Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 906105 (CVE-2023-31566, CVE-2023-31567) - app-text/podofo: multiple vulnerabilities
Summary: app-text/podofo: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2023-31566, CVE-2023-31567
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-11 04:15 UTC by John Helmert III
Modified: 2023-06-29 03:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:15:14 UTC
CVE-2023-31567 (https://github.com/podofo/podofo/issues/71):

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3.

CVE-2023-31566 (https://github.com/podofo/podofo/issues/70):

Podofo v0.10.0 was discovered to contain a heap-use-after-free via the component PoDoFo::PdfEncrypt::IsMetadataEncrypted().

No patches upstream.
Comment 1 Andreas Sturmlechner gentoo-dev 2023-05-27 09:34:10 UTC
app-text/podofo-0.10 is a "complete rewrite" so it is possible <0.10 is unaffected.

https://github.com/podofo/podofo/releases/tag/0.10.0