FS#55190 - [podofo] [Security] denial of service (CVE-2017-7994 7383..78 6842..40)

Attached to Project: Arch Linux
Opened by Pablo Lezaeta (Jristz) - Friday, 18 August 2017, 05:35 GMT
Last edited by Jelle van der Waa (jelly) - Thursday, 20 September 2018, 19:27 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jelle van der Waa (jelly)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Summary
=======

The package podofo is vulnerable to denial of service via CVE-2017-7994, CVE-2017-7383, CVE-2017-7382, CVE-2017-7381, CVE-2017-7380, CVE-2017-7379, CVE-2017-7378, CVE-2017-6842, CVE-2017-6841 and CVE-2017-6840.

Guidance
========

OK, Debian is affected by: CVE-2017-7994, CVE-2017-6841
Debian has fixed since 0.9.0-1.1+deb7u2 (sid has 0.9.4-6 with some patches): CVE-2017-7383 up to CVE-2017-7378, CVE-2017-6842, CVE-2017-6840
For the fixed ones there are patches backported up to 0.9.0-1.1+deb7u2, so check if some of them can be applied; for the unfixed ones, one needs to wait or dig in the GitHub repo.

References
==========

https://security.archlinux.org/AVG-216
https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp/
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h/
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp/
https://blogs.gentoo.org/ago/2017/03/31/podofo-four-null-pointer-dereference
https://blogs.gentoo.org/ago/2017/03/31/podofo-heap-based-buffer-overflow-in-podofopdfsimpleencodingconverttoencoding-pdfencoding-cpp
https://icepng.github.io/2017/04/21/PoDoFo-1/
https://blogs.gentoo.org/ago/2017/03/31/podofo-heap-based-buffer-overflow-in-podofopdfpainterexpandtabs-pdfpainter-cpp
http://www.securityfocus.com/bid/97296

Closed by  Jelle van der Waa (jelly)
Thursday, 20 September 2018, 19:27 GMT
Reason for closing:  Fixed
Additional comments about closing:  Updated to 0.9.6-2
Comment by Antonio Rojas (arojas) - Tuesday, 29 August 2017, 16:57 GMT
orphan package, reassigning to maintainers of reverse dependencies
Comment by Gaetan Bisson (vesath) - Tuesday, 29 August 2017, 22:11 GMT
As far as I'm concerned, I'd rather switch to an upstream SVN snapshot than add half a dozen patches to our PKGBUILD. But would that even be enough to fix all those CVEs?

If not, I'm happy to drop podofo and build scribus without it...
