Summary: | <app-text/podofo-0.9.6_p20180715: Multiple vulnerabilities (CVE-2017-{7378,7379,7380,7381,7382,7383,7994,8053,8054,8787}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | zmedico |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | C3 [noglsa cve] | | |
Package list: | | Runtime testing required: | --- |

Description
GLSAMaker/CVETool Bot
2017-05-01 17:40:49 UTC
CVE ID: CVE-2017-8787
Summary: The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in base/PdfXRefStreamParserObject.cpp:224 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted PDF file.
Published: 2017-05-05T07:29:01.000Z

These ones are already fixed in podofo-0.9.6_pre20170508-r1:

r1849 | aja_ | 2017-05-08 10:00:13 -0700 (Mon, 08 May 2017) | 2 lines
Fix CVE-2017-7994: NULL dereference in TextExtractor::ExtractText()
https://sourceforge.net/p/podofo/code/1849/tree/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp?diff=50f1cef7e88f3d7cbdd252d0:1848

r1848 | aja_ | 2017-05-08 07:21:17 -0700 (Mon, 08 May 2017) | 2 lines
Fix CVE-2017-7380: NULL dereference in PdfPage::GetFromResources()
https://sourceforge.net/p/podofo/code/1848/tree/podofo/trunk/src/doc/PdfPage.cpp?diff=50f1cef7e88f3d7cbdd252d0:1847

r1847 | aja_ | 2017-05-08 07:15:41 -0700 (Mon, 08 May 2017) | 2 lines
Fix CVE-2017-7378: Out of bounds read in PdfPainter::ExpandTabs()
https://sourceforge.net/p/podofo/code/1847/tree/podofo/trunk/src/doc/PdfPainter.cpp?diff=50f1cef7e88f3d7cbdd252d0:1846

r1842 | aja_ | 2017-04-28 09:49:01 -0700 (Fri, 28 Apr 2017) | 2 lines
Patch by Mark Rogers: Fix CVE-2017-7379: encoding array too short to encode/decode code point 0xffff
https://sourceforge.net/p/podofo/code/1842/tree/podofo/trunk/src/base/PdfEncoding.cpp?diff=50f1cef7e88f3d7cbdd252d0:1841

There's a fix for CVE-2017-8787 upstream now:

r1851 | aja_ | 2017-06-04 05:15:23 -0700 (Sun, 04 Jun 2017) | 2 lines
Fix for CVE-2017-8787 - Read out of buffer size in PdfXRefStreamParserObject::ReadXRefStreamEntry()
https://sourceforge.net/p/podofo/code/1851/tree//podofo/trunk/src/base/PdfXRefStreamParserObject.cpp?diff=50f1cef7e88f3d7cbdd252d0:1850

CVE-2017-8053:
https://sourceforge.net/p/podofo/tickets/7/
https://sourceforge.net/p/podofo/mailman/message/29548894/ (progressive)

Other CVEs not mentioned as fixed or referenced do not appear to be known to upstream or are confidential bugs not yet disclosed other than here:
https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference/

CVE-2017-7381 seems to be fixed by 0.9.6_p20180715. Closing because of the age. Thanks ajak.