CVEs have been assigned for security issues in podofo:
http://openwall.com/lists/oss-security/2017/02/02/15
http://openwall.com/lists/oss-security/2017/02/02/10
http://openwall.com/lists/oss-security/2017/02/02/11
http://openwall.com/lists/oss-security/2017/02/02/12
http://openwall.com/lists/oss-security/2017/02/02/13

The first was fixed in 0.9.4 (already in Cauldron). The rest have no fixes available yet.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
CVE-2017-5886 assigned for one that was missed: http://openwall.com/lists/oss-security/2017/02/05/4
Summary: podofo new security issues CVE-2015-8981 and CVE-2017-585[2-5] => podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], and CVE-2017-5886
Several more issues in podofo posted today (March 2): http://openwall.com/lists/oss-security/2017/03/02/
(In reply to David Walser from comment #3)
> Several more issues in podofo posted today (March 2):
> http://openwall.com/lists/oss-security/2017/03/02/

CVE assignments were posted today (March 13):
http://openwall.com/lists/oss-security/2017/03/13/

CVE-2017-684[0-9] were assigned.
Summary: podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], and CVE-2017-5886 => podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], CVE-2017-5886, and CVE-2017-684[0-9]
CVE-2017-737[89] and CVE-2017-738[0-3]:
http://openwall.com/lists/oss-security/2017/04/01/1
http://openwall.com/lists/oss-security/2017/04/01/2
http://openwall.com/lists/oss-security/2017/04/01/3
Summary: podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], CVE-2017-5886, and CVE-2017-684[0-9] => podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], CVE-2017-5886, CVE-2017-684[0-9], CVE-2017-737[89], CVE-2017-738[0-3]
For reference, reverse deps check:
$ urpmf --synthesis /tmp/synthesis.hdlist.cz --requires :.*podofo
scribus:podofo-devel
calibre:podofo-devel
krename:podofo-devel

But we likely don't need to drop it; apparently many of the CVEs are fixed in the current SVN trunk (future 0.9.6): https://sourceforge.net/p/podofo/code/commit_browser

I'll try packaging the current trunk and list the actual fixed CVEs.
Assignee: pkg-bugs => rverschelde
According to the SVN changelog, as of r1855 the following CVEs are patched:
- CVE-2017-5852
- CVE-2017-5853
- CVE-2017-5854
- CVE-2017-5855
- CVE-2017-5886
- CVE-2017-6840
- CVE-2017-6844
- CVE-2017-6847
- CVE-2017-7378
- CVE-2017-7379
- CVE-2017-7380
- CVE-2017-7794
- CVE-2017-8787

I've pushed podofo-0.9.6-0.r1855.1.mga6 which addresses the above list (and taken over maintainership, hope it doesn't turn out like with mupdf :P).

So those CVEs would be missing (unless fixed already but undocumented - some of the changes in 0.9.5's changelog appear security relevant, but don't mention any CVE):
- CVE-2015-8981
- CVE-2017-684[1235689]
- CVE-2017-738[1-3]
Summary: podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], CVE-2017-5886, CVE-2017-684[0-9], CVE-2017-737[89], CVE-2017-738[0-3] => podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], CVE-2017-5886, CVE-2017-684[0-9], CVE-2017-737[89], CVE-2017-738[0-3], CVE-2017-8787
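The set arithmetic behind the r1855 comment above, as an added example that is not part of this bug report or of podofo: it expands the bracket shorthand used in the bug summary (e.g. CVE-2017-684[0-9]) and splits the tracked list into what the changelog patches (advisory material), what is still open (candidate for a follow-up bug), and what the changelog patches but the summary never tracked. The two input lists are copied from the thread, not fetched from anywhere.

```python
import re

# Copied from this bug's summary and the r1855 changelog comment; not podofo's own data.
TRACKED = [
    "CVE-2015-8981", "CVE-2017-585[2-5]", "CVE-2017-5886", "CVE-2017-684[0-9]",
    "CVE-2017-737[89]", "CVE-2017-738[0-3]", "CVE-2017-8787",
]
PATCHED_R1855 = [
    "CVE-2017-5852", "CVE-2017-5853", "CVE-2017-5854", "CVE-2017-5855",
    "CVE-2017-5886", "CVE-2017-6840", "CVE-2017-6844", "CVE-2017-6847",
    "CVE-2017-7378", "CVE-2017-7379", "CVE-2017-7380", "CVE-2017-7794",
    "CVE-2017-8787",
]

_SHORTHAND = re.compile(r"^(CVE-\d{4}-\d*)\[([^\]]+)\]$")

def expand(shorthand):
    """Expand bug-tracker shorthand such as 'CVE-2017-684[1235689]' or
    'CVE-2017-585[2-5]' into a set of full IDs; a plain ID passes through."""
    m = _SHORTHAND.match(shorthand)
    if not m:
        return {shorthand}
    prefix, body = m.groups()
    ids = set()
    # The bracket may mix single digits and ranges, e.g. "[0-35]".
    for part in re.findall(r"\d-\d|\d", body):
        for d in range(int(part[0]), int(part[-1]) + 1):
            ids.add(f"{prefix}{d}")
    return ids

def expand_all(items):
    ids = set()
    for s in items:
        ids |= expand(s)
    return ids

def triage(tracked, patched):
    """Return (fixed, still_open, patched_but_untracked), each sorted, so the
    advisory lists exactly the fixed IDs and the rest go to a new bug report."""
    t, p = expand_all(tracked), expand_all(patched)
    return sorted(t & p), sorted(t - p), sorted(p - t)

if __name__ == "__main__":
    fixed, still_open, untracked = triage(TRACKED, PATCHED_R1855)
    print("fixed in r1855:", ", ".join(fixed))
    print("still open:", ", ".join(still_open))
    print("patched but not in the summary:", ", ".join(untracked))
```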
Thanks for all of your work here. I just wish those applications would switch to poppler instead of the less consistently maintained podofo.
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
Maybe we can validate the CVEs fixed and open a new bug report for the ones still not fixed?
CC: (none) => mageia
Sure.
Pushing to validation for the fixed CVEs.
Assignee: rverschelde => qa-bugs
Blocks: (none) => 21511
Do we have a build for Mageia 5? What issues are we fixing? What's the package list?
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => rverschelde
Version: Cauldron => 6
(In reply to David Walser from comment #12)
> Do we have a build for Mageia 5?

Nope.
CC: rverschelde => qa-bugs
Assignee: qa-bugs => rverschelde
I see Nicolas is working on a Mageia 5 update. Make sure you rebuild all of the packages linked to the podofo library before assigning this back to QA (library major changed).
podofo-0.9.6-0.r1855.1.mga5
libpodofo0.9.6-0.9.6-0.r1855.1.mga5
libpodofo-devel-0.9.6-0.r1855.1.mga5

from podofo-0.9.6-0.r1855.1.mga5.src.rpm

is the package list for podofo itself. I just checked Mageia 6 updates_testing and I actually don't see podofo there...
Done now for Mageia 5. Rebuilt:
src.rpm:
krename-4.0.9-6.1.mga5
calibre-2.78.0-1.1.mga5
because it seems this has been updated in Mageia 6 before the release:
6/SRPMS/core/release/podofo-0.9.6-0.r1855.1.mga6.src.rpm
Ahh thanks. Now we just need to know what we're fixing and to make some sort of advisory.

podofo-0.9.6-0.r1855.1.mga5
libpodofo0.9.6-0.9.6-0.r1855.1.mga5
libpodofo-devel-0.9.6-0.r1855.1.mga5
krename-4.0.9-6.1.mga5
calibre-2.78.0-1.1.mga5

from SRPMS:
podofo-0.9.6-0.r1855.1.mga5.src.rpm
krename-4.0.9-6.1.mga5.src.rpm
calibre-2.78.0-1.1.mga5.src.rpm
Whiteboard: MGA5TOO => (none)
Version: 6 => 5
Assignee: qa-bugs => rverschelde
Advisory:
========================

Updated podofo packages fix security vulnerabilities:

The podofo package has been updated to fix several security issues. The krename and calibre packages have been rebuilt against the updated podofo.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8787
http://openwall.com/lists/oss-security/2017/02/02/10
http://openwall.com/lists/oss-security/2017/02/02/11
http://openwall.com/lists/oss-security/2017/02/02/12
http://openwall.com/lists/oss-security/2017/02/02/13
http://openwall.com/lists/oss-security/2017/02/05/4
http://openwall.com/lists/oss-security/2017/03/13/10
http://openwall.com/lists/oss-security/2017/03/13/14
http://openwall.com/lists/oss-security/2017/03/13/17
http://openwall.com/lists/oss-security/2017/04/01/1
http://openwall.com/lists/oss-security/2017/04/01/2
http://openwall.com/lists/oss-security/2017/04/01/3
========================

Updated packages in core/updates_testing:
========================
podofo-0.9.6-0.r1855.1.mga5
libpodofo0.9.6-0.9.6-0.r1855.1.mga5
libpodofo-devel-0.9.6-0.r1855.1.mga5
krename-4.0.9-6.1.mga5
calibre-2.78.0-1.1.mga5

from SRPMS:
podofo-0.9.6-0.r1855.1.mga5.src.rpm
krename-4.0.9-6.1.mga5.src.rpm
calibre-2.78.0-1.1.mga5.src.rpm
CC: qa-bugs => rverschelde
Assignee: rverschelde => qa-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
Looking at this later in the day.

Tools in /bin:
podofobox
podofocolor
podofocountpages
podofocrop
podofoencrypt
podofogc
podofoimg2pdf
podofoimgextract
podofoimpose
podofoincrementalupdates
podofomerge
podofopages
podofopdfinfo
podofotxt2pdf
podofotxtextract
podofouncompress
podofoxmp
CC: (none) => tarazed25
Mageia 5 :: x86_64

There are POCs for the CVEs but they are not much use without the fuzzing environment UBSan which exposed the issues in the first place. When run with podofopdfinfo they detect the files as "not a PDF". That observation is based on a sample of three.

The library tools need a bit of research to be useful so we should skip some of these.

Usage examples.

podofobox
The podofobox tool can set the media,crop,bleed,trim and art box on pages of a PDF file.

$ podofocolor
Usage: podofocolor [converter] [inputfile] [outpufile]
[converter] can be one of: dummy|grayscale|lua [planfile]
podofocolor is a tool to change all colors in a PDF file based on a predefined or Lua description.

$ podofocrop
Usage: podofocrop input.pdf output.pdf
This tool will crop all pages.
It requires ghostscript to be in your PATH

$ podofocrop MasteringPython.pdf qa.pdf
$ ll qa.pdf MasteringPython.pdf
-rw-r--r-- 1 lcl lcl 35267933 Aug 12  2016 MasteringPython.pdf
-rw-r--r-- 1 lcl lcl 34649552 Jan  2 10:53 qa.pdf

Installed the updates and used some of the tools.

$ podofocrop MasteringPython.pdf qa.pdf
Cropping file: MasteringPython.pdf
Writing to   : qa.pdf
......................
$ ll qa.pdf MasteringPython.pdf
-rw-r--r-- 1 lcl lcl 35267933 Aug 12  2016 MasteringPython.pdf
-rw-r--r-- 1 lcl lcl 34649552 Jan  2 11:04 qa.pdf

Used calibre to compare the two files. The output file pages had been cropped to enclose just the content of each page. The original wide margins were gone. So that works.

Processed the original PDF in calibre - converted it to EPUB format, splitting at 260 KB per page. Went hunting for the result but could not find it. However, it was actually stored in the Virtual Library and could be viewed from there. The page splitting was very obvious - over 700 pages in total.

$ podofocountpages MasteringPython.pdf
486

Found later that the virtual library is actually ~user/'Calibre Library' and everything is still there.
$ podofoimg2pdf
Usage: podofoimg2pdf [output.pdf] [-useimgsize] [image1 image2 image3 ...]

$ podofoimg2pdf asteroids.pdf /data/images/asteroids/*.jpg
This listed all the JPEG files and then faulted with error 45 - ePdfError_UnsupportedImageFormat - which is odd because there are no more images in the directory. Need to check that this is not a regression.

$ podofoimgextract MasteringPython.pdf qa
<output images listed as PPM or JPEG files>
Extracted 88 images sucessfully from the PDF file.

The images in directory ./qa all looked OK.

Tested krename on the new qa image directory. Successfully selected 10 .ppm files and renamed them as *.PPM.

This update should probably deserve an OK but I need to check for a possible regression.
Discovered using eom that there was a corrupt .jpg file in the asteroids directory. Removed that and ran the test again.

$ podofoimg2pdf asteroids.pdf asteroids/*.jpg
.......................
Wrote PDF successfully: asteroids.pdf.

asteroids.pdf is a valid PDF file viewable in calibre.
$ calibre asteroids.pdf

No regression on the basis of that test.
URL: (none) => MGA5-64-OK
URL: MGA5-64-OK => (none)
Whiteboard: (none) => MGA5-64-OK
Thank you yet again Len for probing testing. This looks a really useful toolset if only one knows about it. Validating.
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0026.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED