FS#55190 : [podofo] [Security] denial of service (CVE-2017-7994 7383..78 6842..40)

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#55190 - [podofo] [Security] denial of service (CVE-2017-7994 7383..78 6842..40)

Attached to Project: Arch Linux
Opened by Pablo Lezaeta (Jristz) - Friday, 18 August 2017, 05:35 GMT
Last edited by Jelle van der Waa (jelly) - Thursday, 20 September 2018, 19:27 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Jelle van der Waa (jelly) Levente Polyak (anthraxx)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Pablo Lezaeta (Jristz) (2017-08-18)
Private	No

Details

Summary
=======

The package podofo is vulnerable to denial of service via CVE-2017-7994, CVE-2017-7383, CVE-2017-7382, CVE-2017-7381, CVE-2017-7380, CVE-2017-7379, CVE-2017-7378, CVE-2017-6842, CVE-2017-6841 and CVE-2017-6840.

Guidance
========

ok debian is affected by: CVS-2017-7994, CVE-2017-6841
Debian has fixed since 0.9.0-1.1+deb7u2 (sid have 0.9.4-6 with some patches): CVE-2017-7383 up to CVE-2017-7378 CVE-2017-6842, CVE-2017-6840
for the fixed there are patches backported up to 0.9.0-1.1+deb7u2 so check if someone can be applied, and for the unfixed one need to wait or dig on the github repo.

References
==========

https://security.archlinux.org/AVG-216
https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp/
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h/
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp/
https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference
https://blogs.gentoo.org/ago/2017/03/31/podofo-heap-based-buffer-overflow-in-podofopdfsimpleencodingconverttoencoding-pdfencoding-cpp
https://icepng.github.io/2017/04/21/PoDoFo-1/
https://blogs.gentoo.org/ago/2017/03/31/podofo-heap-based-buffer-overflow-in-podofopdfpainterexpandtabs-pdfpainter-cpp
http://www.securityfocus.com/bid/97296

This task depends upon

Closed by Jelle van der Waa (jelly)
Thursday, 20 September 2018, 19:27 GMT
Reason for closing: Fixed
Additional comments about closing: Updated to 0.9.6-2

Comments (2)
Related Tasks (0/0)

Comment by Antonio Rojas (arojas) - Tuesday, 29 August 2017, 16:57 GMT

orphan package, reassigning to maintainers of reverse dependencies

Comment by Gaetan Bisson (vesath) - Tuesday, 29 August 2017, 22:11 GMT

As far as I'm concerned, I'd rather switch to an upstream SVN snapshot than add half a dozen patches to our PKGBUILD. But would that even be enough to fix all those CVE's?

If not, I'm happy to drop podofo and build scribus without it...

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

Arch Linux

FS#55190 - [podofo] [Security] denial of service (CVE-2017-7994 7383..78 6842..40)

Details

Loading...