Fedora has issued an advisory today (February 18): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y6ZKYPW55PN6XV5XW6KZDIJLWRXON74N/ Mageia 6 is also affected.
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => rverschelde
Status comment: (none) => Patch available from Fedora
Fedora has issued an advisory today (March 29): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5Z7UF3AC76HHLSAHVBUQWMYXHR33DR34/ It fixes two additional issues.
Whiteboard: (none) => MGA6TOO
Status comment: Patch available from Fedora => Patches available from Fedora
Summary: podofo new security issue CVE-2018-20751 => podofo new security issues CVE-2018-20751, CVE-2019-9199, CVE-2019-9687
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Fedora has issued an advisory on January 27: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4K6FST3UH3WNUNCIAEEGZJJASCP5ZXUF/ It fixes an additional issue.
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Summary: podofo new security issues CVE-2018-20751, CVE-2019-9199, CVE-2019-9687 => podofo new security issues CVE-2018-20751, CVE-2019-9199, CVE-2019-9687, CVE-2019-20093
Fedora has issued an advisory on July 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SSB4HRLHF7H3DPNTFPTXUE6EGXXZ5JSZ/ It fixes an additional issue.
Summary: podofo new security issues CVE-2018-20751, CVE-2019-9199, CVE-2019-9687, CVE-2019-20093 => podofo new security issues CVE-2018-12983, CVE-2018-20751, CVE-2019-9199, CVE-2019-9687, CVE-2019-20093
Fedora has issued an advisory on July 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WR6XY3TOLJPLXOGHYPCB42JW3SWRZNY4/ It adds another patch that we should probably add if we ever update this.
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryptionKey() function in PdfEncrypt.cpp in PoDoFo 0.9.6-rc1 could be leveraged by remote attackers to cause a denial-of-service via a crafted pdf file. (CVE-2018-12983)

An issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PDF document, pPage->GetObject()->GetDictionary().AddKey(PdfName("MediaBox"),var) can be problematic due to the function GetObject() being called for the pPage NULL pointer object. The value of pPage at this point is 0x0, which causes a NULL pointer dereference. (CVE-2018-20751)

PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. (CVE-2019-9199)

PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp. (CVE-2019-9687)

The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo 0.9.6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file, because of ImageExtractor.cpp. (CVE-2019-20093)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12983
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20093
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y6ZKYPW55PN6XV5XW6KZDIJLWRXON74N/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5Z7UF3AC76HHLSAHVBUQWMYXHR33DR34/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4K6FST3UH3WNUNCIAEEGZJJASCP5ZXUF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SSB4HRLHF7H3DPNTFPTXUE6EGXXZ5JSZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WR6XY3TOLJPLXOGHYPCB42JW3SWRZNY4/
========================

Updated packages in core/updates_testing:
========================
podofo-0.9.6-1.1.mga7
lib(64)podofo0.9.6-0.9.6-1.1.mga7
lib(64)podofo-devel-0.9.6-1.1.mga7

from SRPMS:
podofo-0.9.6-1.1.mga7.src.rpm
Whiteboard: MGA7TOO => (none)
Status comment: Patches available from Fedora => (none)
Assignee: rverschelde => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 7
mga7, x86_64

CVE-2018-12983
https://bugzilla.redhat.com/show_bug.cgi?id=1595693
$ podofocolor dummy poc2 foo
WARNING: There are more objects (71) in this XRef table than specified in the size key of the trailer directory (37)!
Segmentation fault (core dumped)

CVE-2018-20751
https://sourceforge.net/p/podofo/tickets/33/
$ podofocrop POC test.pdf
Cropping file: POC
Writing to : test.pdf
Using bounding box: [ 57.000000 554.000000 330.000000 189.000000 ]
Using bounding box: [ 57.000000 637.000000 330.000000 106.000000 ]
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 4 0 R
Segmentation fault (core dumped)

CVE-2019-9199
https://sourceforge.net/p/podofo/tickets/40/
$ podofoimpose POC3 output native
Source : POC3
Target : output
Plan : native
PdfTranslator::PdfTranslator 1 2
<</ID[<F1E31733B53ABA0E59DD993978156860><F1E31733B53ABA0E59DD993978156860>]/Info 3 0 R/Root 2 0 R/Size 73>>
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
Segmentation fault (core dumped)

CVE-2019-9687
Could not find the PoC test file. It is in any case aimed at podofo compiled with asan and a fuzz target so not relevant for us.

CVE-2019-20093
https://sourceforge.net/p/podofo/tickets/75/
$ podofoimgextract 123-compressed_1507.pdf-signalb-0x96 out
<</Type/XRef/Filter/FlateDecode/ID[<334A7E79C9FCCBC7E87D7C325FA995C4><334A7E79C9FCCBC7E87D7C325FA995C4>]/Index[ 0 256]/Info 2 0 R/Length 451/Root 1 0 R/Size 256/W[ 1 2 1]>>
Error: An error 2 ocurred during processing the pdf file.
PoDoFo encountered an error. Error: 2 ePdfError_InvalidHandle
Error Description: A NULL handle was passed, but initialized data was expected.
Callstack:
#0 Error Source: /home/iurt/rpmbuild/BUILD/podofo-0.9.6/tools/podofoimgextract/ImageExtractor.cpp:105

A segfault was the expected outcome before update so this message might repeat afterwards.

Posting this and updating later.
$ rpm -q podofo
podofo-0.9.6-1.mga7
CC: (none) => tarazed25
Continuing from comment 7.

Updated the packages.
$ rpm -qa | grep podofo
podofo-0.9.6-1.1.mga7
lib64podofo0.9.6-0.9.6-1.1.mga7
lib64podofo-devel-0.9.6-1.1.mga7

CVE-2018-12983
$ podofocolor dummy poc2 foo
WARNING: There are more objects (71) in this XRef table than specified in the size key of the trailer directory (37)!
Error: An error 7 occurred during processing the pdf file
PoDoFo encountered an error. Error: 7 ePdfError_ValueOutOfRange
Error Description: The passed value is out of range.
Callstack:
#0 Error Source: /home/iurt/rpmbuild/BUILD/podofo-0.9.6/src/base/PdfParser.cpp:272
Information: Unable to load objects from file.
#1 Error Source: /home/iurt/rpmbuild/BUILD/podofo-0.9.6/src/base/PdfParser.cpp:1070
Information: Error while loading object 38 0
#2 Error Source: /home/iurt/rpmbuild/BUILD/podofo-0.9.6/src/base/PdfEncrypt.cpp:614
Information: Given key length too large for MD5.

Good result.

CVE-2018-20751
$ podofocrop POC test.pdf
Cropping file: POC
Writing to : test.pdf
Using bounding box: [ 57.000000 554.000000 330.000000 189.000000 ]
Using bounding box: [ 57.000000 637.000000 330.000000 106.000000 ]
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 4 0 R
Error: An error 2 occurred during croppping pages in the pdf file.
PoDoFo encountered an error. Error: 2 ePdfError_InvalidHandle
Error Description: A NULL handle was passed, but initialized data was expected.
Callstack:
#0 Error Source: /home/iurt/rpmbuild/BUILD/podofo-0.9.6/tools/podofocrop/podofocrop.cpp:67
Information: crop_page: No page pointer given

Good result.

CVE-2019-9199
$ podofoimpose POC3 output native
Source : POC3
Target : output
Plan : native
PdfTranslator::PdfTranslator 1 2
<</ID[<F1E31733B53ABA0E59DD993978156860><F1E31733B53ABA0E59DD993978156860>]/Info 3 0 R/Root 2 0 R/Size 73>>
CRITICAL: Requesting page index 0. Invalid datatype referenced in kids array: Dictionary
Reference to invalid object: 1 0 R
PoDoFo encountered an error. Error: 11 ePdfError_PageNotFound
Error Description: The requested page could not be found in the PDF.
Callstack:
#0 Error Source: /home/iurt/rpmbuild/BUILD/podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp:154
Information: First page (0) of source document not found

Error contained - good result.

CVE-2019-20093
$ podofoimgextract 123-compressed_1507.pdf-signalb-0x96 out
<As expected - same message>

Good result - already fixed.

Tests based on bug #21511.

There are 18 utilities in /bin.
$ ls /bin/podofo*
/bin/podofobox*         /bin/podofoimg2pdf*            /bin/podofopdfinfo*
/bin/podofocolor*       /bin/podofoimgextract*         /bin/podofosign*
/bin/podofocountpages*  /bin/podofoimpose*             /bin/podofotxt2pdf*
/bin/podofocrop*        /bin/podofoincrementalupdates* /bin/podofotxtextract*
/bin/podofoencrypt*     /bin/podofomerge*              /bin/podofouncompress*
/bin/podofogc*          /bin/podofopages*              /bin/podofoxmp*

$ podofomerge TUX_Issue14_June2006.pdf TUX_Issue15_July2006.pdf tux.pdf
The resulting PDF combines one with the other. In xpdf the outline (contents) shows entries for the first item beginning with 'cover' then 'cover' for the second item but no more. However, the rest of the second item is available, another 47 pages.
-rw-r--r-- 1 lcl lcl 4783453 Dec 3 2006 TUX_Issue13_May2006.pdf
-rw-r--r-- 1 lcl lcl 3408414 Dec 3 2006 TUX_Issue14_June2006.pdf
-rw-r--r-- 1 lcl lcl 6659867 Jul 17 17:34 tux.pdf

$ podofopdfinfo metaprogramming-ruby_p3_0.pdf
Document Info
-------------
File: metaprogramming-ruby_p3_0.pdf
PDF Version: 1.3
Page Count: 282
Page Size: 540 x 648 pts
<and a whole lot more>

$ podofogc metaprogramming-ruby_p3_0.pdf c.pdf
Parsing metaprogramming-ruby_p3_0.pdf ... (this might take a while) done
Writing... done
Parsed and wrote successfully
c.pdf looks like a copy of the original in okular.

$ podofoimgextract LJ_TBF4.pdf images
<</Type/XRef/DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<72EBC67B35474385BC8F3EDD53DEDBFC><72297CC98FD641A8937E10F42D71EDE3>]/Info 6989 0 R/Length 4235/Root 6991 0 R/Size 7688/W[ 1 3 1]>>
-> Writing image object 4 0 R to the file: images/pdfimage_0000.jpg
-> Writing image object 7 0 R to the file: images/pdfimage_0001.jpg
-> Writing image object 28 0 R to the file: images/pdfimage_0002.ppm
Error: An error 35 ocurred during processing the pdf file.
PoDoFo encountered an error. Error: 35 ePdfError_UnsupportedFilter
Callstack:
#0 Error Source: /home/iurt/rpmbuild/BUILD/podofo-0.9.6/src/base/PdfFilter.cpp:166

The first image looked OK in eom but the other two were obviously corrupt.
Tried the extraction utility on c.pdf (garbage-collected file produced earlier) and that worked fine.
-> Writing image object 3817 0 R to the file: images/pdfimage_0033.jpg
Extracted 32 images successfully from the PDF file.
Checked a few of those - they all looked perfect.

$ podofocolor dummy FSM_issue_012 outfile
<</ID[<D63012425C2D5C14DF95C76966A691D2><D63012425C2D5C14DF95C76966A691D2>]/Info 835 0 R/Root 834 0 R/Size 836>>
Processing page 1...
[...]
Processing page 78...
Processing XObject 8 0
Processing XObject 623 0
$ file outfile
outfile: PDF document, version 1.4
The outfile is a copy of the original with some alterations to the colour. dummy is a converter which triggers a spurious colour transformation.

$ podofocolor grayscale FSM_issue_012 outfile
applies grayscaling to coloured text and to coloured panels but leaves images untouched.

$ podofoimg2pdf jessica.pdf JessicaAlba.jpg JessicaAlba.tif jessica_big.png
Output filename: jessica.pdf
Adding image: JessicaAlba.jpg
Adding image: JessicaAlba.tif
Adding image: jessica_big.png
Wrote PDF successfully: jessica.pdf.
The PDF file contains three pages, identical images scaled in the X axis to A4 size and anchored to the bottom of the pages (Postscript coordinates).

These tests are just a sample and all seem to work as expected so this is good for 64-bits.
Whiteboard: (none) => MGA7-64-OK
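The before/after comparison in the two test comments above comes down to whether a tool dies from a signal (the segfaults seen before the update) or exits with a contained PoDoFo error (seen after it). As an added example, not part of the original bug report or of PoDoFo, this shell helper automates that check; the function names and the stand-in commands are constructed for illustration.

```shell
#!/bin/sh
# classify_run CMD [ARGS...]
# Prints: ok | handled-error | not-run | crash:<signal number>
classify_run() {
    status=0
    # Subshell: disable core files, then replace the subshell with the tool,
    # so the status seen here is the tool's own. Tool output is discarded.
    ( ulimit -c 0; exec "$@" ) >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        # Shell convention: not executable / not found, so nothing was tested.
        echo "not-run"
    elif [ "$status" -gt 128 ]; then
        # Shell convention: death by signal N is reported as 128+N.
        # Assumption: the tool itself never exits with a status above 128.
        echo "crash:$((status - 128))"
    else
        # Non-zero exit chosen by the tool, e.g. a reported PoDoFo error.
        echo "handled-error"
    fi
}

# assert_no_crash LABEL CMD [ARGS...]
# Returns 0 for ok/handled-error, 1 for a crash, 2 if the command never ran.
assert_no_crash() {
    label=$1
    shift
    result=$(classify_run "$@")
    printf '%-14s %s\n' "$label" "$result"
    case $result in
        crash:*) return 1 ;;
        not-run) return 2 ;;
        *)       return 0 ;;
    esac
}

# Constructed stand-ins so the script runs without the PoC files:
# the first mimics the pre-update segfault, the second a contained error.
assert_no_crash "before-update" sh -c 'kill -s SEGV $$' || echo "  -> still crashing"
assert_no_crash "after-update"  sh -c 'exit 2'          || echo "  -> still crashing"
```

With the PoC files from the linked tickets in the working directory, a real call has the same shape as the commands in the comments, for example `assert_no_crash CVE-2018-20751 podofocrop POC test.pdf`.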
Wow. A lot of work, Len, and much appreciated. Validating. Advisory in Comment 6.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0294.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED