libpodofo: CVE-2017-6847

Debian Bug report logs - #861564


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 2 Mar 2017 18:33:01 UTC

Severity: grave

Tags: help, security

Fixed in version libpodofo/0.9.4-6

Done: Mattia Rizzolo <mattia@debian.org>

Bug is archived. No further changes may be made.

Forwarded to: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h/



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#856592; Package src:libpodofo. (Thu, 02 Mar 2017 18:33:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>. (Thu, 02 Mar 2017 18:33:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Thu, 02 Mar 2017 19:28:23 +0100
Source: libpodofo
Severity: grave
Tags: security

New podofo issues (no CVEs yet):

http://www.openwall.com/lists/oss-security/2017/03/02/10
http://www.openwall.com/lists/oss-security/2017/03/02/9
http://www.openwall.com/lists/oss-security/2017/03/02/8
http://www.openwall.com/lists/oss-security/2017/03/02/7
http://www.openwall.com/lists/oss-security/2017/03/02/6
http://www.openwall.com/lists/oss-security/2017/03/02/5
http://www.openwall.com/lists/oss-security/2017/03/02/4
http://www.openwall.com/lists/oss-security/2017/03/02/3
http://www.openwall.com/lists/oss-security/2017/03/02/2

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#856592; Package src:libpodofo. (Fri, 03 Mar 2017 05:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Fri, 03 Mar 2017 05:45:03 GMT)


Message #10 received at 856592@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 856592@bugs.debian.org
Subject: Re: Bug#856592: Multiple security issues
Date: Fri, 3 Mar 2017 06:43:03 +0100
Hello,

On Thu, Mar 02, 2017 at 07:28:23PM +0100, Moritz Muehlenhoff wrote:
> Source: libpodofo
> Severity: grave
> Tags: security
> 
> New podofo issues (no CVEs yet):
> 
> http://www.openwall.com/lists/oss-security/2017/03/02/10
> http://www.openwall.com/lists/oss-security/2017/03/02/9
> http://www.openwall.com/lists/oss-security/2017/03/02/8
> http://www.openwall.com/lists/oss-security/2017/03/02/7
> http://www.openwall.com/lists/oss-security/2017/03/02/6
> http://www.openwall.com/lists/oss-security/2017/03/02/5
> http://www.openwall.com/lists/oss-security/2017/03/02/4
> http://www.openwall.com/lists/oss-security/2017/03/02/3
> http://www.openwall.com/lists/oss-security/2017/03/02/2

And http://www.openwall.com/lists/oss-security/2017/03/02/1 belongs in the
above list.

I'm not sure if Agostino Sarubbo has already requested CVEs (I hope
so). Otherwise it's not going to be easy to track those issues, apart
from opening individual bugs for each item.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#856592; Package src:libpodofo. (Fri, 03 Mar 2017 07:45:07 GMT)


Message #13 received at 856592@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 856592@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#856592: Multiple security issues
Date: Fri, 3 Mar 2017 08:40:37 +0100
On Fri, Mar 03, 2017 at 06:43:03AM +0100, Salvatore Bonaccorso wrote:
> in the above list.

aheam, what a list.
Anyway, you (Moritz) opened this bug as RC, but is it fine to downgrade
to important if I deem the issues not grave enough to be RC?
They are all crashes, with maliciously crafted PDFs…

> I'm not sure if Agostino Sarubbo has already requested CVEs (I hope
> so).

I hope so too, if he read that email about the move to that web form.

> Otherwise it's not going to be easy to track those issues, apart
> from opening individual bugs for each item.

which I would have preferred anyway :)
I think I will clone+retitle this bug appropriately (and take care of
updating CVE/list if/when I'll do so).

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

Severity set to 'important' from 'grave'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Fri, 03 Mar 2017 22:57:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#856592; Package src:libpodofo. (Sun, 12 Mar 2017 21:09:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sun, 12 Mar 2017 21:09:06 GMT)


Message #20 received at 856592@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Mattia Rizzolo <mattia@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 856592@bugs.debian.org
Subject: Re: Bug#856592: Multiple security issues
Date: Sun, 12 Mar 2017 22:07:32 +0100
On Fri, Mar 03, 2017 at 08:40:37AM +0100, Mattia Rizzolo wrote:
> On Fri, Mar 03, 2017 at 06:43:03AM +0100, Salvatore Bonaccorso wrote:
> > in the above list.
> 
> aheam, what a list.
> Anyway, you (Moritz) opened this bug as RC, but is it fine to downgrade
> to important if I deem the issues not grave enough to be RC?
> They are all crashes, with maliciously crafted PDFs…

Which is the most common attack vector on desktop systems...

If there's no upstream (or failing that, maintainer) activity in
fixing these security issues in the forthcoming months towards the
stretch release, stretch is better off without it.

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#856592; Package src:libpodofo. (Mon, 13 Mar 2017 11:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Mon, 13 Mar 2017 11:24:04 GMT)


Message #25 received at 856592@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 856592@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#856592: Multiple security issues
Date: Mon, 13 Mar 2017 12:21:24 +0100
Hi,

On Fri, Mar 03, 2017 at 06:43:03AM +0100, Salvatore Bonaccorso wrote:
> Hello,
> 
> On Thu, Mar 02, 2017 at 07:28:23PM +0100, Moritz Muehlenhoff wrote:
> > Source: libpodofo
> > Severity: grave
> > Tags: security
> > 
> > New podofo issues (no CVEs yet):
> > 
> > http://www.openwall.com/lists/oss-security/2017/03/02/10
> > http://www.openwall.com/lists/oss-security/2017/03/02/9
> > http://www.openwall.com/lists/oss-security/2017/03/02/8
> > http://www.openwall.com/lists/oss-security/2017/03/02/7
> > http://www.openwall.com/lists/oss-security/2017/03/02/6
> > http://www.openwall.com/lists/oss-security/2017/03/02/5
> > http://www.openwall.com/lists/oss-security/2017/03/02/4
> > http://www.openwall.com/lists/oss-security/2017/03/02/3
> > http://www.openwall.com/lists/oss-security/2017/03/02/2
> 
> And http://www.openwall.com/lists/oss-security/2017/03/02/1 in the
> above list.

FTR, CVEs have been assigned for all of those.

Regards,
Salvatore



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Sun, 19 Mar 2017 18:18:08 GMT)


Added tag(s) help. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 26 Mar 2017 20:21:07 GMT)


Bug 856592 cloned as bugs 861557, 861558, 861559, 861560, 861561, 861562, 861563, 861564, 861565, 861566. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 18:57:14 GMT)


Changed Bug title to 'libpodofo: CVE-2017-6847' from 'Multiple security issues'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 18:57:17 GMT)


Forwarded-to address set (recorded from the message in bug 861564). Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 30 Apr 2017 18:57:18 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#861564. (Wed, 17 May 2017 13:03:21 GMT)


Message #38 received at 861564-submitter@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 861564-submitter@bugs.debian.org
Subject: Bug#861564 in libpodofo marked as pending
Date: Wed, 17 May 2017 13:01:35 +0000
Control: tag 861564 pending

Hello,

Bug #861564 in libpodofo reported by you has been fixed in the Git repository. You can
see the commit message below, and you can check the diff of the fix at:

    https://anonscm.debian.org/git/collab-maint/libpodofo.git/commit/?id=8c2a55f

(this message was generated automatically based on the git commit message)
---
commit 8c2a55fba83169795faa0c6cc7c033055d3d5af3
Author: Mattia Rizzolo <mattia@debian.org>
Date:   Wed May 17 14:36:55 2017 +0200

    Add upstream patch for CVE-2017-6847 and CVE-2017-6848
    
    Closes: #861564
    Closes: #861565
    Signed-off-by: Mattia Rizzolo <mattia@debian.org>



Added tag(s) pending. Request was from Mattia Rizzolo <mattia@debian.org> to 861564-submitter@bugs.debian.org. (Wed, 17 May 2017 13:03:21 GMT)


Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Wed, 17 May 2017 15:09:16 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 17 May 2017 15:09:16 GMT)


Message #45 received at 861564-close@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 861564-close@bugs.debian.org
Subject: Bug#861564: fixed in libpodofo 0.9.4-6
Date: Wed, 17 May 2017 15:05:38 +0000
Source: libpodofo
Source-Version: 0.9.4-6

We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861564@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 17 May 2017 14:54:40 +0200
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.4
Architecture: source
Version: 0.9.4-6
Distribution: unstable
Urgency: high
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 libpodofo-dev - PoDoFo development files
 libpodofo-utils - PoDoFo utilities
 libpodofo0.9.4 - PoDoFo - library to work with the PDF file format
Closes: 854603 859329 859330 861557 861559 861560 861564 861565
Changes:
 libpodofo (0.9.4-6) unstable; urgency=high
 .
   * Add upstream patches for security issues:
     + CVE-2017-5855 Closes: #854603
     + CVE-2017-6840 Closes: #861557
     + CVE-2017-6842 Closes: #861559
     + CVE-2017-6843 Closes: #861560
     + CVE-2017-6847 Closes: #861564
     + CVE-2017-6848 Closes: #861565
     + CVE-2017-7378 Closes: #859330
     + CVE-2017-7380 CVE-2017-7381 CVE-2017-7382 CVE-2017-7383 Closes: #859329





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Jun 2017 07:28:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:43:48 2019; Machine Name: beach
