Bug 21511 - podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], CVE-2017-5886, CVE-2017-684[0-9], CVE-2017-737[89], CVE-2017-738[0-3], CVE-2017-8787
Summary: podofo new security issues CVE-2015-8981, CVE-2017-585[2-5], CVE-2017-5886, C...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on: 20234
Blocks:
Reported: 2017-08-12 23:38 CEST by David Walser
Modified: 2019-01-23 16:51 CET (History)

See Also:
Source RPM: podofo-0.9.4-1.mga6.src.rpm
CVE:
Status comment: Patches available from Fedora and Debian


Attachments
Summary of POC tests before update (4.75 KB, text/plain)
2019-01-21 21:30 CET, Len Lawrence

Description David Walser 2017-08-12 23:38:54 CEST
+++ This bug was initially created as a clone of Bug #20234 +++

CVEs have been assigned for security issues in podofo:
http://openwall.com/lists/oss-security/2017/02/02/15
http://openwall.com/lists/oss-security/2017/02/02/10
http://openwall.com/lists/oss-security/2017/02/02/11
http://openwall.com/lists/oss-security/2017/02/02/12
http://openwall.com/lists/oss-security/2017/02/02/13

The first was fixed in 0.9.4 (already in Cauldron).

CVE-2017-5886 assigned for one that was missed:
http://openwall.com/lists/oss-security/2017/02/05/4

Several more issues in podofo posted today (March 2):
http://openwall.com/lists/oss-security/2017/03/02/

CVE assignments were posted today (March 13):
http://openwall.com/lists/oss-security/2017/03/13/

CVE-2017-684[0-9] were assigned.

CVE-2017-737[89] and CVE-2017-738[0-3]:
http://openwall.com/lists/oss-security/2017/04/01/1
http://openwall.com/lists/oss-security/2017/04/01/2
http://openwall.com/lists/oss-security/2017/04/01/3

From Rémi:
According to the SVN changelog, as of r1855 the following CVEs are patched:
- CVE-2017-5852
- CVE-2017-5853
- CVE-2017-5854
- CVE-2017-5855
- CVE-2017-5886
- CVE-2017-6840
- CVE-2017-6844
- CVE-2017-6847
- CVE-2017-7378
- CVE-2017-7379
- CVE-2017-7380
- CVE-2017-7794
- CVE-2017-8787

I've pushed podofo-0.9.6-0.r1855.1.mga6 which addresses the above list (and taken over maintainership, hope it doesn't turn out like with mupdf :P).

So those CVEs would be missing (unless fixed already but undocumented - some of the changes in 0.9.5's changelog appear security relevant, but don't mention any CVE):
- CVE-2015-8981
- CVE-2017-684[1235689]
- CVE-2017-738[1-3]

Cloning the bug for the unfixed issues.
David Walser 2017-08-13 23:39:37 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Nicolas Lécureuil 2017-08-14 00:34:00 CEST
- CVE-2015-8981 => https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8981 => is fixed in our RPMs
- CVE-2017-738[1-3] => not yet fixed upstream
- CVE-2017-684[1235689] => not yet fixed upstream

CC: (none) => mageia

Comment 2 David Walser 2017-12-29 02:34:04 CET
Dropping Mageia 5 from this bug for the unfixed issues.

Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO

David Walser 2018-02-02 18:16:30 CET

Status comment: (none) => Not fixed upstream as of August 2017

Comment 3 David Walser 2018-06-25 23:12:23 CEST
Fedora has fixes for some of these issues and more.

Fedora has issued an advisory for this today (June 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2U7MKKI2OP43FRIS44DJXIJYDWTNAWQ6/

Status comment: Not fixed upstream as of August 2017 => Patches available from Fedora and Debian

Comment 4 David Walser 2018-08-28 23:09:57 CEST
SUSE has issued an advisory on August 22:
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004491.html

It looks like CVE-2017-8054, CVE-2018-5308, CVE-2018-8001 are new.
Comment 5 David Walser 2018-12-25 21:58:25 CET
Fedora has issued an advisory today (December 25):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QYCCO7ZOZI6KUCLH6IZ5XS5LDANULNR4/

It fixes:
CVE-2018-5783, CVE-2018-1125[4-6], CVE-2018-12982, CVE-2018-14320, CVE-2018-19532
Comment 6 David Walser 2019-01-19 17:43:07 CET
openSUSE has issued an advisory on January 18:
https://lists.opensuse.org/opensuse-updates/2019-01/msg00066.html

It looks like CVE-2017-7994, CVE-2018-529[56], CVE-2018-5309 are new.
Comment 7 David Walser 2019-01-21 03:10:01 CET
openSUSE says 0.9.6 fixes:
  (CVE-2017-5852, boo#1023067, CVE-2017-5853, boo#1023069,
   CVE-2017-5854, boo#1023070, CVE-2017-5855, boo#1023071,
   CVE-2017-5886, boo#1023380, CVE-2017-6840, boo#1027787,
   CVE-2017-6844, boo#1027782, CVE-2017-6845, boo#1027779,
   CVE-2017-6847, boo#1027778, CVE-2017-7378, boo#1032017,
   CVE-2017-7379, boo#1032018, CVE-2017-7380, boo#1032019,
   CVE-2017-7994, boo#1035534, CVE-2017-8054, boo#1035596,
   CVE-2017-8787, boo#1037739, CVE-2018-5295, boo#1075026,
   CVE-2018-5296, boo#1075021, CVE-2018-5308, boo#1075772,
   CVE-2018-5309, boo#1075322, CVE-2018-8001, boo#1084894)

I don't know how many of those fixes are in the snapshots (the one in mga6 is older) we had in mga6 and Cauldron.  I updated to 0.9.6 final.

Fedora added post-0.9.6 patches that fix:
   CVE-2018-5783, CVE-2018-11254, CVE-2018-11255, CVE-2018-11256,
   CVE-2018-12982, CVE-2018-14320, CVE-2018-19532

I added those patches as well.

Unfortunately, we got two different build errors:
http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20190121020335.luigiwalser.duvel.8543/log/podofo-0.9.6-1.mga6/build.0.20190121020413.log
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20190121020315.luigiwalser.duvel.8434/log/podofo-0.9.6-1.mga7/build.0.20190121020407.log
Comment 8 David Walser 2019-01-21 18:46:30 CET
Advisory:
========================

Updated podofo packages fix security vulnerabilities:

The podofo package has been updated to fix several security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14320
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19532
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2U7MKKI2OP43FRIS44DJXIJYDWTNAWQ6/
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004491.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QYCCO7ZOZI6KUCLH6IZ5XS5LDANULNR4/
https://lists.opensuse.org/opensuse-updates/2019-01/msg00066.html
========================

Updated packages in core/updates_testing:
========================
podofo-0.9.6-1.mga6
libpodofo0.9.6-0.9.6-1.mga6
libpodofo-devel-0.9.6-1.mga6

from podofo-0.9.6-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Assignee: rverschelde => qa-bugs
Version: Cauldron => 6

Comment 9 Len Lawrence 2019-01-21 20:42:00 CET
Working through the CVEs currently.  Testing the PoC files before updating podofo.  Shall attach the report because it is likely to be quite lengthy.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2019-01-21 21:30:06 CET
Created attachment 10684
Summary of POC tests before update
Comment 11 Len Lawrence 2019-01-22 00:54:07 CET
Before updating, I successfully merged two PDFs into a third PDF whose page count was the sum of the two initial PDFs' page counts. That was determined by running podofopdfinfo.


*After updates*

------------------------------------------------------------------------------
CVE-2018-5295
The output matched that produced before the update.
Good result in the sense that the file was diagnosed as faulty and handled accordingly.
------------------------------------------------------------------------------
CVE-2018-5296
$ podofoimgextract podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PdfParser-ReadXRefSubsection.pdf .
There are more objects (0 + 9560000000000 seemingly) in this XRef table than supported by standard PDF, or it's inconsistent.
<</Info 2 0 R/Root 1 0 R/Size 95>>
Error: An error 16 ocurred during processing the pdf file.
[...]

This is similar to the earlier output but expands the details.
Good result.
------------------------------------------------------------------------------
CVE-2018-5308
$ podofoimgextract podofo_0-9-5_podofoimgextract_undefined-behavior_PdfMemoryOutputStream-Write.pdf .
Error: An error 2 ocurred during processing the pdf file.
PoDoFo encountered an error. Error: 2 ePdfError_InvalidHandle
	Error Description: A NULL handle was passed, but initialized data was expected.

A good result also.  A different error number is returned and the message implies that the whole file was not read.  The earlier test hit EOF unexpectedly.
------------------------------------------------------------------------------
CVE-2018-5309
$ podofoimgextract podofo_0-9-5_podofoimgextract_integer-overflow_PdfObjectStreamParserObject-ReadObjectsFromStream.pdf .
Error: An error 10 ocurred during processing the pdf file.
PoDoFo encountered an error. Error: 10 ePdfError_BrokenFile
	Error Description: The file content is broken.

This mirrors the comment for CVE-2018-5308.  Good.
------------------------------------------------------------------------------
CVE-2018-5783
$ podofoimgextract podofo_0-9-5_podofoimgextract_uncontrolled-memory-allocation_PoDoFo-PdfVecObjects-Reserve.pdf .

DEBUG: Call to PdfVecObjects::Reserve with 18446744073709551608 is over allowed limit of 8388607.
<</Type/XRef/DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<4DC91A1875A6D707AEC203BB021C93A0><F6C92B368A8A13408457A1D395A37EB9>]/Index[ 7 21]/Info 6 0 R/Length 52/Prev 7657/Root 8 0 R/Size -8/W[ 1 2 1]>>
Error: An error 16 ocurred during processing the pdf file.

No abort, so this is good.
------------------------------------------------------------------------------
CVE-2018-8001
$ podofogc podofo-heap-buffer-overread-PdfName-UnescapeName.pdf a.pdf

No change in the error return but the faulty file is handled without a crash.
Good.
------------------------------------------------------------------------------
CVE-2018-11254
$ podofomerge crash.pdf crash.pdf out.pdf
[...]
Reference to invalid object: 1 0 R
Error 11 occurred!
PoDoFo encountered an error. Error: 11 ePdfError_PageNotFound
	Error Description: The requested page could not be found in the PDF.

The segfault was avoided.
Good.
------------------------------------------------------------------------------
CVE-2018-11255
$ podofopdfinfo crash1.pdf

The output was substantially the same as before so this is good.
------------------------------------------------------------------------------
CVE-2018-11256
$ podofomerge crash1.pdf crash1.pdf out.pdf
[...]
CRITICAL: Cannot find page 1 or page 1 has no parents. Cannot insert new page.

Similar output but no segfault.  Good.
------------------------------------------------------------------------------
CVE-2018-12982
$ podofocolor dummy poc1 foo
WARNING: There are more objects (71) in this XRef table than specified in the size key of the trailer directory (37)!

Similar diagnostics as before but no segfault.  Good.
------------------------------------------------------------------------------

These tests confirm that all but the last two issues (not mentioned in this list) were already fixed or trapped by the latest patches.

A few utility tests show that the package is still working fine.
$ podofomerge pragpub-2009-07.pdf pragpub-2009-08.pdf pragpub.pdf
$ podofopdfinfo pragpub.pdf
$ podofogc metaprogramming-ruby_p3_0.pdf c.pdf
Parsing  metaprogramming-ruby_p3_0.pdf ... (this might take a while) done
Writing... done
Parsed and wrote successfully

podofogc performs garbage collection on a designated PDF file.
All output files were readable as PDFs.

Giving this a 64-bit OK.

Whiteboard: (none) => MGA6-64-OK
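The PoC run in comment 11 boils down to one question per file: did the tool diagnose the malformed input and exit with an error, or was it killed by a signal? The harness below, added here as an example and not part of the bug report or of podofo itself, automates that check; the tool names and the PoC file names are placeholders, and no real PoC files are shipped with it.

```shell
#!/bin/sh
# Added example (not from the bug report): a small regression harness for
# feeding a directory of PoC files to a podofo tool and reporting, per file,
# whether the input was handled (error message, non-zero exit) or whether the
# tool crashed (killed by a signal such as SIGSEGV or SIGABRT).
# Tool and file names are placeholders; the PoC files are not included here.

# classify_run CMD...: run CMD with its output discarded, print a verdict and
# return 0 = clean exit, 1 = error reported (exit 1..128), 2 = killed by signal.
classify_run() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
        return 0
    elif [ "$status" -gt 128 ]; then
        # The shell reports death by signal as 128 + signal number (139 = SIGSEGV).
        echo "CRASH (signal $((status - 128)))"
        return 2
    else
        echo "handled (exit $status)"
        return 1
    fi
}

# run_poc_suite DIR TOOL [ARGS...]: run "TOOL ARGS... FILE" for every *.pdf in
# DIR (so it suits tools that take the input file last, e.g. podofopdfinfo),
# print one line per file and return the number of crashes. A return of 0 is
# the outcome the update is meant to deliver: faulty files diagnosed, no aborts.
run_poc_suite() {
    dir=$1; shift
    crashes=0
    for f in "$dir"/*.pdf; do
        [ -e "$f" ] || continue
        rc=0
        verdict=$(classify_run "$@" "$f") || rc=$?
        if [ "$rc" -eq 2 ]; then
            crashes=$((crashes + 1))
        fi
        printf '%-60s %s\n' "$(basename "$f")" "$verdict"
    done
    return "$crashes"
}

# Example invocation (placeholder directory of PoC files):
#   run_poc_suite ./poc-files podofopdfinfo; echo "crashes: $?"
```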

Comment 12 Lewis Smith 2019-01-22 20:56:41 CET
Advisory from comment 8.
Thanks for your habitual exhaustive testing, Len.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 13 Mageia Robot 2019-01-23 16:51:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0044.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

