https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp
https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp
https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp
https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h
https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp
It looks like there might be some fixes in svn, but no release yet: https://sourceforge.net/p/podofo/code/commit_browser
CVE ID: CVE-2017-5852
Summary: The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file.
Published: 2017-03-01T15:59:00.000Z
______________________________

CVE ID: CVE-2017-5853
Summary: Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
Published: 2017-03-01T15:59:00.000Z
______________________________

CVE ID: CVE-2017-5854
Summary: base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-5855
Summary: The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-5886
Summary: Heap-based buffer overflow in the PoDoFo::PdfTokenizer::GetNextToken function in PdfTokenizer.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-6840
Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (invalid read) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6841
Summary: The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement function in graphicsstack.h in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6842
Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6843
Summary: Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6844
Summary: Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6845
Summary: The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6846
Summary: The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6847
Summary: The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6848
Summary: The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6849
Summary: The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________
I'll have to go through this list of vulnerabilities to see if they are all fixed in or before r1842, which corresponds to the podofo-0.9.6_pre20170428 snapshot that I have added to gentoo for bug 617204.
Ping. I see that we are already in 20170508-r1 in tree. Can we close this report? Thank you, Gentoo Security Padawan ChrisADR
These are explicitly referenced in the commit log for 20170508-r1:

> CVE ID: CVE-2017-5852
> Summary: The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file.
> Published: 2017-03-01T15:59:00.000Z
> ______________________________

------------------------------------------------------------------------
r1835 | aja_ | 2017-04-07 10:22:53 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5852 with added error code

> CVE ID: CVE-2017-5853
> Summary: Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
> Published: 2017-03-01T15:59:00.000Z
> ______________________________

------------------------------------------------------------------------
r1840 | aja_ | 2017-04-28 08:19:14 -0700 (Fri, 28 Apr 2017) | 2 lines

Patch by Matthias Brinke: Fix CVE-2017-5853 (signed integer overflow) and CVE-2017-6844 (buffer overflow)

> CVE ID: CVE-2017-5854
> Summary: base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
> Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1836 | aja_ | 2017-04-07 10:36:12 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5854

> CVE ID: CVE-2017-5855
> Summary: The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1843 | aja_ | 2017-05-08 06:05:38 -0700 (Mon, 08 May 2017) | 5 lines

Fix CVE-2017-5855: NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection

Throw PoDoFo's Out of memory exception when resize of std::vector fails when reading XRef content.

> CVE ID: CVE-2017-5886
> Summary: Heap-based buffer overflow in the PoDoFo::PdfTokenizer::GetNextToken function in PdfTokenizer.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
> Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1837 | aja_ | 2017-04-07 11:01:44 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5886

> CVE ID: CVE-2017-6840
> Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (invalid read) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1844 | aja_ | 2017-05-08 06:23:49 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-6840: Out of bounds read in ColorChanger::GetColorFromStack()

------------------------------------------------------------------------
r1845 | aja_ | 2017-05-08 06:33:17 -0700 (Mon, 08 May 2017) | 2 lines

Correct fix for CVE-2017-6840: Too strict check for given arguments.

> CVE ID: CVE-2017-6844
> Summary: Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1840 | aja_ | 2017-04-28 08:19:14 -0700 (Fri, 28 Apr 2017) | 2 lines

Patch by Matthias Brinke: Fix CVE-2017-5853 (signed integer overflow) and CVE-2017-6844 (buffer overflow)

> CVE ID: CVE-2017-6847
> Summary: The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1846 | aja_ | 2017-05-08 06:54:34 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-6847: NULL pointer dereference when reading XObject without BBox

These are *not* referenced in the commit log:

> CVE ID: CVE-2017-6848
> Summary: The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6849
> Summary: The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6841
> Summary: The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement function in graphicsstack.h in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6842
> Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6843
> Summary: Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6845
> Summary: The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6846
> Summary: The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
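The r1843 commit message quoted above describes the shape of the fix for the ReadXRefSubsection crash: check the size a crafted xref subsection asks for before resizing the std::vector, and turn an allocation failure into a library error instead of a crash. The following is an added, self-contained illustration of that defensive pattern; it is constructed example code, not PoDoFo's parser. XRefEntry, XRefStatus, ReadXRefSubsection, CheckSubsection, kMaxObjects and the sample xref body are hypothetical names and data made up for this example.

```cpp
// Added example (not PoDoFo code): defensive reading of a classic PDF xref
// subsection. All names below are hypothetical.
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

// One cross-reference row (constructed stand-in; PoDoFo's own type differs).
struct XRefEntry {
    std::uint64_t offset = 0;   // byte offset ('n') or next free object number ('f')
    std::uint16_t generation = 0;
    char type = 'f';            // 'n' = in use, 'f' = free
};

enum class XRefStatus { Ok, BadHeader, TooManyEntries, Truncated, OutOfMemory, BadEntry };

// A classic xref entry is exactly 20 bytes: "nnnnnnnnnn ggggg t\r\n".
constexpr std::size_t kEntrySize = 20;
// Implementation limit on indirect objects per file from PDF 32000-1 Annex C;
// used here to bound the requested table size.
constexpr unsigned long long kMaxObjects = 8388607ULL;

// Parse the "first count" subsection header; reject negatives and overflow.
static bool ParseSubsectionHeader(const std::string& header,
                                  unsigned long long& first,
                                  unsigned long long& count)
{
    const char* s = header.c_str();
    char* end = nullptr;
    errno = 0;
    long long a = std::strtoll(s, &end, 10);
    if (end == s || a < 0 || errno == ERANGE) return false;
    const char* s2 = end;
    long long b = std::strtoll(s2, &end, 10);
    if (end == s2 || b < 0 || errno == ERANGE) return false;
    first = static_cast<unsigned long long>(a);
    count = static_cast<unsigned long long>(b);
    return true;
}

// Read `count` entries starting at object `first` from `body` into `table`.
// Every size check happens before the std::vector is resized, and an
// allocation failure becomes a status code rather than an unhandled exception.
XRefStatus ReadXRefSubsection(const std::string& header,
                              const std::string& body,
                              std::vector<XRefEntry>& table)
{
    unsigned long long first = 0, count = 0;
    if (!ParseSubsectionHeader(header, first, count)) return XRefStatus::BadHeader;
    // first + count must stay within the spec limit (checked without overflow).
    if (first > kMaxObjects || count > kMaxObjects - first) return XRefStatus::TooManyEntries;
    // The data must actually contain `count` entries; a large count with a
    // short body is what would otherwise drive an oversized allocation.
    if (count > body.size() / kEntrySize) return XRefStatus::Truncated;
    try {
        const std::size_t needed = static_cast<std::size_t>(first + count);
        if (table.size() < needed) table.resize(needed);
    } catch (const std::bad_alloc&) {
        return XRefStatus::OutOfMemory;
    } catch (const std::length_error&) {
        return XRefStatus::OutOfMemory;
    }
    for (unsigned long long i = 0; i < count; ++i) {
        const char* e = body.data() + static_cast<std::size_t>(i) * kEntrySize;
        const char type = e[17];
        if (type != 'n' && type != 'f') return XRefStatus::BadEntry;
        XRefEntry& dst = table[static_cast<std::size_t>(first + i)];
        dst.offset = std::strtoull(std::string(e, 10).c_str(), nullptr, 10);
        dst.generation = static_cast<std::uint16_t>(
            std::strtoul(std::string(e + 11, 5).c_str(), nullptr, 10));
        dst.type = type;
    }
    return XRefStatus::Ok;
}

// One-shot check into a fresh table, for callers that only need the status.
XRefStatus CheckSubsection(const std::string& header, const std::string& body) {
    std::vector<XRefEntry> table;
    return ReadXRefSubsection(header, body, table);
}

// Constructed sample: the two entries of a minimal xref table.
const std::string kSampleBody =
    "0000000000 65535 f\r\n"
    "0000000017 00000 n\r\n";

int main() {
    std::vector<XRefEntry> table;
    XRefStatus st = ReadXRefSubsection("0 2", kSampleBody, table);
    std::printf("status=%d entries=%zu\n", static_cast<int>(st), table.size());
    // A header claiming far more entries than the body holds is rejected
    // before any allocation happens.
    st = CheckSubsection("0 4294967295", kSampleBody);
    std::printf("oversized header status=%d\n", static_cast<int>(st));
    return 0;
}
```

The order of the checks is the point: the header's count is compared against the spec limit and against the bytes actually present before `resize` is called, so a hostile header never reaches the allocator with an absurd size, and the `bad_alloc`/`length_error` handlers cover the remaining case where a legitimate-looking size still cannot be satisfied on a constrained host.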
I wasn't able to produce a crash with ago's PoCs on any of the CVEs Zac listed as not being mentioned in the commit log with the latest in-tree version, podofo-0.9.6.
Ok, for more detail (and as long as I didn't screw up anywhere): CVE-2017-{6842,6843,6848} are fixed in 0.9.6_pre20170508-r1, and CVE-2017-{6841,6845,6846,6849} are fixed in 0.9.6_p20180715.
(In reply to John Helmert III from comment #8)
> Ok, for more detail (and as long as I didn't screw up anywhere):
> CVE-2017-{6842,6843,6848} are fixed in 0.9.6_pre20170508-r1, and
> CVE-2017-{6841,6845,6846,6849} are fixed in 0.9.6_p20180715.

I'm quite happy to take your word for this. I checked the changelogs before and it seems very likely they just forgot to mention the rest, especially given the actual PoCs don't work in later versions. Thank you!
@maintainer(s), please clean up (we got there finally!)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ab82aac91a81f0c8a4798f0554f96473d83d62a

commit 8ab82aac91a81f0c8a4798f0554f96473d83d62a
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-06 00:23:40 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-06 00:27:13 +0000

    app-text/podofo: Remove vulnerable versions (bug 614038)

    Bug: https://bugs.gentoo.org/614038
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                           |   2 -
 app-text/podofo/podofo-0.9.6_pre20170508-r1.ebuild | 145 --------------------
 app-text/podofo/podofo-0.9.6_pre20171027.ebuild    | 148 ---------------------
 3 files changed, 295 deletions(-)
Thanks Zac.
tree is clean