| Summary: | podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], CVE-2017-5886, CVE-2017-684[0-9], CVE-2017-737[89], CVE-2017-738[0-3], CVE-2017-8787 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | lewyssmith, mageia, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | podofo-0.9.4-1.mga6.src.rpm | CVE: | |
| Status comment: | Patches available from Fedora and Debian | ||
| Bug Depends on: | 20234 | ||
| Bug Blocks: | |||
| Attachments: | Summary of POC tests before update | ||
|
Description

David Walser
2017-08-12 23:38:54 CEST

David Walser
2017-08-13 23:39:37 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

- CVE-2015-8981 => https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8981 => Is fixed on our rpms
- CVE-2017-738[1-3] => Is not yet fixed upstream
- CVE-2017-684[1235689] => Is not yet fixed upstream

CC: (none) => mageia

Dropping Mageia 5 from this bug for the unfixed issues.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
David Walser
2018-02-02 18:16:30 CET

Status comment: (none) => Not fixed upstream as of August 2017

Fedora has fixes for some of these issues and more.

Fedora has issued an advisory for this today (June 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2U7MKKI2OP43FRIS44DJXIJYDWTNAWQ6/

Status comment: Not fixed upstream as of August 2017 => Patches available from Fedora and Debian

SUSE has issued an advisory on August 22:
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004491.html

It looks like CVE-2017-8054, CVE-2018-5308, CVE-2018-8001 are new.

Fedora has issued an advisory today (December 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QYCCO7ZOZI6KUCLH6IZ5XS5LDANULNR4/

It fixes: CVE-2018-5783, CVE-2018-1125[4-6], CVE-2018-12982, CVE-2018-14320, CVE-2018-19532

openSUSE has issued an advisory on January 18:
https://lists.opensuse.org/opensuse-updates/2019-01/msg00066.html

It looks like CVE-2017-7994, CVE-2018-529[56], CVE-2018-5309 are new.

openSUSE says 0.9.6 fixes:
(CVE-2017-5852, boo#1023067, CVE-2017-5853, boo#1023069, CVE-2017-5854, boo#1023070, CVE-2017-5855, boo#1023071, CVE-2017-5886, boo#1023380, CVE-2017-6840, boo#1027787, CVE-2017-6844, boo#1027782, CVE-2017-6845, boo#1027779, CVE-2017-6847, boo#1027778, CVE-2017-7378, boo#1032017, CVE-2017-7379, boo#1032018, CVE-2017-7380, boo#1032019, CVE-2017-7994, boo#1035534, CVE-2017-8054, boo#1035596, CVE-2017-8787, boo#1037739, CVE-2018-5295, boo#1075026, CVE-2018-5296, boo#1075021, CVE-2018-5308, boo#1075772, CVE-2018-5309, boo#1075322, CVE-2018-8001, boo#1084894)

I don't know how many of those fixes are in the snapshots (the one in mga6 is older) we had in mga6 and Cauldron. I updated to 0.9.6 final.

Fedora added post-0.9.6 patches that fix:
CVE-2018-5783, CVE-2018-11254, CVE-2018-11255, CVE-2018-11256, CVE-2018-12982, CVE-2018-14320, CVE-2018-19532

I added those patches as well.

Unfortunately, we got two different build errors:
http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20190121020335.luigiwalser.duvel.8543/log/podofo-0.9.6-1.mga6/build.0.20190121020413.log
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190121020315.luigiwalser.duvel.8434/log/podofo-0.9.6-1.mga7/build.0.20190121020407.log

Advisory:
========================

Updated podofo packages fix security vulnerabilities:

The podofo package has been updated to fix several security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14320
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19532
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2U7MKKI2OP43FRIS44DJXIJYDWTNAWQ6/
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004491.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QYCCO7ZOZI6KUCLH6IZ5XS5LDANULNR4/
https://lists.opensuse.org/opensuse-updates/2019-01/msg00066.html
========================

Updated packages in core/updates_testing:
========================

podofo-0.9.6-1.mga6
libpodofo0.9.6-0.9.6-1.mga6
libpodofo-devel-0.9.6-1.mga6

from podofo-0.9.6-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Working through the CVEs currently. Testing the PoC files before updating podofo. Shall attach the report because it is likely to be quite lengthy.

CC: (none) => tarazed25

Created attachment 10684
Summary of POC tests before update

Before updating, successfully merged two PDFs into a third PDF the sum of whose pages was the same as the sum of the two initial PDFs. That was determined by running podofopdfinfo.

*After updates*

------------------------------------------------------------------------------
CVE-2018-5295

The output matched that produced before the update. Good result in the sense that the file was diagnosed as faulty and handled accordingly.

------------------------------------------------------------------------------
CVE-2018-5296

$ podofoimgextract podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf .
There are more objects (0 + 9560000000000 seemingly) in this XRef table than supported by standard PDF, or it's inconsistent.
<</Info 2 0 R/Root 1 0 R/Size 95>>
Error: An error 16 ocurred during processing the pdf file.
[...]

This is similar to the earlier output but expands the details. Good result.

------------------------------------------------------------------------------
CVE-2018-5308

$ podofoimgextract podofo_0-9-5_podofoimgextract_undefined-behavior_PdfMemoryOutputStream-Write.pdf .
Error: An error 2 ocurred during processing the pdf file.
PoDoFo encountered an error. Error: 2 ePdfError_InvalidHandle
Error Description: A NULL handle was passed, but initialized data was expected.

A good result also. A different error number is returned and the message implies that the whole file was not read. The earlier test hit EOF unexpectedly.

------------------------------------------------------------------------------
CVE-2018-5309

$ podofoimgextract podofo_0-9-5_podofoimgextract_integer-overflow_PdfObjectStreamParserObject-ReadObjectsFromStream.pdf .
Error: An error 10 ocurred during processing the pdf file.
PoDoFo encountered an error. Error: 10 ePdfError_BrokenFile
Error Description: The file content is broken.

This mirrors the comment for CVE-2018-5308. Good.

------------------------------------------------------------------------------
CVE-2018-5783

$ podofoimgextract podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PoDoFo-PdfVecObjects-Reserve.pdf .
DEBUG: Call to PdfVecObjects::Reserve with 18446744073709551608 is over allowed limit of 8388607.
<</Type/XRef/DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<4DC91A1875A6D707AEC203BB021C93A0><F6C92B368A8A13408457A1D395A37EB9>]/Index[ 7 21]/Info 6 0 R/Length 52/Prev 7657/Root 8 0 R/Size -8/W[ 1 2 1]>>
Error: An error 16 ocurred during processing the pdf file.

No abort, so this is good.

------------------------------------------------------------------------------
CVE-2018-8001

$ podofogc podofo-heap-buffer-overread-PdfName-UnescapeName.pdf a.pdf

No change in the error return but the faulty file is handled without a crash. Good.

------------------------------------------------------------------------------
CVE-2018-11254

$ podofomerge crash.pdf crash.pdf out.pdf
[...]
Reference to invalid object: 1 0 R
Error 11 occurred!
PoDoFo encountered an error. Error: 11 ePdfError_PageNotFound
Error Description: The requested page could not be found in the PDF.

The segfault was avoided. Good.

------------------------------------------------------------------------------
CVE-2018-11255

$ podofopdfinfo crash1.pdf

The output was substantially the same as before so this is good.

------------------------------------------------------------------------------
CVE-2018-11256

$ podofomerge crash1.pdf crash1.pdf out.pdf
[...]
CRITICAL: Cannot find page 1 or page 1 has no parents. Cannot insert new page.

Similar output but no segfault. Good.

------------------------------------------------------------------------------
CVE-2018-12982

$ podofocolor dummy poc1 foo
WARNING: There are more objects (71) in this XRef table than specified in the size key of the trailer directory (37)!

Similar diagnostics as before but no segfault. Good.

------------------------------------------------------------------------------

These tests confirm that all but the last two issues (not mentioned in this list) were already fixed or trapped by the latest patches. A few utility tests show that the package is still working fine.

$ podofomerge pragpub-2009-07.pdf pragpub-2009-08.pdf pragpub.pdf
$ podofopdfinfo pragpub.pdf
$ podofogc metaprogramming-ruby_p3_0.pdf c.pdf
Parsing metaprogramming-ruby_p3_0.pdf ... (this might take a while) done
Writing... done
Parsed and wrote successfully

podofogc performs garbage collection on a designated PDF file. All output files were readable as PDFs.

Giving this a 64-bit OK.

Whiteboard: (none) => MGA6-64-OK

Advisory from comment 8. Thanks for your habitual exhaustive testing, Len.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0044.html

Status: NEW => RESOLVED
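The test summary above judges each PoC "good" when the podofo tool reports a PoDoFo error instead of crashing. As an added example that is not part of the bug report or of PoDoFo, the POSIX shell harness below automates that distinction: it runs a podofo tool over a directory of PoC files and classifies each run from its exit status, since a status of 128 or more means the process died from a signal (139 being 128 + SIGSEGV on Linux). The `./poc` directory and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from PoDoFo): classify how a
# podofo tool terminates on each input file, mirroring the manual checks in
# the test summary. Exit status meaning:
#   0         -> "ok"      (tool succeeded)
#   1..127    -> "error:N" (clean exit with an error, like the
#                           "An error 16 ocurred" cases in the report)
#   128 + sig -> "crash:S" (killed by signal S; 139 = SIGSEGV on Linux)

# classify_status STATUS -> prints ok | error:N | crash:S
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -ge 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# run_case CMD [ARGS...] -> runs the command with its output discarded and
# prints "<classification> <command line>" on one line. The if/else keeps
# a failing command from tripping "set -e" in a calling script.
run_case() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    printf '%s %s\n' "$(classify_status "$status")" "$*"
}

# check_dir TOOL DIR [EXTRA...] -> runs TOOL on every *.pdf in DIR, with any
# EXTRA arguments (e.g. podofoimgextract's output directory) appended after
# the file name, one result line per file.
check_dir() {
    tool=$1
    dir=$2
    shift 2
    for pdf in "$dir"/*.pdf; do
        [ -e "$pdf" ] || continue   # empty directory: the glob stays literal
        run_case "$tool" "$pdf" "$@"
    done
}

# Example run over an assumed ./poc directory; only executed when the tool
# is actually installed, so the file can be sourced for its functions.
if command -v podofoimgextract >/dev/null 2>&1; then
    check_dir podofoimgextract ./poc .
fi
```

For the uncontrolled-memory-allocation PoCs, running the tool under an address-space limit (for example `ulimit -v` in a subshell) keeps a bad allocation from taking the test machine down with it.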