Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 717792 (CVE-2019-9199, CVE-2019-9687)

Summary: <app-text/podofo-0.9.6_p20190928: Multiple vulnerabilities (CVE-2019-{9199,9687})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, zmedico
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=614038
Whiteboard: B3 [noglsa cve]
Package list:
=app-text/podofo-0.9.6_p20190928
 Runtime testing required: ---
Bug Depends on: 728090    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 04:29:38 UTC 
CVE-2019-9199 (https://nvd.nist.gov/vuln/detail/CVE-2019-9199):
  PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo
  0.9.6 has a NULL pointer dereference that can (for example) be triggered by
  sending a crafted PDF file to the podofoimpose binary. It allows an attacker
  to cause Denial of Service (Segmentation fault) or possibly have unspecified
  other impact.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-09 02:38:47 UTC 
Both of these issues appear to have been fixed upstream:

CVE-2019-9199: https://sourceforge.net/p/podofo/code/1971/
CVE-2019-9687: https://sourceforge.net/p/podofo/code/1969/

Maintainer, please bump to a version with these commits (the latest of which published on 2019-03-09).
Comment 2 Larry the Git Cow gentoo-dev 2020-06-10 06:31:43 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c44915514fc5b80618b0b048979d230a4668e7d

commit 1c44915514fc5b80618b0b048979d230a4668e7d
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-10 06:11:38 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-10 06:31:35 +0000

    app-text/podofo: Bump to version 0.9.6_p20200526 (bug 717792)
    
    Bug: https://bugs.gentoo.org/717792
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                      |   1 +
 app-text/podofo/podofo-0.9.6_p20200526.ebuild | 141 ++++++++++++++++++++++++++
 2 files changed, 142 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-10 15:34:20 UTC 
Maintainer, let us know when ready for stabilization.
Comment 4 Andreas Sturmlechner gentoo-dev 2020-06-17 11:58:41 UTC 
(In reply to Larry the Git Cow from comment #2)
>     app-text/podofo: Bump to version 0.9.6_p20200526 (bug 717792)

Zac, please consider packaging a version before r2000 which I suspect is the one breaking scribus in bug 728090. Unless the latter can be easily solved of course.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-29 00:20:08 UTC 
(In reply to Andreas Sturmlechner from comment #4)
> (In reply to Larry the Git Cow from comment #2)
> >     app-text/podofo: Bump to version 0.9.6_p20200526 (bug 717792)
> 
> Zac, please consider packaging a version before r2000 which I suspect is the
> one breaking scribus in bug 728090. Unless the latter can be easily solved
> of course.

ping
Comment 6 Larry the Git Cow gentoo-dev 2020-06-29 04:38:18 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b74b2edcf1da679d241113cebbbcb1ba6ac7c0bb

commit b74b2edcf1da679d241113cebbbcb1ba6ac7c0bb
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-29 04:20:18 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-29 04:38:11 +0000

    app-text/podofo: Bump to version 0.9.6_p20190928 (bug 717792)
    
    Bug: https://bugs.gentoo.org/717792
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                      |   1 +
 app-text/podofo/podofo-0.9.6_p20190928.ebuild | 146 ++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2020-06-29 04:41:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb5d2536ee9fe7736ec040306021ff09a347cc4f

commit bb5d2536ee9fe7736ec040306021ff09a347cc4f
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-29 04:39:20 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-29 04:39:46 +0000

    app-text/podofo: Remove 0.9.6_p20200526
    
    This version broke scribus builds as reported in bug 728090.
    
    Bug: https://bugs.gentoo.org/717792
    Bug: https://bugs.gentoo.org/728090
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                      |   1 -
 app-text/podofo/podofo-0.9.6_p20200526.ebuild | 141 --------------------------
 2 files changed, 142 deletions(-)
Comment 8 NATTkA bot gentoo-dev 2020-06-29 04:45:15 UTC 
Unable to check for sanity:

> no match for package: =app-text/podofo-0.9.6_p20200526
Comment 9 NATTkA bot gentoo-dev 2020-06-29 04:48:58 UTC 
Unable to check for sanity:

> disallowed package spec (only = allowed): =app-text/podofo-0.9.6_p20190928*
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-14 17:09:50 UTC 
Let's stabilise it if no objections.
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 10:27:53 UTC 
ppc stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 12:10:00 UTC 
ppc64 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 23:31:30 UTC 
x86 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 00:30:06 UTC 
amd64 stable
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 18:45:52 UTC 
hppa: ping
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 22:57:51 UTC 
GLSA vote: no
Comment 17 Rolf Eike Beer archtester 2020-07-28 21:54:38 UTC 
dropped to ~hppa
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-28 21:55:32 UTC 
Please cleanup.
Comment 19 Larry the Git Cow gentoo-dev 2020-07-28 22:05:03 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2e032b980c8875c8956bd2223eeeba7d4fb190c

commit c2e032b980c8875c8956bd2223eeeba7d4fb190c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-07-28 22:02:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-07-28 22:04:57 +0000

    app-text/podofo: Remove vulnerable <0.9.6_p20190928
    
    Bug: https://bugs.gentoo.org/717792
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                      |   1 -
 app-text/podofo/podofo-0.9.6_p20180715.ebuild | 146 --------------------------
 2 files changed, 147 deletions(-)
Comment 20 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-28 22:07:04 UTC 
Thanks! All done, closing.