Debian Bug report logs -
#860930
libpodofo: CVE-2017-7994: denial of service (NULL pointer dereference and application crash) via a crafted PDF document (TextExtractor::ExtractText in TextExtractor.cpp:77)
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 22 Apr 2017 06:03:01 UTC
Severity: important
Tags: security, upstream
Found in version libpodofo/0.9.0-1.2
Fixed in version libpodofo/0.9.5-7
Done: Mattia Rizzolo <mattia@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>:
Bug#860930; Package src:libpodofo.
(Sat, 22 Apr 2017 06:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mattia Rizzolo <mattia@debian.org>.
(Sat, 22 Apr 2017 06:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libpodofo
Version: 0.9.0-1.2
Severity: important
Tags: upstream security
Hi,
the following vulnerability was published for libpodofo.
CVE-2017-7994[0]:
| The function TextExtractor::ExtractText in TextExtractor.cpp:77 in
| PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL
| pointer dereference and application crash) via a crafted PDF document.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7994
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7994
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Changed Bug title to 'libpodofo: CVE-2017-7994: denial of service (NULL pointer dereference and application crash) via a crafted PDF document (TextExtractor::ExtractText in TextExtractor.cpp:77)' from 'libpodofo: CVE-2017-7994: denial of service (NULL pointer dereference and application crash) via a crafted PDF document(TextExtractor::ExtractText in TextExtractor.cpp:77)'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 22 Apr 2017 06:15:03 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#860930.
(Sun, 12 Nov 2017 15:03:11 GMT) (full text, mbox, link).
Message #10 received at 860930-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag 860930 pending
Hello,
Bug #860930 in libpodofo reported by you has been fixed in the Git repository. You can
see the commit message below, and you can check the diff of the fix at:
https://anonscm.debian.org/git/collab-maint/libpodofo.git/commit/?id=8e87a6c
(this message was generated automatically based on the git commit message)
---
commit 8e87a6cac2dbaa355a602cc7acf04c817908c240
Author: Mattia Rizzolo <mattia@debian.org>
Date: Sun Nov 12 15:44:06 2017 +0100
Add upstream patch for CVE-2017-7994
Closes: #860930
Signed-off-by: Mattia Rizzolo <mattia@debian.org>
Added tag(s) pending.
Request was from Mattia Rizzolo <mattia@debian.org>
to 860930-submitter@bugs.debian.org.
(Sun, 12 Nov 2017 15:03:12 GMT) (full text, mbox, link).
Reply sent
to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility.
(Sun, 12 Nov 2017 15:24:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 12 Nov 2017 15:24:07 GMT) (full text, mbox, link).
Message #17 received at 860930-close@bugs.debian.org (full text, mbox, reply):
Source: libpodofo
Source-Version: 0.9.5-7
We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 860930@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated libpodofo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 12 Nov 2017 15:36:06 +0100
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.5
Architecture: source
Version: 0.9.5-7
Distribution: unstable
Urgency: medium
Maintainer: Mattia Rizzolo <mattia@debian.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Description:
libpodofo-dev - PoDoFo development files
libpodofo-utils - PoDoFo utilities
libpodofo0.9.5 - PoDoFo - library to work with the PDF file format
Closes: 854600 860930 861738
Changes:
libpodofo (0.9.5-7) unstable; urgency=medium
.
* Add upstream patches for security issues:
+ CVE-2017-5852 Closes: #854600
+ CVE-2017-7994 Closes: #860930
+ CVE-2017-8787 Closes: #861738
* debian/control:
+ Bump Standards-Version to 4.1.1:
- Move from priority extra (deprecated) to optional.
+ Declare that libpodofo can be built without root: R³:no.
Checksums-Sha1:
583cea79dc889f439569e0c5b580afef4a2a3e03 2158 libpodofo_0.9.5-7.dsc
ecfbf316c83bc70b2a6de8b5a2b9c3c0fed828a8 17076 libpodofo_0.9.5-7.debian.tar.xz
7ed86d8d0650640844bafbbe9fcb4beebd13f981 8380 libpodofo_0.9.5-7_amd64.buildinfo
Checksums-Sha256:
689ae5801f0c7b82ec21a59fdc325e8a13d940c614bd8dba54712a21887049db 2158 libpodofo_0.9.5-7.dsc
1dde26ea68feeed2e69cda73ba3800d9a40f83b49a00fcff50ffca3f773cd96c 17076 libpodofo_0.9.5-7.debian.tar.xz
68dd7097b2153a8ebd55866d2ce4fea18965e9957bd7e9fd6fdad1c6fc4f7f35 8380 libpodofo_0.9.5-7_amd64.buildinfo
Files:
f3fdfe4f86a218e800533f533def1408 2158 libdevel optional libpodofo_0.9.5-7.dsc
963699ed102d44b6d543eba193f619bf 17076 libdevel optional libpodofo_0.9.5-7.debian.tar.xz
fa884094c9a4f5614675a1e25977abc0 8380 libdevel optional libpodofo_0.9.5-7_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAloIYXoACgkQCBa54Yx2
K604Qg//c2NDfAuE+OkbipkrgWNKyodI1BPkcrrrt2JnUXGaVK4MVNWZU7xUliED
SLAxRjz15JWLL4d59ZMWWuqWygLk2dNHsBgnuNmTQSA+pUkZTKSRgieBbC/NdFzU
DgjXp1gX75za7h9JzvtvMsbpmMpnqpgrBbIIrCyKB4lM1plr/67TQ1IG2TyilnuJ
rHEcfp0ePWvY5xAgtu+c2c9Nn6WiqZsJbb2zgeD/ZvmMymLfVZelC8q2cZEWSnAi
vnkM9KrWlM8a1t4PFhQqzp86MKAebpGsrp5pqDnJ8U+7zKYP6ZqVR/Lr7f4HlqhC
P7kC7lBUiIrIOhJIVPWKWseejBNKIvV2k+y1vWR7hanZiRICsAaXgSM+TkiTa6B0
LZndIxAk1zLqytmshNt4t3djxfhX375ACUjfz5/vf3HRf0BXFNC3yhrdWoklxY+B
eRKructXQnWnFDO2xKQIUWodORnemBSZTci9eOrpoZvb8iMci+SMC2xPAKwbn/pJ
FnzgLcf0q1aBo4ZpSlBG5JZPeC1ItAFQF6Xz4nuK73WcLrLQVFnJAqBDXwksOCiZ
fGN/9UpXJkknDkNiUjppid0ARjYCwM9/q+5JIbfaJ4rvkHuA+BlYDX1Z5qS8qKvk
YD2gChCmuhwsEyZLC0A7isjt4T9orEQpeRX0X/25SnsdnJHuc3c=
=XbaS
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 16 Dec 2017 07:26:38 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:56:39 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon