CVE-2017-8054 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8054): The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted PDF document. CVE-2017-8053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8053): PoDoFo 0.9.5 allows denial of service (infinite recursion and stack consumption) via a crafted PDF file in PoDoFo::PdfParser::ReadDocumentStructure (PdfParser.cpp). CVE-2017-7994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7994): The function TextExtractor::ExtractText in TextExtractor.cpp:77 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document. CVE-2017-7383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7383): The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document. CVE-2017-7382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7382): The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document. CVE-2017-7381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7381): The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document. CVE-2017-7380 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7380): The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document. CVE-2017-7379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7379): The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in PdfEncoding.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PDF document. CVE-2017-7378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7378): The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted PDF document.
CVE ID: CVE-2017-8787 Summary: The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in base/PdfXRefStreamParserObject.cpp:224 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted PDF file. Published: 2017-05-05T07:29:01.000Z
These ones are already fixed in podofo-0.9.6_pre20170508-r1: r1849 | aja_ | 2017-05-08 10:00:13 -0700 (Mon, 08 May 2017) | 2 lines Fix CVE-2017-7994: NULL dereference in TextExtractor::ExtractText() https://sourceforge.net/p/podofo/code/1849/tree/podofo/trunk/tools/podofotxtextract/TextExtractor.cpp?diff=50f1cef7e88f3d7cbdd252d0:1848 r1848 | aja_ | 2017-05-08 07:21:17 -0700 (Mon, 08 May 2017) | 2 lines Fix CVE-2017-7380: NULL dereference in PdfPage::GetFromResources() https://sourceforge.net/p/podofo/code/1848/tree/podofo/trunk/src/doc/PdfPage.cpp?diff=50f1cef7e88f3d7cbdd252d0:1847 r1847 | aja_ | 2017-05-08 07:15:41 -0700 (Mon, 08 May 2017) | 2 lines Fix CVE-2017-7378: Out of bounds read in PdfPainter::ExpandTabs() https://sourceforge.net/p/podofo/code/1847/tree/podofo/trunk/src/doc/PdfPainter.cpp?diff=50f1cef7e88f3d7cbdd252d0:1846 r1842 | aja_ | 2017-04-28 09:49:01 -0700 (Fri, 28 Apr 2017) | 2 lines Patch by Mark Rogers: Fix CVE-2017-7379: encoding array too short to encode/decode code point 0xffff https://sourceforge.net/p/podofo/code/1842/tree/podofo/trunk/src/base/PdfEncoding.cpp?diff=50f1cef7e88f3d7cbdd252d0:1841
There's a fix for CVE-2017-8787 upstream now: r1851 | aja_ | 2017-06-04 05:15:23 -0700 (Sun, 04 Jun 2017) | 2 lines Fix for CVE-2017-8787 - Read out of buffer size in PdfXRefStreamParserObject::ReadXRefStreamEntry() https://sourceforge.net/p/podofo/code/1851/tree//podofo/trunk/src/base/PdfXRefStreamParserObject.cpp?diff=50f1cef7e88f3d7cbdd252d0:1850
CVE-2017-8053: https://sourceforge.net/p/podofo/tickets/7/ https://sourceforge.net/p/podofo/mailman/message/29548894/ (progressive) Other CVEs not mention of fixed or referenced do not appear to be known to upstream or are confidential bugs not yet disclosed other than here: https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference/
CVE-2017-7381 seems to be fixed by 0.9.6_p20180715.
Closing because of the age. Thanks ajak.
