Bug 614038 (CVE-2017-5852, CVE-2017-5853, CVE-2017-5854, CVE-2017-5855, CVE-2017-5886, CVE-2017-6840, CVE-2017-6841, CVE-2017-6842, CVE-2017-6843, CVE-2017-6844, CVE-2017-6845, CVE-2017-6846, CVE-2017-6847, CVE-2017-6848, CVE-2017-6849) - <app-text/podofo-0.9.6_p20180715: Multiple vulnerabilities (CVE-2017-{5852,5853,5854,5855,5886,6840,6841,6842,6843,6844,6845,6846,6847,6848,6849})
Status: RESOLVED FIXED
Alias: CVE-2017-5852, CVE-2017-5853, CVE-2017-5854, CVE-2017-5855, CVE-2017-5886, CVE-2017-6840, CVE-2017-6841, CVE-2017-6842, CVE-2017-6843, CVE-2017-6844, CVE-2017-6845, CVE-2017-6846, CVE-2017-6847, CVE-2017-6848, CVE-2017-6849
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: C3 [noglsa cve]
Reported: 2017-03-27 09:32 UTC by Agostino Sarubbo
Modified: 2020-06-18 02:38 UTC
Description Agostino Sarubbo gentoo-dev 2017-03-27 09:32:07 UTC
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp
https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp
https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp
https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h
https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp
Comment 1 Zac Medico gentoo-dev 2017-03-27 17:05:01 UTC
It looks like there might be some fixes in svn, but no release yet:

https://sourceforge.net/p/podofo/code/commit_browser
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-01 17:15:24 UTC
CVE ID: CVE-2017-5852
   Summary: The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file.
 Published: 2017-03-01T15:59:00.000Z
______________________________

CVE ID: CVE-2017-5853
   Summary: Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
 Published: 2017-03-01T15:59:00.000Z
______________________________

CVE ID: CVE-2017-5854
   Summary: base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
 Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-5855
   Summary: The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
 Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-5886
   Summary: Heap-based buffer overflow in the PoDoFo::PdfTokenizer::GetNextToken function in PdfTokenizer.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
 Published: 2017-03-01T15:59:01.000Z
______________________________

CVE ID: CVE-2017-6840
   Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (invalid read) via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6841
   Summary: The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement function in graphicsstack.h in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6842
   Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6843
   Summary: Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6844
   Summary: Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6845
   Summary: The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6846
   Summary: The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6847
   Summary: The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6848
   Summary: The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________

CVE ID: CVE-2017-6849
   Summary: The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
 Published: 2017-03-15T14:59:01.000Z
______________________________
Comment 3 Zac Medico gentoo-dev 2017-05-01 17:20:52 UTC
I'll have to go through this list of vulnerabilities to see if they are all fixed in or before r1842, which corresponds to the podofo-0.9.6_pre20170428 snapshot that I have added to gentoo for bug 617204.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-08 03:18:23 UTC
Ping.

I see that we are already in 20170508-r1 in tree. Can we close this report?

Thank you,

Gentoo Security Padawan
ChrisADR
Comment 5 Zac Medico gentoo-dev 2017-10-08 04:26:44 UTC
These are explicitly referenced in the commit log for 20170508-r1:

> CVE ID: CVE-2017-5852
>    Summary: The PoDoFo::PdfPage::GetInheritedKeyFromObject function in
> base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a
> denial of service (infinite loop) via a crafted file.
>  Published: 2017-03-01T15:59:00.000Z
> ______________________________    

------------------------------------------------------------------------
r1835 | aja_ | 2017-04-07 10:22:53 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5852 with added error code

> CVE ID: CVE-2017-5853
>    Summary: Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows
> remote attackers to have unspecified impact via a crafted file.
>  Published: 2017-03-01T15:59:00.000Z
> 
> ______________________________

------------------------------------------------------------------------
r1840 | aja_ | 2017-04-28 08:19:14 -0700 (Fri, 28 Apr 2017) | 2 lines

Patch by Matthias Brinke: Fix CVE-2017-5853 (signed integer overflow) and CVE-2017-6844 (buffer overflow)

>     CVE ID: CVE-2017-5854
>    Summary: base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers
> to cause a denial of service (NULL pointer dereference and crash) via a
> crafted file.
>  Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1836 | aja_ | 2017-04-07 10:36:12 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5854

 
>     CVE ID: CVE-2017-5855
>    Summary: The PoDoFo::PdfParser::ReadXRefSubsection function in
> PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of
> service (NULL pointer dereference) via a crafted file.
>  Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1843 | aja_ | 2017-05-08 06:05:38 -0700 (Mon, 08 May 2017) | 5 lines

Fix CVE-2017-5855: NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection

Throw PoDoFo's Out of memory exception when resize of std::vector fails
when reading XRef content.

> CVE ID: CVE-2017-5886
>    Summary: Heap-based buffer overflow in the
> PoDoFo::PdfTokenizer::GetNextToken function in PdfTokenizer.cpp in PoDoFo
> 0.9.4 allows remote attackers to have unspecified impact via a crafted file.
>  Published: 2017-03-01T15:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1837 | aja_ | 2017-04-07 11:01:44 -0700 (Fri, 07 Apr 2017) | 2 lines

Fix for CVE-2017-5886

> CVE ID: CVE-2017-6840
>    Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp
> in PoDoFo 0.9.5 allows remote attackers to cause a denial of service
> (invalid read) via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> 
> ______________________________

------------------------------------------------------------------------
r1844 | aja_ | 2017-05-08 06:23:49 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-6840: Out of bounds read in ColorChanger::GetColorFromStack()

------------------------------------------------------------------------
r1845 | aja_ | 2017-05-08 06:33:17 -0700 (Mon, 08 May 2017) | 2 lines

Correct fix for CVE-2017-6840: Too strict check for given arguments.

> 
> CVE ID: CVE-2017-6844
>    Summary: Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection
> function in PdfParser.cpp in PoDoFo 0.9.4 allows remote attackers to have
> unspecified impact via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> 
> ______________________________

------------------------------------------------------------------------
r1840 | aja_ | 2017-04-28 08:19:14 -0700 (Fri, 28 Apr 2017) | 2 lines

Patch by Matthias Brinke: Fix CVE-2017-5853 (signed integer overflow) and CVE-2017-6844 (buffer overflow)
 
> CVE ID: CVE-2017-6847
>    Summary: The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in
> PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL
> pointer dereference) via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> ______________________________

------------------------------------------------------------------------
r1846 | aja_ | 2017-05-08 06:54:34 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-6847: NULL pointer dereference when reading XObject without BBox
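The r1843 commit message above describes the CVE-2017-5855 fix as throwing PoDoFo's out-of-memory exception when a std::vector resize fails while reading xref content. The C++ below is an added illustration of that defensive pattern and is not PoDoFo's code: the XRefEntry struct, the XRefOutOfMemory exception, readXRefSubsection/tryReadXRefSubsection and the fixed 20-byte entry layout are assumptions, and the up-front bound on the entry count goes one step beyond what the commit message states.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical types standing in for PoDoFo's own xref entry and error code.
struct XRefEntry { uint64_t offset; unsigned generation; bool inUse; };
struct XRefOutOfMemory : std::runtime_error {
    using std::runtime_error::runtime_error;
};

static const std::size_t kXRefEntryLen = 20;  // "nnnnnnnnnn ggggg n" + 2-byte EOL

// Read `count` fixed-width entries of one xref subsection starting at `pos`.
// A count the remaining bytes cannot back is rejected before any allocation
// (extra defence); a failed resize becomes a typed exception, mirroring the
// r1843 commit message, instead of surfacing later as a crash.
std::vector<XRefEntry> readXRefSubsection(const std::string& buf, std::size_t pos,
                                         std::size_t count, std::size_t maxEntries) {
    std::size_t remaining = (pos <= buf.size()) ? buf.size() - pos : 0;
    if (count > maxEntries || count > remaining / kXRefEntryLen)
        throw std::out_of_range("xref subsection count exceeds available data");
    std::vector<XRefEntry> entries;
    try {
        entries.resize(count);  // the allocation the fix guards
    } catch (const std::bad_alloc&) {
        throw XRefOutOfMemory("vector resize failed while reading xref");
    } catch (const std::length_error&) {
        throw XRefOutOfMemory("xref entry count exceeds vector max_size");
    }
    for (std::size_t i = 0; i < count; ++i) {
        const char* e = buf.data() + pos + i * kXRefEntryLen;
        entries[i].offset = std::stoull(std::string(e, 10));
        entries[i].generation = static_cast<unsigned>(std::stoul(std::string(e + 11, 5)));
        entries[i].inUse = (e[17] == 'n');
    }
    return entries;
}

// Status-code wrapper: 0 = parsed, 1 = count rejected, 2 = allocation failed.
int tryReadXRefSubsection(const std::string& buf, std::size_t pos, std::size_t count,
                          std::size_t maxEntries, std::vector<XRefEntry>* out) {
    try {
        *out = readXRefSubsection(buf, pos, count, maxEntries);
        return 0;
    } catch (const std::out_of_range&) {
        return 1;
    } catch (const XRefOutOfMemory&) {
        return 2;
    }
}
```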
Comment 6 Zac Medico gentoo-dev 2017-10-08 04:29:03 UTC
These are *not* referenced in the commit log:

> CVE ID: CVE-2017-6848
>    Summary: The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in
> PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL
> pointer dereference) via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> ______________________________
> 
> CVE ID: CVE-2017-6849
>    Summary: The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp
> in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL
> pointer dereference) via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> ______________________________
>
> CVE ID: CVE-2017-6841
>    Summary: The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement
> function in graphicsstack.h in PoDoFo 0.9.5 allows remote attackers to cause
> a denial of service (NULL pointer dereference) via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> ______________________________
> 
> CVE ID: CVE-2017-6842
>    Summary: The ColorChanger::GetColorFromStack function in colorchanger.cpp
> in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL
> pointer dereference) via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> ______________________________
> 
> CVE ID: CVE-2017-6843
>    Summary: Heap-based buffer overflow in the
> PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.4
> allows remote attackers to have unspecified impact via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> 
> ______________________________
> CVE ID: CVE-2017-6845
>    Summary: The PoDoFo::PdfColor::operator function in PdfColor.cpp in
> PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL
> pointer dereference) via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> 
> ______________________________
> 
> CVE ID: CVE-2017-6846
>    Summary: The
> GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in
> graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of
> service (NULL pointer dereference) via a crafted file.
>  Published: 2017-03-15T14:59:01.000Z
> ______________________________
Comment 7 John Helmert III (ajak) 2020-05-26 01:05:45 UTC
I wasn't able to produce a crash with ago's PoCs on any of the CVEs Zac listed as not being mentioned in the commit log with the latest in-tree version, podofo-0.9.6.
Comment 8 John Helmert III (ajak) 2020-05-29 18:09:15 UTC
Ok, for more detail (and as long as I didn't screw up anywhere): CVE-2017-{6842,6843,6848} are fixed in 0.9.6_pre20170508-r1, and CVE-2017-{6841,6845,6846,6849} are fixed in 0.9.6_p20180715.
Comment 9 Sam James gentoo-dev Security 2020-06-05 23:36:10 UTC
(In reply to John Helmert III from comment #8)
> Ok, for more detail (and as long as I didn't screw up anywhere):
> CVE-2017-{6842,6843,6848} are fixed in 0.9.6_pre20170508-r1, and
> CVE-2017-{6841,6845,6846,6849} are fixed in 0.9.6_p20180715.

I'm quite happy to take your word for this. I checked the changelogs before and it seems very likely they just forgot to mention the rest.

Especially given the actual PoCs don't work in later versions. Thank you!
Comment 10 Sam James gentoo-dev Security 2020-06-05 23:36:41 UTC
@maintainer(s), please clean up (we got there finally!)
Comment 11 Larry the Git Cow gentoo-dev 2020-06-06 00:27:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ab82aac91a81f0c8a4798f0554f96473d83d62a

commit 8ab82aac91a81f0c8a4798f0554f96473d83d62a
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-06-06 00:23:40 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-06-06 00:27:13 +0000

    app-text/podofo: Remove vulnerable versions (bug 614038)
    
    Bug: https://bugs.gentoo.org/614038
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-text/podofo/Manifest                           |   2 -
 app-text/podofo/podofo-0.9.6_pre20170508-r1.ebuild | 145 --------------------
 app-text/podofo/podofo-0.9.6_pre20171027.ebuild    | 148 ---------------------
 3 files changed, 295 deletions(-)
Comment 12 Sam James gentoo-dev Security 2020-06-06 00:41:07 UTC
Thanks Zac.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2020-06-18 02:38:01 UTC
tree is clean