Bug 617204 (CVE-2017-8378) - <app-text/podofo-0.9.6_pre20170508-r1: Denial of Service
Summary: <app-text/podofo-0.9.6_pre20170508-r1: Denial of Service
Status: RESOLVED FIXED
Alias: CVE-2017-8378
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: C3 [noglsa/cve]
Keywords:
Depends on:
Blocks:
Reported: 2017-05-01 15:42 UTC by GLSAMaker/CVETool Bot
Modified: 2017-05-18 06:54 UTC

See Also:
Package list:
=app-text/podofo-0.9.6_pre20170508-r1 =virtual/podofo-build-0.9.6_pre20170508-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2017-05-01 15:42:47 UTC
CVE-2017-8378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8378):
  Heap-based buffer overflow in the PdfParser::ReadObjects function in
  base/PdfParser.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial
  of service (application crash) or possibly have unspecified other impact via
  vectors related to m_offsets.size.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-05-01 15:44:14 UTC
Maintainer(s) please advise if this affects any version prior to 0.9.5.
Comment 2 Zac Medico gentoo-dev 2017-05-01 16:50:43 UTC
(In reply to Yury German from comment #1)
> Maintainer(s) please advise if this affects any version prior to 0.9.5.

The vulnerable "m_offsets[i].bParsed = false;" code in the PdfParser::ReadObjects method appears to be present in all versions going back to the oldest one in the tree, 0.9.2. There's a fix r1833, but no tag yet:

https://sourceforge.net/p/podofo/code/1833/tree//podofo/trunk/src/base/PdfParser.cpp?diff=50f1cef7e88f3d7cbdd252d0:1832

I'll go ahead and create a snapshot from trunk.
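The description above places the overflow in PdfParser::ReadObjects, where an object number taken from the file is used to index the heap-allocated m_offsets table, and comment 2 points at the `m_offsets[i].bParsed = false;` write as the affected line. The following is an added illustration of that bug class and of the check a parser needs, written for this bug page and not taken from PoDoFo or from the r1833 fix. All names (XRefSlot, RawXRefRecord, BuildXRefTable, the sample records) are hypothetical; they only echo the m_offsets/bParsed naming used in the bug, and the sample cross-reference records are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// One slot per object number, as a PDF parser keeps for its cross-reference
// table. Hypothetical type: it only mirrors the m_offsets/bParsed naming from
// the bug and is not PoDoFo's code.
struct XRefSlot {
    uint64_t offset = 0;
    bool bParsed = false;
};

// A raw cross-reference record as read from the file: object number plus
// byte offset. Both values come from untrusted input.
struct RawXRefRecord {
    std::size_t objectNumber;
    uint64_t offset;
};

// Builds the table from the trailer's /Size and the raw records. Every object
// number is validated against the table size before its slot is written, so a
// record pointing past the end is rejected instead of writing beyond the heap
// buffer. Returns the number of slots filled; throws std::out_of_range on a
// record whose object number does not fit the declared table.
std::size_t BuildXRefTable(std::size_t declaredSize,
                           const std::vector<RawXRefRecord>& records,
                           std::vector<XRefSlot>& table) {
    table.assign(declaredSize, XRefSlot{});
    std::size_t filled = 0;
    for (const RawXRefRecord& rec : records) {
        // operator[] performs no bounds check; the check has to be explicit.
        if (rec.objectNumber >= table.size()) {
            throw std::out_of_range("xref object number exceeds declared /Size");
        }
        XRefSlot& slot = table[rec.objectNumber];  // index proven in range above
        slot.offset = rec.offset;
        slot.bParsed = false;
        ++filled;
    }
    return filled;
}

// Counts the records a table of the given size would reject, without touching
// the table at all. Usable as a pre-check or as the core of a rule that flags
// malformed cross-reference sections in files arriving at a parser.
std::size_t CountOutOfRangeRecords(std::size_t declaredSize,
                                   const std::vector<RawXRefRecord>& records) {
    std::size_t bad = 0;
    for (const RawXRefRecord& rec : records) {
        if (rec.objectNumber >= declaredSize) ++bad;
    }
    return bad;
}

// Constructed sample inputs: a well-formed xref section for /Size 4, and a
// malformed one in which a record names object 9 although only 4 slots exist.
const std::vector<RawXRefRecord> kGoodRecords = {
    {0, 0}, {1, 15}, {2, 74}, {3, 120}};
const std::vector<RawXRefRecord> kBadRecords = {
    {0, 0}, {1, 15}, {9, 74}};

// True when the well-formed section fills all four slots as expected.
bool DemoBuildsValidTable() {
    std::vector<XRefSlot> table;
    std::size_t filled = BuildXRefTable(4, kGoodRecords, table);
    return filled == 4 && table.size() == 4 && table[3].offset == 120 &&
           !table[3].bParsed;
}

// True when the malformed section is rejected and the table keeps its
// declared size, i.e. nothing was written past the end of the buffer.
bool DemoRejectsOutOfRange() {
    std::vector<XRefSlot> table;
    try {
        BuildXRefTable(4, kBadRecords, table);
    } catch (const std::out_of_range&) {
        return table.size() == 4;
    }
    return false;
}

int main() {
    return (DemoBuildsValidTable() && DemoRejectsOutOfRange()) ? 0 : 1;
}
```

The point of the example is the single comparison against `table.size()` before the write: with it, a crafted object number produces a caught exception and a parse error; without it, the same input turns into an out-of-bounds heap write of the kind the CVE description reports.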
Comment 3 Zac Medico gentoo-dev 2017-05-01 17:12:37 UTC
Added podofo-0.9.6_pre20170428 ebuild to gentoo:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5685a989182a75db3a35172af432e43468cf42bc
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-05-01 17:17:29 UTC
Would this fix also apply to Bug 614038?
https://bugs.gentoo.org/show_bug.cgi?id=614038
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-01 20:27:50 UTC
(In reply to Yury German from comment #4)
> Would this fix also apply to Bug 614038?
> https://bugs.gentoo.org/show_bug.cgi?id=614038

It doesn't. I stopped the fuzz research on podofo because there were ~30 bugs and no upstream reaction. From svn I see that ~4/5 bugs were fixed.
Comment 6 Zac Medico gentoo-dev 2017-05-10 20:38:19 UTC
Bumped to 0.9.6_pre20170508:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=213746d55265ff9167fbf4aa616b840775c4258d

Fixes since 0.9.6_pre20170428:

------------------------------------------------------------------------
r1849 | aja_ | 2017-05-08 10:00:13 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-7994: NULL dereference in TextExtractor::ExtractText()

------------------------------------------------------------------------
r1848 | aja_ | 2017-05-08 07:21:17 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-7380: NULL dereference in PdfPage::GetFromResources()

------------------------------------------------------------------------
r1847 | aja_ | 2017-05-08 07:15:41 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-7378: Out of bounds read in PdfPainter::ExpandTabs()

------------------------------------------------------------------------
r1846 | aja_ | 2017-05-08 06:54:34 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-6847: NULL pointer dereference when reading XObject without BBox

------------------------------------------------------------------------
r1845 | aja_ | 2017-05-08 06:33:17 -0700 (Mon, 08 May 2017) | 2 lines

Correct fix for CVE-2017-6840: Too strict check for given arguments.

------------------------------------------------------------------------
r1844 | aja_ | 2017-05-08 06:23:49 -0700 (Mon, 08 May 2017) | 2 lines

Fix CVE-2017-6840: Out of bounds read in ColorChanger::GetColorFromStack()

------------------------------------------------------------------------
r1843 | aja_ | 2017-05-08 06:05:38 -0700 (Mon, 08 May 2017) | 5 lines

Fix CVE-2017-5855: NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection

Throw PoDoFo's Out of memory exception when resize of std::vector fails
when reading XRef content.

------------------------------------------------------------------------
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2017-05-11 05:25:17 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 8 Zac Medico gentoo-dev 2017-05-12 10:30:54 UTC
I've revbumped it to podofo-0.9.6_pre20170508-r1 with a customized libpodofo.so.0.9.6_pre20170508 soname, since the libpodofo.so.0.9.6 ABI is not necessarily stable yet.

We should let this get tested for a couple of days before we call for stabilization.
Comment 9 Zac Medico gentoo-dev 2017-05-15 08:43:20 UTC
Please stabilize.
Comment 10 Agostino Sarubbo gentoo-dev 2017-05-15 14:18:05 UTC
amd64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2017-05-16 05:00:00 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2017-05-16 08:01:28 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-05-16 13:06:52 UTC
ppc64 stable
Comment 14 Michael Weber (RETIRED) gentoo-dev 2017-05-18 05:01:12 UTC
ppc stable, all arches done.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2017-05-18 05:09:15 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2017-05-18 06:54:05 UTC
Arches and Maintainer(s), Thank you for your work.
Closing noglsa.