Your message dated Thu, 10 May 2018 18:00:19 +0000
with message-id <[email protected]>
and subject line Bug#892556: fixed in libpodofo 0.9.6~rc1+dfsg-1
has caused the Debian Bug report #892556,
regarding libpodofo: CVE-2018-8001
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
892556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892556
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpodofo
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for libpodofo.

CVE-2018-8000[0]:
| In PoDoFo 0.9.5, there exists a heap-based buffer overflow
| vulnerability in PoDoFo::PdfTokenizer::GetNextToken() in
| PdfTokenizer.cpp, a related issue to CVE-2017-5886. Remote attackers
| could leverage this vulnerability to cause a denial-of-service or
| potentially execute arbitrary code via a crafted pdf file.

CVE-2018-8001[1]:
| In PoDoFo 0.9.5, there exists a heap-based buffer over-read
| vulnerability in UnescapeName() in PdfName.cpp. Remote attackers could
| leverage this vulnerability to cause a denial-of-service or possibly
| unspecified other impact via a crafted pdf file.

CVE-2018-8002[2]:
| In PoDoFo 0.9.5, there exists an infinite loop vulnerability in
| PdfParserObject::ParseFileComplete() in PdfParserObject.cpp which may
| result in stack overflow. Remote attackers could leverage this
| vulnerability to cause a denial-of-service or possibly unspecified
| other impact via a crafted pdf file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-8000
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8000
[1] https://security-tracker.debian.org/tracker/CVE-2018-8001
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8001
[2] https://security-tracker.debian.org/tracker/CVE-2018-8002
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8002

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: libpodofo
Source-Version: 0.9.6~rc1+dfsg-1

We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <[email protected]> (supplier of updated libpodofo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 10 May 2018 10:49:49 +0200
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.6
Architecture: source amd64
Version: 0.9.6~rc1+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Mattia Rizzolo <[email protected]>
Changed-By: Mattia Rizzolo <[email protected]>
Description:
 libpodofo-dev - PoDoFo development files
 libpodofo-utils - PoDoFo utilities
 libpodofo0.9.6 - PoDoFo - library to work with the PDF file format
Closes: 892556
Changes:
 libpodofo (0.9.6~rc1+dfsg-1) experimental; urgency=medium
 .
   * New upstream version 0.9.6~rc1:
     + Repacked to remove a non-free piece of code (see README.source).
     + Fix CVE-2018-5309
     + Fix CVE-2018-8001 Closes: #892556
   * d/patches:
     + Remove all patches applied upstream.
     + Add patch to set the SOVERSION to 0.9.6 instead of 0.9.6-rc1.
     + Add a patch fixing a bunch of spelling errors.
     + Add patch from upstream to fix build on 32 bit archs.
   * Drop our manpages, now that upstream have moved all (but one) of them out
     of debian/, so we can install their copies.
   * Rename the binaries after SONAME bump: libpodofo0.9.5 → libpodofo0.9.6.
   * d/control:
     + Bump Standards-Version to 4.1.4, no changes needed.
     + Add new Build-Dependency on libunistring-dev.
   * d/rules: explicitly enable symbols visibility.
Checksums-Sha1:
 653946678882e8124276fff90731ce4117d4dd4c 2201 libpodofo_0.9.6~rc1+dfsg-1.dsc
 3bacf3262d6b88af5840b99fc3fc4731ff09a92f 738956 libpodofo_0.9.6~rc1+dfsg.orig.tar.xz
 120505732fd6237a844acc1cd4a394ec5bcab681 9604 libpodofo_0.9.6~rc1+dfsg-1.debian.tar.xz
 5f151ecc37749ceac825f78079843307088df2b1 161332 libpodofo-dev_0.9.6~rc1+dfsg-1_amd64.deb
 dc1b97e0ec4dbde9274f9d18e560fbcf971f84ec 1648564 libpodofo-utils-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 3228758b26de661e604be1332ac6f12900d7cf44 185536 libpodofo-utils_0.9.6~rc1+dfsg-1_amd64.deb
 bff52652149964a04bd781a3ae9e591db69fe50c 4274140 libpodofo0.9.6-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 655ab6c9bc1a0c577764bdd16b8b1a80976661be 503404 libpodofo0.9.6_0.9.6~rc1+dfsg-1_amd64.deb
 7c6509993f64d9b29ee6ab40140e7f793e891dcb 8877 libpodofo_0.9.6~rc1+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 0cd1accd879d29873ff220587f9e99d29d920858b8c74431dec6c95bde0f23e2 2201 libpodofo_0.9.6~rc1+dfsg-1.dsc
 10bb6ceee8fade989f794ef70adeebc7f8517f20a12b1c9ff01c0db31b14ad2a 738956 libpodofo_0.9.6~rc1+dfsg.orig.tar.xz
 58bf3e591450ad049bc95259860b4b0c0ce1465f1b65dc01ca0d52207ea14d81 9604 libpodofo_0.9.6~rc1+dfsg-1.debian.tar.xz
 906982140668cd9367a8132a5745f30cc7507fbe57c1e613f7ac66450e3ba2e0 161332 libpodofo-dev_0.9.6~rc1+dfsg-1_amd64.deb
 7c3295249b26dde00c05ed3c5af6767e204e38ded7ff808bf009e9bd1d316a74 1648564 libpodofo-utils-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 22745ca440b608dde0eef31f25f25a734b32a510b6ad093f4fcc4ebf3d502f44 185536 libpodofo-utils_0.9.6~rc1+dfsg-1_amd64.deb
 1f23699ccce5fd43b8367e6cecd8bc148f5914ffe0690cd9d821bcda4ea4b49b 4274140 libpodofo0.9.6-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 e1b22ba555af0d14215ca8d7c031d0ed54d351369388eaf102eb6ce6e011cc0d 503404 libpodofo0.9.6_0.9.6~rc1+dfsg-1_amd64.deb
 1d30a0d5bae5b6fc5405f3a734d35347e00da5d09ff7d11b56b78d567a34bf26 8877 libpodofo_0.9.6~rc1+dfsg-1_amd64.buildinfo
Files:
 8342463da9b6abb060c7ee8d50ab552a 2201 libdevel optional libpodofo_0.9.6~rc1+dfsg-1.dsc
 250c9f43cf23b995c5b06530f22c2125 738956 libdevel optional libpodofo_0.9.6~rc1+dfsg.orig.tar.xz
 2faf45f78af7b3b5a2e12fb0c39c885b 9604 libdevel optional libpodofo_0.9.6~rc1+dfsg-1.debian.tar.xz
 754acb7e51b2d2587eb5e2a17350eb3e 161332 libdevel optional libpodofo-dev_0.9.6~rc1+dfsg-1_amd64.deb
 5030d6c8c038d367e95c0ed1b1228ff3 1648564 debug optional libpodofo-utils-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 389960a946feba336343681cde39d147 185536 utils optional libpodofo-utils_0.9.6~rc1+dfsg-1_amd64.deb
 1863838533985100ff0ad885783170d6 4274140 debug optional libpodofo0.9.6-dbgsym_0.9.6~rc1+dfsg-1_amd64.deb
 0ad311c3512799a6f7bf36fc0118b202 503404 libs optional libpodofo0.9.6_0.9.6~rc1+dfsg-1_amd64.deb
 aac351999ad538ce5c4ee56c31dbc94a 8877 libdevel optional libpodofo_0.9.6~rc1+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEi3hoeGwz5cZMTQpICBa54Yx2K60FAlr0KD4ACgkQCBa54Yx2
K62yrBAAmOKS9o70fWWTIepcW/eqwg4OmOEUUIuFpJ/KmgX7CZBqPRbKe3wbBGiE
IpYVsUV3y5WUBAMEuExHdtyNwqpWZuqgbcrdV2oEEoOZUv8z9EnrwlzZbAsOZ9ff
pr9OajvqO+NGv2xhdl9ZwvR0W3EwilW8P4t4CZh6iR2hXraM/+rvun/nj1jIb/UW
HTYlV5pvYtRnbdvdY9dYya7D3BM/Y+Bj3TNuhq5tcZQe6Ivk5mmOdhhLApAeqWf4
CGkpa1ARPmHcqUPIZtCaUlLXvcRg5T+T9cRPUtULIF/Ex69q9StvYOP+cyGag+yS
kKrIpuz4kGIziF1xpE+DAOmd4pz7UURx0k6VvwBYKRMBzXgVZEaKIaWCE3cWJQNP
VfBQ3ipQl9cMUlsXnn+lUCD3Dl+pK9nQ/xQHGPZVHufsxB+z06vW1iteVigOcD/w
CKmm0So36/bhrCDaRqm0iCFuzi6YAZ+xyhcAA5ZLjxmDtQcuepSvACBeimGU9oew
FT8Bo1C4/blsoc4R+drZAvyTY+BWIH1JlXyn7m1Jt0OjfRvWy4vnLXs0QsAhcKWD
sJ6Cvs4+7vVw8/bYp9foT1Tz8U5J10igVyZFJZEfYAHWMj6wnEoRJpmdLld/vmOy
wvHUPDpyWZZNVpPiA0660vrJNItdBPx0fu3IxTHP7tkK819XI5Q=
=1Rbv
-----END PGP SIGNATURE-----

--- End Message ---