Debian Bug report logs - #860995: libpodofo: CVE-2017-8054
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>: Bug#860995; Package src:libpodofo. (Sun, 23 Apr 2017 11:33:07 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>. (Sun, 23 Apr 2017 11:33:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libpodofo
Version: 0.9.4-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for libpodofo.
CVE-2017-8054[0]:
| The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464
| in PoDoFo 0.9.5 allows remote attackers to cause a denial of service
| (infinite recursion and application crash) via a crafted PDF document.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8054
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>: Bug#860995; Package src:libpodofo. (Sun, 05 Nov 2017 23:06:03 GMT)
Acknowledgement sent to Matthias Brinke <podofo-sec-contrib@mailbox.org>: Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sun, 05 Nov 2017 23:06:03 GMT)
Message #10 received at 860995@bugs.debian.org:
Hello,
attached is a patch (tested with jessie, I don't use Debian 9/stretch yet) to fix CVE-2017-8054.
The source code for a program using PoDoFo to generate the PoC I tested with is also attached.
Best regards, Matthias
[CVE-2017-8054-my.patch (text/x-patch, attachment)]
[create-CVE-2017-8054-PoC.cpp (text/x-c++src, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>: Bug#860995; Package src:libpodofo. (Wed, 20 Dec 2017 23:21:03 GMT)
Acknowledgement sent to Matthias Brinke <podofo-sec-contrib@mailbox.org>: Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Wed, 20 Dec 2017 23:21:03 GMT)
Message #15 received at 860995@bugs.debian.org:
Hello,
I'm sorry to have missed attaching (in my earlier post to
this bug) what is now attached here: the source code of the test
program for verifying the fix (for both jessie and sid, but the
fix doesn't work with sid's g++-7/libstdc++6, a corrected fix
which I tested in a sid chroot in the meantime will be sent
shortly) and the workaround header for jessie to make available
the method PdfFontFactory::CreateBase14Font(), which the program
generating my PoC needs on jessie. That program also didn't build
on sid, an adapted version will also be provided in my next post.
Best regards, Matthias
[workaround_create_base14.h (text/x-chdr, attachment)]
[test-CVE-2017-8054.cpp (text/x-c++src, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>: Bug#860995; Package src:libpodofo. (Thu, 21 Dec 2017 16:36:03 GMT)
Acknowledgement sent to Matthias Brinke <podofo-sec-contrib@mailbox.org>: Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Thu, 21 Dec 2017 16:36:03 GMT)
Message #20 received at 860995@bugs.debian.org:
Dear maintainer, hello all,
I have simplified my fix for CVE-2017-8054 (stack overflow
by infinite recursion from loop in pages tree) and tested
it again in an unstable chroot (entered by sbuild from
jessie-backports), which was clean, up-to-date and maybe
also minimal (why does it contain GNU autotools?). It is,
of course, attached here. The source for a generator just
using PoDoFo outputting the simple/mostly-minimal PoC I
tested with is also attached. Please accept it for your
next upload (could you please do it before upstream puts
out its next release or rc tarball?) and bump the shlibs
version, too, because a PdfError constructor is added by it.
Best regards, Matthias
[CVE-2017-8054.patch (text/x-patch, attachment)]
[create-CVE-2017-8054-PoC.cpp (text/x-c++src, attachment)]
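The "loop in pages tree" that the CVE text and the message above describe (a /Pages node whose /Kids array leads back to one of its own ancestors, so a recursive walk never bottoms out) can be modelled without PoDoFo. What follows is an added example, not code from this bug report, from the attached patches or from PoDoFo itself: a toy in-memory object table, a pages-tree walk guarded by a visited set and a depth bound, and constructed sample trees (a well-formed one, one with a /Kids loop, and an over-deep chain). The PdfNode struct, the depth constant and all function names are assumptions of this example.

```cpp
// Added example (not PoDoFo code): a pages-tree walker that refuses to
// follow a /Kids loop instead of recursing until the stack is exhausted.
// The object model is a toy stand-in for a PDF's indirect objects.
#include <cstdio>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Toy indirect object: a /Pages node (with /Kids) or a /Page leaf.
struct PdfNode {
    std::string type;       // "Pages" or "Page"
    std::vector<int> kids;  // object numbers referenced from /Kids
};

using PdfObjects = std::map<int, PdfNode>;  // object number -> node

// Upper bound on nesting (assumed value): a legitimate pages tree is only a
// few levels deep, so a very deep chain is as suspicious as an outright loop.
constexpr std::size_t kMaxPagesTreeDepth = 64;

// Recursively count leaf pages under `objNum`.  `visited` holds every object
// number already entered; seeing one again means /Kids points back at a node
// we have been to (a loop, or a shared subtree), so we stop instead of
// recursing again.  `depth` bounds acyclic but absurdly deep trees.
static std::size_t countPagesChecked(const PdfObjects& objs, int objNum,
                                     std::set<int>& visited, std::size_t depth)
{
    if (depth > kMaxPagesTreeDepth)
        throw std::runtime_error("pages tree nested too deeply");
    if (!visited.insert(objNum).second)
        throw std::runtime_error("object " + std::to_string(objNum) +
                                 " reached twice in pages tree");

    auto it = objs.find(objNum);
    if (it == objs.end())
        throw std::runtime_error("dangling reference to object " +
                                 std::to_string(objNum));

    if (it->second.type == "Page")
        return 1;
    if (it->second.type != "Pages")
        throw std::runtime_error("unexpected /Type in pages tree");

    std::size_t pages = 0;
    for (int kid : it->second.kids)
        pages += countPagesChecked(objs, kid, visited, depth + 1);
    return pages;
}

// Count pages below the root /Pages object; throws on loops, shared
// subtrees, dangling references or excessive depth.
std::size_t countPages(const PdfObjects& objs, int rootObj)
{
    std::set<int> visited;
    return countPagesChecked(objs, rootObj, visited, 0);
}

// Constructed sample trees (not taken from any real file).
// Well-formed: 1 -> {2 -> {3, 4}, 5}, three pages in total.
PdfObjects makeValidTree()
{
    return {
        {1, {"Pages", {2, 5}}},
        {2, {"Pages", {3, 4}}},
        {3, {"Page", {}}},
        {4, {"Page", {}}},
        {5, {"Page", {}}},
    };
}

// Malicious: object 2's /Kids refers back to the root (1).
PdfObjects makeLoopedTree()
{
    return {
        {1, {"Pages", {2}}},
        {2, {"Pages", {1, 3}}},
        {3, {"Page", {}}},
    };
}

// Acyclic but deep: `levels` nested /Pages nodes ending in a single page.
PdfObjects makeDeepChain(int levels)
{
    PdfObjects objs;
    for (int i = 1; i <= levels; ++i)
        objs[i] = {"Pages", {i + 1}};
    objs[levels + 1] = {"Page", {}};
    return objs;
}

// True when the walker rejects the tree rather than descending into it.
bool rejectsTree(const PdfObjects& objs)
{
    try { countPages(objs, 1); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main()
{
    std::printf("valid tree: %zu pages\n", countPages(makeValidTree(), 1));
    std::printf("looped tree rejected: %s\n",
                rejectsTree(makeLoopedTree()) ? "yes" : "no");
    std::printf("100-level chain rejected: %s\n",
                rejectsTree(makeDeepChain(100)) ? "yes" : "no");
    return 0;
}
```

The visited set is deliberately never pruned on the way back up, so a node reachable by two paths is rejected along with a true loop: a well-formed pages tree has no shared subtrees, and a shared subtree referenced repeatedly can make traversal time explode even without a cycle. The depth bound covers the remaining case, a chain that is acyclic but deep enough to exhaust the stack on its own.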
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#860995; Package src:libpodofo. (Thu, 21 Dec 2017 21:57:02 GMT)
Message #23 received at 860995@bugs.debian.org:
Control: tag -1 patch
On Thu, Dec 21, 2017 at 04:55:00PM +0100, Matthias Brinke wrote:
> I have simplified my fix for CVE-2017-8054 (stack overflow
> by infinite recursion from loop in pages tree) and tested
> it again in an unstable chroot (entered by sbuild from
> jessie-backports), which was clean, up-to-date and maybe
> also minimal (why does it contain GNU autotools?). It is,
> of course, attached here. The source for a generator just
> using PoDoFo outputting the simple/mostly-minimal PoC I
> tested with is also attached. Please accept it for your
> next upload (could you please do it before upstream puts
> out its next release or rc tarball?)
I could, but could you please send it upstream?
The only way to interact with upstream is the podofo-users ML
https://sourceforge.net/p/podofo/mailman/podofo-users/
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Added tag(s) patch. Request was from Mattia Rizzolo <mattia@debian.org> to 860995-submit@bugs.debian.org. (Thu, 21 Dec 2017 21:57:02 GMT)
Added tag(s) fixed-upstream. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Fri, 26 Jan 2018 08:30:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>: Bug#860995; Package src:libpodofo. (Tue, 06 Feb 2018 00:27:02 GMT)
Acknowledgement sent to Matthias Brinke <podofo-sec-contrib@mailbox.org>: Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Tue, 06 Feb 2018 00:27:03 GMT)
Message #34 received at 860995@bugs.debian.org:
Hello Mattia,
> Mattia Rizzolo has written on 21 December 2017 at 22:54:
>
>
> Control: tag -1 patch
>
> On Thu, Dec 21, 2017 at 04:55:00PM +0100, Matthias Brinke wrote:
>> I have simplified my fix for CVE-2017-8054 (stack overflow
>> by infinite recursion from loop in pages tree) and tested
>> it again in an unstable chroot (entered by sbuild from
>> ... snip ...
>
> I could, but could you please send it upstream?
> The only way to interact with upstream is the podofo-users ML
> https://sourceforge.net/p/podofo/mailman/podofo-users/
There is a post on the podofo-users mailing list by zyx which
says that when running test/unit/podofo-test a heap-use-after-free
bug was detected [1]. I've investigated that and implemented a
correction, which I tested with -fsanitize=address (ASan) in
a Debian sid chroot (up-to-date, mostly? minimal) through
sbuild (from jessie-backports), attached here. Only memory leaks
were detected, therefore the test log is not attached here, also
because it's 292 KiB large (many leaks, but that's OT here). As
far as I've already seen, the leaks seem to be elsewhere.
This patch is complete to add to the Debian package, so please
disregard the older (and incorrect) patch in this bug thread.
I'm sorry I'm answering only now, the divergence between the
package and the upstream svn repository (also through the partial
revert) presented some challenges in patch handling. Because of
this, the patch is also not for forwarding (it wouldn't apply there).
I'm not changing the fixed-upstream tag as the partial revert is
already mentioned in the security-tracker notes and would've been
reflected in the (removal of the) tag if it was necessary, right?
>
> --
> regards,
> Mattia Rizzolo
>
Best regards, Matthias Brinke
[1] https://sourceforge.net/p/podofo/mailman/message/36215307/
[CVE-2017-8054-correction.patch (text/x-patch, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#860995; Package src:libpodofo. (Tue, 06 Feb 2018 01:03:03 GMT)
Message #37 received at 860995@bugs.debian.org:
Control: tag -1 -fixed-upstream
On Tue, Feb 06, 2018 at 01:26:00AM +0100, Matthias Brinke wrote:
> I've investigated that and implemented a
> correction, which I tested with -fsanitize=address (ASan) in
> a Debian sid chroot (up-to-date, mostly? minimal) through
> sbuild (from jessie-backports), attached here.
Thank you!
> This patch is complete to add to the Debian package, so please
> disregard the older (and incorrect) patch in this bug thread.
>
> I'm sorry I'm answering only now, the divergence between the
> package and the upstream svn repository (also through the partial
> revert) presented some challenges in patch handling. Because of
> this, the patch is also not for forwarding (it wouldn't apply there).
Well, in cases like this I usually try to make it apply to the upstream
SVN tree and forward it.
It's a job that one day or another I'd need to do anyway (consider what
would happen if I applied it to the debian package, then an upstream
release happened without it, I'd need to rebase it at that point). :)
> I'm not changing the fixed-upstream tag as the partial revert is
> already mentioned in the security-tracker notes and would've been
> reflected in the (removal of the) tag if it was necessary, right?
I actually just forgot to do it, while updating the sec tracker I didn't
check this bug status.
Thank you again for your patches!
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Removed tag(s) fixed-upstream. Request was from Mattia Rizzolo <mattia@debian.org> to 860995-submit@bugs.debian.org. (Tue, 06 Feb 2018 01:03:03 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#860995. (Sat, 24 Feb 2018 10:45:05 GMT)
Message #42 received at 860995-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #860995 in libpodofo reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/debian/libpodofo/commit/59101d899b7f920b86514b38de45ad9f92e37341
------------------------------------------------------------------------
Add upstream patch for CVE-2017-8054
Closes: #860995
Signed-off-by: Mattia Rizzolo <mattia@debian.org>
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
Added tag(s) pending. Request was from mattia@debian.org to 860995-submitter@bugs.debian.org. (Sat, 24 Feb 2018 10:45:05 GMT)
Reply sent to Mattia Rizzolo <mattia@debian.org>: You have taken responsibility. (Sat, 24 Feb 2018 11:27:12 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 24 Feb 2018 11:27:12 GMT)
Message #49 received at 860995-close@bugs.debian.org:
Source: libpodofo
Source-Version: 0.9.5-9
We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 860995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 24 Feb 2018 11:38:43 +0100
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.5
Architecture: source
Version: 0.9.5-9
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
libpodofo-dev - PoDoFo development files
libpodofo-utils - PoDoFo utilities
libpodofo0.9.5 - PoDoFo - library to work with the PDF file format
Closes: 860995 861562 861597 889511
Changes:
libpodofo (0.9.5-9) unstable; urgency=medium
.
* Add upstream patches for security issues:
+ CVE-2017-6845 Closes: #861562
+ CVE-2017-8054 Closes: #860995
+ CVE-2017-8378 Closes: #861597
+ CVE-2018-5295 Closes: #889511
+ CVE-2018-5308
* d/control:
+ Move the packaging to salsa.debian.org.
+ Bump Standards-Version to 4.1.3, no changes needed.
+ Move libpodofo-utils to section utils.
* d/rules: Move from the deprecated dh_install --fail-missing to dh_missing.
* d/copyright: Bump copyright year for debian/*.
* Bump debhelper compat level to 11.
Checksums-Sha1:
22265a95e4d0632000785feba79a12ba39026a91 2126 libpodofo_0.9.5-9.dsc
f56846ede8d87fceb1d0384fcb2a98b0b9f54057 19888 libpodofo_0.9.5-9.debian.tar.xz
bb9b6965c6a64da60a9fef215b7adde0c551adea 8544 libpodofo_0.9.5-9_amd64.buildinfo
Checksums-Sha256:
09f495d02231c98b2d95dcd6fe0f4d3aadc280fde10cb97e75efc8ca75fb6012 2126 libpodofo_0.9.5-9.dsc
31536fd0e81bc910ce3378840646f54c69463e230161c575bb1eeb38175fafd6 19888 libpodofo_0.9.5-9.debian.tar.xz
84be9aa7806fe40e11b5fa7457300ced1421eea668f227d2c22bab4c5ab184ce 8544 libpodofo_0.9.5-9_amd64.buildinfo
Files:
eb706e4b75cf4c71e9164347ceab5329 2126 libdevel optional libpodofo_0.9.5-9.dsc
1acf189b272bde337c5e53a8a1f098b6 19888 libdevel optional libpodofo_0.9.5-9.debian.tar.xz
746639378cf7664488a6d1fad869a854 8544 libdevel optional libpodofo_0.9.5-9_amd64.buildinfo
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Mar 2018 07:29:46 GMT)
Last modified: Wed Jun 19 16:45:07 2019; Machine Name: beach