+++ This bug was initially created as a clone of Bug #20234 +++

CVEs have been assigned for security issues in podofo:
http://openwall.com/lists/oss-security/2017/02/02/15
http://openwall.com/lists/oss-security/2017/02/02/10
http://openwall.com/lists/oss-security/2017/02/02/11
http://openwall.com/lists/oss-security/2017/02/02/12
http://openwall.com/lists/oss-security/2017/02/02/13

The first was fixed in 0.9.4 (already in Cauldron).

CVE-2017-5886 assigned for one that was missed:
http://openwall.com/lists/oss-security/2017/02/05/4

Several more issues in podofo posted today (March 2):
http://openwall.com/lists/oss-security/2017/03/02/

CVE assignments were posted today (March 13):
http://openwall.com/lists/oss-security/2017/03/13/

CVE-2017-684[0-9] were assigned.

CVE-2017-737[89] and CVE-2017-738[0-3]:
http://openwall.com/lists/oss-security/2017/04/01/1
http://openwall.com/lists/oss-security/2017/04/01/2
http://openwall.com/lists/oss-security/2017/04/01/3

From Rémi:

According to the SVN changelog, as of r1855 the following CVEs are patched:
- CVE-2017-5852
- CVE-2017-5853
- CVE-2017-5854
- CVE-2017-5855
- CVE-2017-5886
- CVE-2017-6840
- CVE-2017-6844
- CVE-2017-6847
- CVE-2017-7378
- CVE-2017-7379
- CVE-2017-7380
- CVE-2017-7794
- CVE-2017-8787

I've pushed podofo-0.9.6-0.r1855.1.mga6 which addresses the above list (and taken over maintainership, hope it doesn't turn out like with mupdf :P).

So those CVEs would be missing (unless fixed already but undocumented - some of the changes in 0.9.5's changelog appear security relevant, but don't mention any CVE):
- CVE-2015-8981
- CVE-2017-684[1235689]
- CVE-2017-738[1-3]

Cloning the bug for the unfixed issues.
Whiteboard: (none) => MGA6TOO, MGA5TOO
- CVE-2015-8981 => https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8981 => Is fixed in our rpms
- CVE-2017-738[1-3] => Is not yet fixed upstream
- CVE-2017-684[1235689] => Is not yet fixed upstream
CC: (none) => mageia
Dropping Mageia 5 from this bug for the unfixed issues.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Status comment: (none) => Not fixed upstream as of August 2017
Fedora has fixes for some of these issues and more. Fedora has issued an advisory for this today (June 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2U7MKKI2OP43FRIS44DJXIJYDWTNAWQ6/
Status comment: Not fixed upstream as of August 2017 => Patches available from Fedora and Debian
SUSE has issued an advisory on August 22: http://lists.suse.com/pipermail/sle-security-updates/2018-August/004491.html It looks like CVE-2017-8054, CVE-2018-5308, CVE-2018-8001 are new.
Fedora has issued an advisory today (December 25): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QYCCO7ZOZI6KUCLH6IZ5XS5LDANULNR4/ It fixes: CVE-2018-5783, CVE-2018-1125[4-6], CVE-2018-12982, CVE-2018-14320, CVE-2018-19532
openSUSE has issued an advisory on January 18: https://lists.opensuse.org/opensuse-updates/2019-01/msg00066.html It looks like CVE-2017-7994, CVE-2018-529[56], CVE-2018-5309 are new.
openSUSE says 0.9.6 fixes:
(CVE-2017-5852, boo#1023067, CVE-2017-5853, boo#1023069, CVE-2017-5854, boo#1023070, CVE-2017-5855, boo#1023071, CVE-2017-5886, boo#1023380, CVE-2017-6840, boo#1027787, CVE-2017-6844, boo#1027782, CVE-2017-6845, boo#1027779, CVE-2017-6847, boo#1027778, CVE-2017-7378, boo#1032017, CVE-2017-7379, boo#1032018, CVE-2017-7380, boo#1032019, CVE-2017-7994, boo#1035534, CVE-2017-8054, boo#1035596, CVE-2017-8787, boo#1037739, CVE-2018-5295, boo#1075026, CVE-2018-5296, boo#1075021, CVE-2018-5308, boo#1075772, CVE-2018-5309, boo#1075322, CVE-2018-8001, boo#1084894)

I don't know how many of those fixes are in the snapshots we had in mga6 and Cauldron (the one in mga6 is older). I updated to 0.9.6 final.

Fedora added post-0.9.6 patches that fix:
CVE-2018-5783, CVE-2018-11254, CVE-2018-11255, CVE-2018-11256, CVE-2018-12982, CVE-2018-14320, CVE-2018-19532

I added those patches as well. Unfortunately, we got two different build errors:
http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20190121020335.luigiwalser.duvel.8543/log/podofo-0.9.6-1.mga6/build.0.20190121020413.log
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190121020315.luigiwalser.duvel.8434/log/podofo-0.9.6-1.mga7/build.0.20190121020407.log
Advisory:
========================

Updated podofo packages fix security vulnerabilities:

The podofo package has been updated to fix several security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14320
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19532
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2U7MKKI2OP43FRIS44DJXIJYDWTNAWQ6/
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004491.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QYCCO7ZOZI6KUCLH6IZ5XS5LDANULNR4/
https://lists.opensuse.org/opensuse-updates/2019-01/msg00066.html
========================

Updated packages in core/updates_testing:
========================
podofo-0.9.6-1.mga6
libpodofo0.9.6-0.9.6-1.mga6
libpodofo-devel-0.9.6-1.mga6

from podofo-0.9.6-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)
Assignee: rverschelde => qa-bugs
Version: Cauldron => 6
Working through the CVEs currently. Testing the PoC files before updating podofo. Shall attach the report because it is likely to be quite lengthy.
CC: (none) => tarazed25
Created attachment 10684: Summary of POC tests before update
Before updating, I successfully merged two PDFs into a third PDF, the sum of whose pages was the same as the sum of the two initial PDFs. That was determined by running podofopdfinfo.

*After updates*

------------------------------------------------------------------------------
CVE-2018-5295

The output matched that produced before the update. Good result in the sense that the file was diagnosed as faulty and handled accordingly.

------------------------------------------------------------------------------
CVE-2018-5296

$ podofoimgextract podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf .
There are more objects (0 + 9560000000000 seemingly) in this XRef table than supported by standard PDF, or it's inconsistent.
<</Info 2 0 R/Root 1 0 R/Size 95>>
Error: An error 16 ocurred during processing the pdf file.
[...]

This is similar to the earlier output but expands the details. Good result.

------------------------------------------------------------------------------
CVE-2018-5308

$ podofoimgextract podofo_0-9-5_podofoimgextract_undefined-behavior_PdfMemoryOutputStream-Write.pdf .
Error: An error 2 ocurred during processing the pdf file.
PoDoFo encountered an error. Error: 2 ePdfError_InvalidHandle
Error Description: A NULL handle was passed, but initialized data was expected.

A good result also. A different error number is returned and the message implies that the whole file was not read. The earlier test hit EOF unexpectedly.

------------------------------------------------------------------------------
CVE-2018-5309

$ podofoimgextract podofo_0-9-5_podofoimgextract_integer-overflow_PdfObjectStreamParserObject-ReadObjectsFromStream.pdf .
Error: An error 10 ocurred during processing the pdf file.
PoDoFo encountered an error. Error: 10 ePdfError_BrokenFile
Error Description: The file content is broken.

This mirrors the comment for CVE-2018-5308. Good.

------------------------------------------------------------------------------
CVE-2018-5783

$ podofoimgextract podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PoDoFo-PdfVecObjects-Reserve.pdf .
DEBUG: Call to PdfVecObjects::Reserve with 18446744073709551608 is over allowed limit of 8388607.
<</Type/XRef/DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<4DC91A1875A6D707AEC203BB021C93A0><F6C92B368A8A13408457A1D395A37EB9>]/Index[ 7 21]/Info 6 0 R/Length 52/Prev 7657/Root 8 0 R/Size -8/W[ 1 2 1]>>
Error: An error 16 ocurred during processing the pdf file.

No abort, so this is good.

------------------------------------------------------------------------------
CVE-2018-8001

$ podofogc podofo-heap-buffer-overread-PdfName-UnescapeName.pdf a.pdf

No change in the error return but the faulty file is handled without a crash. Good.

------------------------------------------------------------------------------
CVE-2018-11254

$ podofomerge crash.pdf crash.pdf out.pdf
[...]
Reference to invalid object: 1 0 R
Error 11 occurred!
PoDoFo encountered an error. Error: 11 ePdfError_PageNotFound
Error Description: The requested page could not be found in the PDF.

The segfault was avoided. Good.

------------------------------------------------------------------------------
CVE-2018-11255

$ podofopdfinfo crash1.pdf

The output was substantially the same as before so this is good.

------------------------------------------------------------------------------
CVE-2018-11256

$ podofomerge crash1.pdf crash1.pdf out.pdf
[...]
CRITICAL: Cannot find page 1 or page 1 has no parents. Cannot insert new page.

Similar output but no segfault. Good.

------------------------------------------------------------------------------
CVE-2018-12982

$ podofocolor dummy poc1 foo
WARNING: There are more objects (71) in this XRef table than specified in the size key of the trailer directory (37)!

Similar diagnostics as before but no segfault. Good.

------------------------------------------------------------------------------

These tests confirm that all but the last two issues (not mentioned in this list) were already fixed or trapped by the latest patches.

A few utility tests show that the package is still working fine.

$ podofomerge pragpub-2009-07.pdf pragpub-2009-08.pdf pragpub.pdf
$ podofopdfinfo pragpub.pdf
$ podofogc metaprogramming-ruby_p3_0.pdf c.pdf
Parsing metaprogramming-ruby_p3_0.pdf ... (this might take a while)
done
Writing...
done
Parsed and wrote successfully

podofogc performs garbage collection on a designated PDF file.

All output files were readable as PDFs. Giving this a 64-bit OK.
Whiteboard: (none) => MGA6-64-OK
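The test procedure in the report above (feed each PoC file to the podofo tool it targets and call the result good when the file is rejected with a PoDoFo error instead of a segfault or abort) can be scripted so it is repeatable for the next update. The harness below is an added example, not code from the bug report or from PoDoFo: it reuses the real tool names and the PoC filenames quoted in the log, assumes those files sit in the current directory, and classifies each run by exit status and output. The crash markers and the `ePdfError_` pattern are assumptions chosen to match the output shown in the log.

```python
#!/usr/bin/env python3
"""Re-run a set of PoDoFo PoC files and classify each result.

Added example; not part of the Mageia bug report or of PoDoFo itself.
Tool names are the real PoDoFo utilities from the test log; PoC filenames
are taken from the log and assumed to be in the current directory.  The
crash markers and the "handled" heuristic are assumptions.
"""
import os
import re
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass

# Output that means memory corruption was actually reached, as opposed to
# a graceful refusal (assumption: sanitizer builds or glibc abort banners).
CRASH_MARKERS = (
    "AddressSanitizer",
    "UndefinedBehaviorSanitizer",
    "runtime error:",
    "double free or corruption",
    "Segmentation fault",
)

@dataclass
class Outcome:
    verdict: str   # "ok", "handled", "crash" or "skipped"
    reason: str

def classify(returncode: int, stderr: str, stdout: str = "") -> Outcome:
    """Tell a clean run, a trapped PoDoFo error and a real crash apart.

    subprocess reports death by signal as a negative return code (SIGSEGV
    is -11, SIGABRT is -6).  A PoDoFo exception instead prints
    "PoDoFo encountered an error." plus "Error: N ePdfError_..." and exits
    non-zero, which is what the test log counts as a good result.
    """
    text = stdout + stderr
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = str(-returncode)
        return Outcome("crash", f"killed by signal {name}")
    if any(marker in text for marker in CRASH_MARKERS):
        return Outcome("crash", "sanitizer or libc abort output")
    if returncode == 0:
        return Outcome("ok", "exit status 0")
    m = re.search(r"Error: (\d+) (ePdfError_\w+)", text)
    if m:
        return Outcome("handled", f"PoDoFo error {m.group(1)} {m.group(2)}")
    return Outcome("handled", f"non-zero exit {returncode}, no crash marker")

def run_case(argv, timeout=60) -> Outcome:
    """Run one PoDoFo command line and classify it; a hang counts as a failure."""
    try:
        p = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return Outcome("skipped", f"{argv[0]} is not installed")
    except subprocess.TimeoutExpired:
        return Outcome("crash", f"no result after {timeout}s (possible hang)")
    return classify(p.returncode, p.stderr, p.stdout)

def build_cases(outdir):
    """CVE -> command line, using the PoC filenames quoted in the test log."""
    return {
        "CVE-2018-5296": ["podofoimgextract",
            "podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf", outdir],
        "CVE-2018-5308": ["podofoimgextract",
            "podofo_0-9-5_podofoimgextract_undefined-behavior_PdfMemoryOutputStream-Write.pdf", outdir],
        "CVE-2018-5309": ["podofoimgextract",
            "podofo_0-9-5_podofoimgextract_integer-overflow_PdfObjectStreamParserObject-ReadObjectsFromStream.pdf", outdir],
        "CVE-2018-5783": ["podofoimgextract",
            "podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PoDoFo-PdfVecObjects-Reserve.pdf", outdir],
        "CVE-2018-8001": ["podofogc", "podofo-heap-buffer-overread-PdfName-UnescapeName.pdf", f"{outdir}/a.pdf"],
        "CVE-2018-11254": ["podofomerge", "crash.pdf", "crash.pdf", f"{outdir}/out.pdf"],
        "CVE-2018-11255": ["podofopdfinfo", "crash1.pdf"],
        "CVE-2018-11256": ["podofomerge", "crash1.pdf", "crash1.pdf", f"{outdir}/out1.pdf"],
    }

def main() -> int:
    outdir = tempfile.mkdtemp(prefix="podofo-poc-")
    crashes = 0
    for cve, argv in build_cases(outdir).items():
        if not os.path.exists(argv[1]):
            print(f"{cve:16} skipped  PoC file {argv[1]} not present")
            continue
        o = run_case(argv)
        print(f"{cve:16} {o.verdict:8} {o.reason}")
        crashes += o.verdict == "crash"
    return 1 if crashes else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it in the directory holding the PoC files, once against the old package and once against the candidate; the exit status is non-zero only if some PoC still kills a tool by signal, shows sanitizer output, or hangs. A missing-file error from the tool would otherwise be indistinguishable from a trapped PoDoFo error, which is why missing PoCs are skipped before the tool is invoked.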
Advisory from comment 8. Thanks for your habitual exhaustive testing, Len.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0044.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED