
Bug 617212 (CVE-2017-7378, CVE-2017-7379, CVE-2017-7380, CVE-2017-7381, CVE-2017-7382, CVE-2017-7383, CVE-2017-7994, CVE-2017-8053, CVE-2017-8054, CVE-2017-8787)

Summary: <app-text/podofo-0.9.6_p20180715: Multiple vulnerabilities (CVE-2017-{7378,7379,7380,7381,7382,7383,7994,8053,8054,8787})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: C3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-05-01 17:40:49 UTC
CVE-2017-8054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8054):
  The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 in
  PoDoFo 0.9.5 allows remote attackers to cause a denial of service (infinite
  recursion and application crash) via a crafted PDF document.

CVE-2017-8053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8053):
  PoDoFo 0.9.5 allows denial of service (infinite recursion and stack
  consumption) via a crafted PDF file in
  PoDoFo::PdfParser::ReadDocumentStructure (PdfParser.cpp).

CVE-2017-7994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7994):
  The function TextExtractor::ExtractText in TextExtractor.cpp:77 in PoDoFo
  0.9.5 allows remote attackers to cause a denial of service (NULL pointer
  dereference and application crash) via a crafted PDF document.

CVE-2017-7383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7383):
  The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows remote attackers
  to cause a denial of service (NULL pointer dereference and application
  crash) via a crafted PDF document.

CVE-2017-7382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7382):
  The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows remote attackers
  to cause a denial of service (NULL pointer dereference and application
  crash) via a crafted PDF document.

CVE-2017-7381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7381):
  The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attackers to
  cause a denial of service (NULL pointer dereference and application crash)
  via a crafted PDF document.

CVE-2017-7380 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7380):
  The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attackers to
  cause a denial of service (NULL pointer dereference and application crash)
  via a crafted PDF document.

CVE-2017-7379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7379):
  The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in PdfEncoding.cpp
  in PoDoFo 0.9.5 allows remote attackers to cause a denial of service
  (heap-based buffer over-read and application crash) via a crafted PDF
  document.

CVE-2017-7378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7378):
  The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoFo
  0.9.5 allows remote attackers to cause a denial of service (heap-based
  buffer over-read and application crash) via a crafted PDF document.
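
CVE-2017-8054 in the description above is unbounded recursion while walking the page tree of a crafted PDF. The following is an added illustration, not PoDoFo's code or the upstream fix: a page-tree walk that rejects any object reached twice and caps recursion depth. `Node`, `ObjectTable`, `CountPages`, `Walk` and `kMaxDepth` are hypothetical names, and the object tables are constructed stand-ins for a parsed PDF.

```cpp
#include <cstddef>
#include <map>
#include <set>
#include <vector>

// Constructed stand-in for a parsed PDF: object number -> page-tree node.
// Empty `kids` means a leaf page; otherwise the node is an intermediate /Pages.
struct Node { std::vector<int> kids; };
using ObjectTable = std::map<int, Node>;
enum class Walk { Ok, Revisit, TooDeep, Dangling };
constexpr std::size_t kMaxDepth = 64;  // assumed cap, not a PoDoFo constant

// Counts leaf pages below objNum. A page-tree node has exactly one /Parent, so
// reaching any object twice means /Kids does not describe a tree: stop there.
Walk CountPages(const ObjectTable& objs, int objNum, std::set<int>& seen,
                std::size_t depth, std::size_t& pages) {
    if (depth > kMaxDepth) return Walk::TooDeep;
    auto it = objs.find(objNum);
    if (it == objs.end()) return Walk::Dangling;   // /Kids names a missing object
    if (!seen.insert(objNum).second) return Walk::Revisit;
    if (it->second.kids.empty()) { ++pages; return Walk::Ok; }
    for (int kid : it->second.kids) {
        Walk r = CountPages(objs, kid, seen, depth + 1, pages);
        if (r != Walk::Ok) return r;
    }
    return Walk::Ok;
}

Walk CountFromRoot(const ObjectTable& objs, int root, std::size_t& pages) {
    std::set<int> seen;
    pages = 0;
    return CountPages(objs, root, seen, 0, pages);
}

// Constructed inputs: a valid tree, and one whose /Kids refers back to the root.
ObjectTable GoodTree() {
    ObjectTable t;
    t[1].kids = {2, 3}; t[2] = Node{}; t[3].kids = {4}; t[4] = Node{};
    return t;
}
ObjectTable CyclicTree() {
    ObjectTable t;
    t[1].kids = {2}; t[2].kids = {1};
    return t;
}

int main() {
    std::size_t n = 0;
    return CountFromRoot(CyclicTree(), 1, n) == Walk::Revisit ? 0 : 1;
}
```
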
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 07:41:23 UTC
CVE ID: CVE-2017-8787
   Summary: The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in base/PdfXRefStreamParserObject.cpp:224 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted PDF file.
 Published: 2017-05-05T07:29:01.000Z
Comment 2 Zac Medico gentoo-dev 2017-06-10 18:12:12 UTC
These ones are already fixed in podofo-0.9.6_pre20170508-r1:

r1849 | aja_ | 2017-05-08 10:00:13 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-7994: NULL dereference in TextExtractor::ExtractText()

https://sourceforge.net/p/podofo/code/1849/tree/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp?diff=50f1cef7e88f3d7cbdd252d0:1848

r1848 | aja_ | 2017-05-08 07:21:17 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-7380: NULL dereference in PdfPage::GetFromResources()

https://sourceforge.net/p/podofo/code/1848/tree/podofo/trunk/src/doc/PdfPage.cpp?diff=50f1cef7e88f3d7cbdd252d0:1847

r1847 | aja_ | 2017-05-08 07:15:41 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-7378: Out of bounds read in PdfPainter::ExpandTabs()

https://sourceforge.net/p/podofo/code/1847/tree/podofo/trunk/src/doc/PdfPainter.cpp?diff=50f1cef7e88f3d7cbdd252d0:1846

r1842 | aja_ | 2017-04-28 09:49:01 -0700 (Fri, 28 Apr 2017) | 2 lines

Patch by Mark Rogers: Fix CVE-2017-7379: encoding array too short to encode/decode code point 0xffff

https://sourceforge.net/p/podofo/code/1842/tree/podofo/trunk/src/base/PdfEncoding.cpp?diff=50f1cef7e88f3d7cbdd252d0:1841
Comment 3 Zac Medico gentoo-dev 2017-06-10 18:12:43 UTC
There's a fix for CVE-2017-8787 upstream now:

r1851 | aja_ | 2017-06-04 05:15:23 -0700 (Sun, 04 Jun 2017) | 2 lines

Fix for CVE-2017-8787 - Read out of buffer size in PdfXRefStreamParserObject::ReadXRefStreamEntry()

https://sourceforge.net/p/podofo/code/1851/tree//podofo/trunk/src/base/PdfXRefStreamParserObject.cpp?diff=50f1cef7e88f3d7cbdd252d0:1850
Comment 4 D'juan McDonald (domhnall) 2018-07-26 12:10:59 UTC
CVE-2017-8053:
https://sourceforge.net/p/podofo/tickets/7/
https://sourceforge.net/p/podofo/mailman/message/29548894/ (progressive)

Other CVEs not mentioned as fixed or referenced do not appear to be known to upstream, or are confidential bugs not yet disclosed other than here:

https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference/
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-05-29 05:27:34 UTC
CVE-2017-7381 seems to be fixed by 0.9.6_p20180715.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-08 04:11:42 UTC
Closing because of the age. Thanks ajak.