Bug 904939 (CVE-2023-2241, CVE-2023-31555, CVE-2023-31556, CVE-2023-31568) - app-text/podofo: heap buffer overread
Summary: app-text/podofo: heap buffer overread
Status: CONFIRMED
Alias: CVE-2023-2241, CVE-2023-31555, CVE-2023-31556, CVE-2023-31568
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/podofo/podofo/issu...
Whiteboard: B4 [upstream/ebuild]
Reported: 2023-04-24 00:41 UTC by John Helmert III
Modified: 2023-05-11 04:13 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-24 00:41:50 UTC
CVE-2023-2241:

A vulnerability, which was classified as critical, was found in PoDoFo 0.10.0. Affected is the function readXRefStreamEntry of the file PdfXRefStreamParserObject.cpp. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 535a786f124b739e3c857529cecc29e4eeb79778. It is recommended to apply a patch to fix this issue. VDB-227226 is the identifier assigned to this vulnerability.

Unreleased patch: https://github.com/podofo/podofo/commit/535a786f124b739e3c857529cecc29e4eeb79778
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:12:00 UTC
CVE-2023-31555 (https://github.com/podofo/podofo/issues/67):

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfObject::DelayedLoad.

Patch: https://github.com/podofo/podofo/commit/3759eb6aae7c01f2d8670f16ac46f5e116c7f468

CVE-2023-31556 (https://github.com/podofo/podofo/issues/66):

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfDictionary::findKeyParent.

Patch: https://github.com/podofo/podofo/commit/8d3e9104ea10f8b53a0b5a2a806e6388acd41a40
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:13:59 UTC
CVE-2023-31568 (https://github.com/podofo/podofo/issues/72):

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptRC4::PdfEncryptRC4.