CVE-2023-31567 (https://github.com/podofo/podofo/issues/71): Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3. CVE-2023-31566 (https://github.com/podofo/podofo/issues/70): Podofo v0.10.0 was discovered to contain a heap-use-after-free via the component PoDoFo::PdfEncrypt::IsMetadataEncrypted(). No patches upstream.
app-text/podofo-0.10 is a "complete rewrite" so it is possible <0.10 is unaffected. https://github.com/podofo/podofo/releases/tag/0.10.0
CVE-2023-31566 has a fix at https://github.com/podofo/podofo/commit/00d2735a9c5bcb438d6f922b5f2445d28389c2d1 And -31567: https://github.com/podofo/podofo/commit/8f514d69b4ac3c9aa9f725fa93486fe4b7876642
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=7ec9123210ab90f66e0a193a5064f3f36a58faac commit 7ec9123210ab90f66e0a193a5064f3f36a58faac Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-05-12 05:25:34 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-05-12 05:26:27 +0000 [ GLSA 202405-33 ] PoDoFo: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/906105 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202405-33.xml | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+)
