-2017-5854
    
    Closes: #854602
    Signed-off-by: Mattia Rizzolo <mattia@debian.org>



Added tag(s) pending. Request was from Mattia Rizzolo <mattia@debian.org> to 854602-submitter@bugs.debian.org. (Wed, 03 May 2017 09:51:10 GMT).


Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Wed, 03 May 2017 10:06:06 GMT).


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Wed, 03 May 2017 10:06:06 GMT).


Message #38 received at 854602-close@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 854602-close@bugs.debian.org
Subject: Bug#854602: fixed in libpodofo 0.9.4-5
Date: Wed, 03 May 2017 10:03:30 +0000
Source: libpodofo
Source-Version: 0.9.4-5

We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854602@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 03 May 2017 11:41:19 +0200
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.4
Architecture: source
Version: 0.9.4-5
Distribution: unstable
Urgency: high
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 libpodofo-dev - PoDoFo development files
 libpodofo-utils - PoDoFo utilities
 libpodofo0.9.4 - PoDoFo - library to work with the PDF file format
Closes: 854601 854602 854604 856592 859331
Changes:
 libpodofo (0.9.4-5) unstable; urgency=high
 .
   * Add upstream patch for security issues:
     + CVE-2017-5853 Closes: #854601
     + CVE-2017-6844 Closes: #856592
     + CVE-2017-5854 Closes: #854602
     + CVE-2017-5886 Closes: #854604
     + CVE-2017-7379 Closes: #859331




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 17 Jun 2017 07:24:51 GMT).


Bug unarchived. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Fri, 15 Jun 2018 08:39:08 GMT).


Marked as found in versions 0.9.4-5; no longer marked as fixed in versions libpodofo/0.9.4-5 and reopened. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Fri, 15 Jun 2018 08:39:08 GMT).


Marked as fixed in versions 0.9.5-9. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Fri, 15 Jun 2018 08:39:09 GMT).


Changed Bug title to 'libpodofo: CVE-2017-5854/CVE-2018-5308 - NULL pointer dereference in PdfOutputStream.cpp' from 'libpodofo: CVE-2017-5854 - NULL pointer dereference in PdfOutputStream.cpp'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Fri, 15 Jun 2018 08:39:11 GMT).


No longer marked as fixed in versions 0.9.0-1.1+deb7u1. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Fri, 15 Jun 2018 08:51:03 GMT).


Marked Bug as done Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Fri, 15 Jun 2018 08:51:04 GMT).


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Fri, 15 Jun 2018 08:51:04 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 14 Jul 2018 07:24:55 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:32:03 2019; Machine Name: beach
