Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

libpodofo: CVE-2019-9687

Related Vulnerabilities: CVE-2019-9687   CVE-2019-9199  

Source

Debian Bug report logs - #924430
libpodofo: CVE-2019-9687

version graph

Package: src:libpodofo; Maintainer for src:libpodofo is Mattia Rizzolo <mattia@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 12 Mar 2019 21:39:04 UTC

Severity: important

Tags: security, upstream

Found in version libpodofo/0.9.6+dfsg-4

Fixed in version libpodofo/0.9.6+dfsg-5

Done: Mattia Rizzolo <mattia@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#924430; Package src:libpodofo. (Tue, 12 Mar 2019 21:39:06 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>. (Tue, 12 Mar 2019 21:39:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpodofo: CVE-2019-9687
Date: Tue, 12 Mar 2019 22:38:20 +0100
Source: libpodofo
Version: 0.9.6+dfsg-4
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libpodofo.

CVE-2019-9687[0]:
| PoDoFo 0.9.6 has a heap-based buffer overflow in
| PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9687
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9687
[1] https://sourceforge.net/p/podofo/code/1969

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#924430; Package src:libpodofo. (Sun, 17 Mar 2019 19:33:10 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Mattia Rizzolo <mattia@debian.org>. (Sun, 17 Mar 2019 19:33:10 GMT) (full text, mbox, link).

Message #10 received at 924430@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 924430@bugs.debian.org
Subject: Re: libpodofo: CVE-2019-9687
Date: Sun, 17 Mar 2019 20:29:42 +0100
On Tue, Mar 12, 2019 at 10:38:20PM +0100, Salvatore Bonaccorso wrote:
> Source: libpodofo
> Version: 0.9.6+dfsg-4
> Severity: important
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerability was published for libpodofo.
> 
> CVE-2019-9687[0]:
> | PoDoFo 0.9.6 has a heap-based buffer overflow in
> | PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp.

This is now fixed upstream, see https://sourceforge.net/p/podofo/code/1969

Cheers,
        Moritz

Added tag(s) pending. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 27 Mar 2019 15:06:02 GMT) (full text, mbox, link).

Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Sun, 21 Apr 2019 15:51:05 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 21 Apr 2019 15:51:05 GMT) (full text, mbox, link).

Message #17 received at 924430-close@bugs.debian.org (full text, mbox, reply):

From: Mattia Rizzolo <mattia@debian.org>
To: 924430-close@bugs.debian.org
Subject: Bug#924430: fixed in libpodofo 0.9.6+dfsg-5
Date: Sun, 21 Apr 2019 15:49:06 +0000
Source: libpodofo
Source-Version: 0.9.6+dfsg-5

We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Apr 2019 17:13:10 +0200
Source: libpodofo
Architecture: source
Version: 0.9.6+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Closes: 923469 924430
Changes:
 libpodofo (0.9.6+dfsg-5) unstable; urgency=medium
 .
   * Add upstream patches for security issues:
     CVE-2019-9199 Closes: #923469
     CVE-2019-9687 Closes: #924430
Checksums-Sha1:
 02638012f6eb39089205c5ff13cccbb8b8be3670 2182 libpodofo_0.9.6+dfsg-5.dsc
 54f683b8bb848bedae913a84a1028dacf33164cc 19692 libpodofo_0.9.6+dfsg-5.debian.tar.xz
 1f003342456fef36ec47afd6162f96522dc6beea 8520 libpodofo_0.9.6+dfsg-5_amd64.buildinfo
Checksums-Sha256:
 1cb85ff0a5190820ff46e9035f68110a8249c3f8b6b08ac0c3a39b3114f3a029 2182 libpodofo_0.9.6+dfsg-5.dsc
 d593b2873535768ffbf75fa8003517e7397581264c560fec6359f3106d93daca 19692 libpodofo_0.9.6+dfsg-5.debian.tar.xz
 233718fe7d5755293db4b21fc41db28f48c94e3ee603d08fd9490cf7512f9186 8520 libpodofo_0.9.6+dfsg-5_amd64.buildinfo
Files:
 105d1f5ba636e0c71f2752c852d9145d 2182 libdevel optional libpodofo_0.9.6+dfsg-5.dsc
 23a356f738d0f14dd46bd9596fde8c23 19692 libdevel optional libpodofo_0.9.6+dfsg-5.debian.tar.xz
 a70acdb95e1d021015c4f0d5b91b0a00 8520 libdevel optional libpodofo_0.9.6+dfsg-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAly8iiAACgkQCBa54Yx2
K604lxAAsXEshnPZwWDlvxiMcQ1hapZMVjSfqkfCdDShO79l6NOhvh4fneoOyntN
Ty8EwY8XolcILZpx3QNmXMftPR0PoFdmmj/oqIZm4+QEC/+rkH/+3ja0SgseEICG
pOdkJdudNCA+yiRg5Ga5wvKmRWCf5Hg/2kasNjAod21pfuMVNv2QhOT8ySC9kowS
xiF+4HDoB4ivcH9qkS6Blwo/fPRGS3/hrGbSLt8QkmFdP7vkddHahxoPeTHMVChr
kSXLmPXus4Zf6pzgh9o5I8HDowYjottPI2Gjw+iobEsq/qej1ut2m0zwUpVLekdp
CWW/NtBMSpjHcrQudFh7x4v6a6Q6WXjpBFvq3Z9yq8v2mSgLGNYx2xYbvdrUl5z+
I0rKC4a5orA3TT4mJTIodjBsZsTsSxhzWHsQfKdktsN+51dlsvZlB9qw0pzcvmF2
IX0/j2uHAKqwqflo94ysGGDdvbKvBpADQSr6rqPL0+YYgbYTm+4T3TWBivH464Ak
xbDDi0ZQhYWKbck4mtsOUs5zFEnmDyVfpVtdFbDHFFvznSBBV7NLB2nHlP/NgEZR
4O3h4h5tAFCy1DEB4Qq0qpDTcskiRHlNK4gkdeqU1GvpD5dA6cYe8M3kVTW3zvbW
h0/EHV/HjNbzqtW/jDca6zBYK93cWVrJG13ZLCyZuthCtmkShZU=
=w6Lm
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 May 2019 07:25:57 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:09:12 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started