Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 906105 (CVE-2023-31566, CVE-2023-31567) - <app-text/podofo-0.10.1: multiple vulnerabilities
Summary: <app-text/podofo-0.10.1: multiple vulnerabilities
Alias: CVE-2023-31566, CVE-2023-31567
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa+]
Depends on:
Reported: 2023-05-11 04:15 UTC by John Helmert III
Modified: 2024-05-12 05:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:15:14 UTC
CVE-2023-31567 (

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3.

CVE-2023-31566 (

Podofo v0.10.0 was discovered to contain a heap-use-after-free via the component PoDoFo::PdfEncrypt::IsMetadataEncrypted().

No patches upstream.
Comment 1 Andreas Sturmlechner gentoo-dev 2023-05-27 09:34:10 UTC
app-text/podofo-0.10 is a "complete rewrite" so it is possible <0.10 is unaffected.
Comment 3 Larry the Git Cow gentoo-dev 2024-05-12 05:26:31 UTC
The bug has been referenced in the following commit(s):

commit 7ec9123210ab90f66e0a193a5064f3f36a58faac
Author:     GLSAMaker <>
AuthorDate: 2024-05-12 05:25:34 +0000
Commit:     Hans de Graaff <>
CommitDate: 2024-05-12 05:26:27 +0000

    [ GLSA 202405-33 ] PoDoFo: Multiple Vulnerabilities
    Signed-off-by: GLSAMaker <>
    Signed-off-by: Hans de Graaff <>

 glsa-202405-33.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)