libpodofo: CVE-2018-8001


Debian Bug report logs - #892556
libpodofo: CVE-2018-8001


Reported by: Luciano Bello <luciano@debian.org>

Date: Sat, 10 Mar 2018 05:33:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version libpodofo/0.9.5-1

Fixed in version libpodofo/0.9.6~rc1+dfsg-1

Done: Mattia Rizzolo <mattia@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/podofo/tickets/14



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#892520; Package libpodofo. (Sat, 10 Mar 2018 05:33:04 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Mattia Rizzolo <mattia@debian.org>. (Sat, 10 Mar 2018 05:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: libpodofo: CVE-2018-8000 CVE-2018-8001 CVE-2018-8002
Date: Sat, 10 Mar 2018 00:04:21 -0500
Package: libpodofo
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libpodofo.

CVE-2018-8000[0]:
| In PoDoFo 0.9.5, there exists a heap-based buffer overflow
| vulnerability in PoDoFo::PdfTokenizer::GetNextToken() in
| PdfTokenizer.cpp, a related issue to CVE-2017-5886. Remote attackers
| could leverage this vulnerability to cause a denial-of-service or
| potentially execute arbitrary code via a crafted pdf file.

CVE-2018-8001[1]:
| In PoDoFo 0.9.5, there exists a heap-based buffer over-read
| vulnerability in UnescapeName() in PdfName.cpp. Remote attackers could
| leverage this vulnerability to cause a denial-of-service or possibly
| unspecified other impact via a crafted pdf file.

CVE-2018-8002[2]:
| In PoDoFo 0.9.5, there exists an infinite loop vulnerability in
| PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may
| result in stack overflow. Remote attackers could leverage this
| vulnerability to cause a denial-of-service or possibly unspecified
| other impact via a crafted pdf file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8000
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8000
[1] https://security-tracker.debian.org/tracker/CVE-2018-8001
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8001
[2] https://security-tracker.debian.org/tracker/CVE-2018-8002
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8002

Please adjust the affected versions in the BTS as needed.



Severity set to 'important' from 'grave'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 16:15:03 GMT)


Bug reassigned from package 'libpodofo' to 'src:libpodofo'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 16:15:04 GMT)


Marked as found in versions libpodofo/0.9.5-1. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 16:15:05 GMT)


Bug 892520 cloned as bugs 892556, 892557. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 16:15:05 GMT)


Changed Bug title to 'libpodofo: CVE-2018-8001' from 'libpodofo: CVE-2018-8000 CVE-2018-8001 CVE-2018-8002'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 16:15:07 GMT)


Added tag(s) upstream. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 16:21:07 GMT)


Set Bug forwarded-to-address to 'https://sourceforge.net/p/podofo/tickets/14'. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sat, 10 Mar 2018 16:21:09 GMT)


Message sent on to Luciano Bello <luciano@debian.org>:
Bug#892556. (Sun, 11 Mar 2018 14:39:04 GMT)


Message #22 received at 892556-submitter@bugs.debian.org:

From: mattia@debian.org
To: 892556-submitter@bugs.debian.org
Subject: Bug #892556 in libpodofo marked as pending
Date: Sun, 11 Mar 2018 14:37:51 +0000
Control: tag -1 pending

Hello,

Bug #892556 in libpodofo reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/debian/libpodofo/commit/5268ce6fa42c97345a4f867c023f7cd55cf46425

------------------------------------------------------------------------
Add upstream for CVE-2018-8001

Closes: #892556
Signed-off-by: Mattia Rizzolo <mattia@debian.org>

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/892556



Added tag(s) pending. Request was from mattia@debian.org to 892556-submitter@bugs.debian.org. (Sun, 11 Mar 2018 14:39:04 GMT)


Added tag(s) fixed-upstream. Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Sun, 11 Mar 2018 15:39:07 GMT)


Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Thu, 10 May 2018 18:03:06 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Thu, 10 May 2018 18:03:06 GMT)


Message #31 received at 892556-close@bugs.debian.org:

From: Mattia Rizzolo <mattia@debian.org>
To: 892556-close@bugs.debian.org
Subject: Bug#892556: fixed in libpodofo 0.9.6~rc1+dfsg-1
Date: Thu, 10 May 2018 18:00:19 +0000
Source: libpodofo
Source-Version: 0.9.6~rc1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 892556@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 10 May 2018 10:49:49 +0200
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.6
Architecture: source amd64
Version: 0.9.6~rc1+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
 libpodofo-dev - PoDoFo development files
 libpodofo-utils - PoDoFo utilities
 libpodofo0.9.6 - PoDoFo - library to work with the PDF file format
Closes: 892556
Changes:
 libpodofo (0.9.6~rc1+dfsg-1) experimental; urgency=medium
 .
   * New upstream version 0.9.6~rc1:
     + Repacked to remove a non-free piece of code (see README.source).
     + Fix CVE-2018-5309
     + Fix CVE-2018-8001 Closes: #892556
   * d/patches:
     + Remove all patches applied upstream.
     + Add patch to set the SOVERSION to 0.9.6 instead of 0.9.6-rc1.
     + Add a patch fixing a bunch of spelling errors.
     + Add patch from upstream to fix build on 32 bit archs.
   * Drop our manpages, now that upstream have moved all (but one) of them out
     of debian/, so we can install their copies.
   * Rename the binaries after SONAME bump: libpodofo0.9.5 → libpodofo0.9.6.
   * d/control:
     + Bump Standards-Version to 4.1.4, no changes needed.
     + Add new Build-Dependency on libunistring-dev.
   * d/rules: explicitly enable symbols visibility.
Checksums-Sha1:
 653946678882e8124276fff90731ce4117d4dd4c 2201 libpodofo_0.9.6~rc1+dfsg-1.dsc
 3bacf3262d6b88af5840b99fc3fc4731ff09a92f 738956 libpodofo_0.9.6~rc1+dfsg.orig.tar.xz
 120505732fd6237a844acc1cd4a394ec5bcab681 9604 libpodofo_0.9.6~rc1+dfsg-1.debian.tar.xz
 5f151ecc37749ceac825f78079843307088df2b1 161332 libpodofo-dev_0.9.6~rc1+dfsg-1_amd64.deb
 dc1b97e0ec4dbde9274f9d18e560fbcf971f84ec 1648564 libpodofo-utils-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 3228758b26de661e604be1332ac6f12900d7cf44 185536 libpodofo-utils_0.9.6~rc1+dfsg-1_amd64.deb
 bff52652149964a04bd781a3ae9e591db69fe50c 4274140 libpodofo0.9.6-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 655ab6c9bc1a0c577764bdd16b8b1a80976661be 503404 libpodofo0.9.6_0.9.6~rc1+dfsg-1_amd64.deb
 7c6509993f64d9b29ee6ab40140e7f793e891dcb 8877 libpodofo_0.9.6~rc1+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 0cd1accd879d29873ff220587f9e99d29d920858b8c74431dec6c95bde0f23e2 2201 libpodofo_0.9.6~rc1+dfsg-1.dsc
 10bb6ceee8fade989f794ef70adeebc7f8517f20a12b1c9ff01c0db31b14ad2a 738956 libpodofo_0.9.6~rc1+dfsg.orig.tar.xz
 58bf3e591450ad049bc95259860b4b0c0ce1465f1b65dc01ca0d52207ea14d81 9604 libpodofo_0.9.6~rc1+dfsg-1.debian.tar.xz
 906982140668cd9367a8132a5745f30cc7507fbe57c1e613f7ac66450e3ba2e0 161332 libpodofo-dev_0.9.6~rc1+dfsg-1_amd64.deb
 7c3295249b26dde00c05ed3c5af6767e204e38ded7ff808bf009e9bd1d316a74 1648564 libpodofo-utils-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 22745ca440b608dde0eef31f25f25a734b32a510b6ad093f4fcc4ebf3d502f44 185536 libpodofo-utils_0.9.6~rc1+dfsg-1_amd64.deb
 1f23699ccce5fd43b8367e6cecd8bc148f5914ffe0690cd9d821bcda4ea4b49b 4274140 libpodofo0.9.6-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 e1b22ba555af0d14215ca8d7c031d0ed54d351369388eaf102eb6ce6e011cc0d 503404 libpodofo0.9.6_0.9.6~rc1+dfsg-1_amd64.deb
 1d30a0d5bae5b6fc5405f3a734d35347e00da5d09ff7d11b56b78d567a34bf26 8877 libpodofo_0.9.6~rc1+dfsg-1_amd64.buildinfo
Files:
 8342463da9b6abb060c7ee8d50ab552a 2201 libdevel optional libpodofo_0.9.6~rc1+dfsg-1.dsc
 250c9f43cf23b995c5b06530f22c2125 738956 libdevel optional libpodofo_0.9.6~rc1+dfsg.orig.tar.xz
 2faf45f78af7b3b5a2e12fb0c39c885b 9604 libdevel optional libpodofo_0.9.6~rc1+dfsg-1.debian.tar.xz
 754acb7e51b2d2587eb5e2a17350eb3e 161332 libdevel optional libpodofo-dev_0.9.6~rc1+dfsg-1_amd64.deb
 5030d6c8c038d367e95c0ed1b1228ff3 1648564 debug optional libpodofo-utils-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 389960a946feba336343681cde39d147 185536 utils optional libpodofo-utils_0.9.6~rc1+dfsg-1_amd64.deb
 1863838533985100ff0ad885783170d6 4274140 debug optional libpodofo0.9.6-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 0ad311c3512799a6f7bf36fc0118b202 503404 libs optional libpodofo0.9.6_0.9.6~rc1+dfsg-1_amd64.deb
 aac351999ad538ce5c4ee56c31dbc94a 8877 libdevel optional libpodofo_0.9.6~rc1+dfsg-1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Oct 2018 07:27:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:23:54 2019; Machine Name: beach
