717792 – (CVE-2019-9199, CVE-2019-9687) <app-text/podofo-0.9.6_p20190928: Multiple vulnerabilities (CVE-2019-{9199,9687})

Bug 717792 (CVE-2019-9199, CVE-2019-9687) - <app-text/podofo-0.9.6_p20190928: Multiple vulnerabilities (CVE-2019-{9199,9687})

Summary: <app-text/podofo-0.9.6_p20190928: Multiple vulnerabilities (CVE-2019-{9199,96...

Status:	RESOLVED FIXED

Alias:	CVE-2019-9199, CVE-2019-9687

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	728090
Blocks:
	Show dependency tree

Reported:	2020-04-17 04:29 UTC by GLSAMaker/CVETool Bot
Modified:	2020-07-28 22:07 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2017-5852, CVE-2017-5853, CVE-2017-5854, CVE-2017-5855, CVE-2017-5886, CVE-2017-6840, CVE-2017-6841, CVE-2017-6842, CVE-2017-6843, CVE-2017-6844, CVE-2017-6845, CVE-2017-6846, CVE-2017-6847, CVE-2017-6848, CVE-2017-6849
Package list:	=app-text/podofo-0.9.6_p20190928
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2020-04-17 04:29:38 UTC

CVE-2019-9199 (https://nvd.nist.gov/vuln/detail/CVE-2019-9199):
  PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo
  0.9.6 has a NULL pointer dereference that can (for example) be triggered by
  sending a crafted PDF file to the podofoimpose binary. It allows an attacker
  to cause Denial of Service (Segmentation fault) or possibly have unspecified
  other impact.

Comment 1 John Helmert III archtester

2020-06-09 02:38:47 UTC

Both of these issues appear to have been fixed upstream:

CVE-2019-9199: https://sourceforge.net/p/podofo/code/1971/
CVE-2019-9687: https://sourceforge.net/p/podofo/code/1969/

Maintainer, please bump to a version with these commits (the latest of which published on 2019-03-09).

Comment 2 Larry the Git Cow gentoo-dev

2020-06-10 06:31:43 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c44915514fc5b80618b0b048979d230a4668e7d

commit 1c44915514fc5b80618b0b048979d230a4668e7d
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-10 06:11:38 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-10 06:31:35 +0000

    app-text/podofo: Bump to version 0.9.6_p20200526 (bug 717792)
    
    Bug: https://bugs.gentoo.org/717792
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                      |   1 +
 app-text/podofo/podofo-0.9.6_p20200526.ebuild | 141 ++++++++++++++++++++++++++
 2 files changed, 142 insertions(+)

Comment 3 John Helmert III archtester

2020-06-10 15:34:20 UTC

Maintainer, let us know when ready for stabilization.

Comment 4 Andreas Sturmlechner gentoo-dev

2020-06-17 11:58:41 UTC

(In reply to Larry the Git Cow from comment #2)
>     app-text/podofo: Bump to version 0.9.6_p20200526 (bug 717792)

Zac, please consider packaging a version before r2000 which I suspect is the one breaking scribus in bug 728090. Unless the latter can be easily solved of course.

Comment 5 Sam James archtester

2020-06-29 00:20:08 UTC

(In reply to Andreas Sturmlechner from comment #4)
> (In reply to Larry the Git Cow from comment #2)
> >     app-text/podofo: Bump to version 0.9.6_p20200526 (bug 717792)
> 
> Zac, please consider packaging a version before r2000 which I suspect is the
> one breaking scribus in bug 728090. Unless the latter can be easily solved
> of course.

ping

Comment 6 Larry the Git Cow gentoo-dev

2020-06-29 04:38:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b74b2edcf1da679d241113cebbbcb1ba6ac7c0bb

commit b74b2edcf1da679d241113cebbbcb1ba6ac7c0bb
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-29 04:20:18 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-29 04:38:11 +0000

    app-text/podofo: Bump to version 0.9.6_p20190928 (bug 717792)
    
    Bug: https://bugs.gentoo.org/717792
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                      |   1 +
 app-text/podofo/podofo-0.9.6_p20190928.ebuild | 146 ++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)

Comment 7 Larry the Git Cow gentoo-dev

2020-06-29 04:41:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb5d2536ee9fe7736ec040306021ff09a347cc4f

commit bb5d2536ee9fe7736ec040306021ff09a347cc4f
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-29 04:39:20 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-29 04:39:46 +0000

    app-text/podofo: Remove 0.9.6_p20200526
    
    This version broke scribus builds as reported in bug 728090.
    
    Bug: https://bugs.gentoo.org/717792
    Bug: https://bugs.gentoo.org/728090
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                      |   1 -
 app-text/podofo/podofo-0.9.6_p20200526.ebuild | 141 --------------------------
 2 files changed, 142 deletions(-)

Comment 8 NATTkA bot gentoo-dev

2020-06-29 04:45:15 UTC

Unable to check for sanity:

> no match for package: =app-text/podofo-0.9.6_p20200526

Comment 9 NATTkA bot gentoo-dev

2020-06-29 04:48:58 UTC

Unable to check for sanity:

> disallowed package spec (only = allowed): =app-text/podofo-0.9.6_p20190928*

Comment 10 Sam James archtester

2020-07-14 17:09:50 UTC

Let's stabilise it if no objections.

Comment 11 Sam James archtester

2020-07-17 10:27:53 UTC

ppc stable

Comment 12 Sam James archtester

2020-07-17 12:10:00 UTC

ppc64 stable

Comment 13 Sam James archtester

2020-07-17 23:31:30 UTC

x86 stable

Comment 14 Sam James archtester

2020-07-18 00:30:06 UTC

amd64 stable

Comment 15 Sam James archtester

2020-07-27 18:45:52 UTC

hppa: ping

Comment 16 Sam James archtester

2020-07-27 22:57:51 UTC

GLSA vote: no

Comment 17 Rolf Eike Beer archtester

2020-07-28 21:54:38 UTC

dropped to ~hppa

Comment 18 Sam James archtester

2020-07-28 21:55:32 UTC

Please cleanup.

Comment 19 Larry the Git Cow gentoo-dev

2020-07-28 22:05:03 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2e032b980c8875c8956bd2223eeeba7d4fb190c

commit c2e032b980c8875c8956bd2223eeeba7d4fb190c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-07-28 22:02:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-07-28 22:04:57 +0000

    app-text/podofo: Remove vulnerable <0.9.6_p20190928
    
    Bug: https://bugs.gentoo.org/717792
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                      |   1 -
 app-text/podofo/podofo-0.9.6_p20180715.ebuild | 146 --------------------------
 2 files changed, 147 deletions(-)

Comment 20 Sam James archtester

2020-07-28 22:07:04 UTC

Thanks! All done, closing.