| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <app-text/podofo-0.9.6_p20180715: Multiple vulnerabilities (CVE-2017-{5852,5853,5854,5855,5886,6840,6841,6842,6843,6844,6845,6846,6847,6848,6849}) | | |
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | zmedico |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=717792 | | |
| Whiteboard: | C3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description

Agostino Sarubbo

It looks like there might be some fixes in svn, but no release yet: https://sourceforge.net/p/podofo/code/commit_browser

CVE ID: CVE-2017-5852
Summary: The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file.
Published: 2017-03-01T15:59:00.000Z
______________________________

CVE ID: CVE-2017-5853
Summary: Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
Published: 2017-03-01T15:59:00.000Z
______________________________

CVE ID: CVE-2017-5854
Summary: base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-5855
Summary: The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-5886
Summary: Heap-based buffer overflow in the PoDoFo::PdfTokenizer::GetNextToken function in PdfTokenizer.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-6840
Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (invalid read) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6841
Summary: The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement function in graphicsstack.h in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6842
Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6843
Summary: Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6844
Summary: Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6845
Summary: The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6846
Summary: The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6847
Summary: The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6848
Summary: The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6849
Summary: The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
Published: 2017-03-15T14:59:01.000Z
______________________________

I'll have to go through this list of vulnerabilities to see if they are all fixed in or before r1842, which corresponds to the podofo-0.9.6_pre20170428 snapshot that I have added to gentoo for bug 617204.

Ping. I see that we are already in 20170508-r1 in tree. Can we close this report?

Thank you,
Gentoo Security Padawan
ChrisADR

These are explicitly referenced in the commit log for 20170508-r1:

> CVE ID: CVE-2017-5852
> Summary: The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file.
> Published: 2017-03-01T15:59:00.000Z
> ______________________________

------------------------------------------------------------------------
r1835 | aja_ | 2017-04-07 10:22:53 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5852 with added error code

> CVE ID: CVE-2017-5853
> Summary: Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
> Published: 2017-03-01T15:59:00.000Z
>
> ______________________________

------------------------------------------------------------------------
r1840 | aja_ | 2017-04-28 08:19:14 -0700 (Fri, 28 Apr 2017) | 2 lines

Patch by Matthias Brinke: Fix CVE-2017-5853 (signed integer overflow) and CVE-2017-6844 (buffer overflow)

> CVE ID: CVE-2017-5854
> Summary: base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
> Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1836 | aja_ | 2017-04-07 10:36:12 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5854

> CVE ID: CVE-2017-5855
> Summary: The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1843 | aja_ | 2017-05-08 06:05:38 -0700 (Mon, 08 May 2017) | 5 lines

Fix CVE-2017-5855: NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection

Throw PoDoFo's Out of memory exception when resize of std::vector fails when reading XRef content.

> CVE ID: CVE-2017-5886
> Summary: Heap-based buffer overflow in the PoDoFo::PdfTokenizer::GetNextToken function in PdfTokenizer.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
> Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1837 | aja_ | 2017-04-07 11:01:44 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5886

> CVE ID: CVE-2017-6840
> Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (invalid read) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
>
> ______________________________

------------------------------------------------------------------------
r1844 | aja_ | 2017-05-08 06:23:49 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-6840: Out of bounds read in ColorChanger::GetColorFromStack()

------------------------------------------------------------------------
r1845 | aja_ | 2017-05-08 06:33:17 -0700 (Mon, 08 May 2017) | 2 lines

Correct fix for CVE-2017-6840: Too strict check for given arguments.

>
> CVE ID: CVE-2017-6844
> Summary: Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
>
> ______________________________

------------------------------------------------------------------------
r1840 | aja_ | 2017-04-28 08:19:14 -0700 (Fri, 28 Apr 2017) | 2 lines

Patch by Matthias Brinke: Fix CVE-2017-5853 (signed integer overflow) and CVE-2017-6844 (buffer overflow)

> CVE ID: CVE-2017-6847
> Summary: The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1846 | aja_ | 2017-05-08 06:54:34 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-6847: NULL pointer dereference when reading XObject without BBox

These are *not* referenced in the commit log:

> CVE ID: CVE-2017-6848
> Summary: The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6849
> Summary: The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6841
> Summary: The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement function in graphicsstack.h in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6842
> Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6843
> Summary: Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
>
> ______________________________
> CVE ID: CVE-2017-6845
> Summary: The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
>
> ______________________________
>
> CVE ID: CVE-2017-6846
> Summary: The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
> Published: 2017-03-15T14:59:01.000Z
> ______________________________

I wasn't able to produce a crash with ago's PoCs on any of the CVEs Zac listed as not being mentioned in the commit log with the latest in-tree version, podofo-0.9.6.

Ok, for more detail (and as long as I didn't screw up anywhere): CVE-2017-{6842,6843,6848} are fixed in 0.9.6_pre20170508-r1, and CVE-2017-{6841,6845,6846,6849} are fixed in 0.9.6_p20180715.

(In reply to John Helmert III from comment #8)
> Ok, for more detail (and as long as I didn't screw up anywhere):
> CVE-2017-{6842,6843,6848} are fixed in 0.9.6_pre20170508-r1, and
> CVE-2017-{6841,6845,6846,6849} are fixed in 0.9.6_p20180715.

I'm quite happy to take your word for this. I checked the changelogs before and it seems very likely they just forgot to mention the rest. Especially given the actual POCs don't work in later versions. Thank you!

@maintainer(s), please clean up (we got there finally!)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ab82aac91a81f0c8a4798f0554f96473d83d62a

commit 8ab82aac91a81f0c8a4798f0554f96473d83d62a
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-06 00:23:40 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-06 00:27:13 +0000

    app-text/podofo: Remove vulnerable versions (bug 614038)

    Bug: https://bugs.gentoo.org/614038
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                           |   2 -
 app-text/podofo/podofo-0.9.6_pre20170508-r1.ebuild | 145 --------------------
 app-text/podofo/podofo-0.9.6_pre20171027.ebuild    | 148 ---------------------
 3 files changed, 295 deletions(-)

Thanks Zac.

Tree is clean.