Hello Mattia, hello all,

firstly I apologize (especially in case the delay in reaction
on my part is the reason PoDoFo 0.9.6 was released with CVEs
unfixed, for some of them see below in the original message)
for having been busy with another project and not squeezing
this in-between, I also was unsure about you (Mattia) possibly
being on vacation.  
As it seems to me my original e-mail (see below) was missed,
I'm sending it again, but this time also to the podofo-users
list because I think now that version 0.9.6 has already been
released (IMNSHO prematurely, because of the CVEs and non-free
code in it) it's high time the project and its users get to
know them at last (in the Debian changelog they had been
mistakenly declared as fixed, and I didn't dare to send a 2nd
e-mail or a bug report: I now fear this was wrong of me, so I
apologize).
NB: Note that, contrary to what is in the "Original message"
below (I left it in so the reasoning for why I didn't send it
to the list stays intact), this has the earlier e-mail quotes
mostly snipped (as what was in them is now done), for reasons of
bandwidth economy, these paragraphs are already long enough ... 

Best regards, mabri

---------- Original Message ----------
From: Matthew Brincke <ma...@mailbox.org>
To: mat...@mapreri.org
Date: 14 June 2018 at 01:37 CEST
Subject: Re: [Podofo-users] CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)
Hello Mattia,

I'm full-quoting my previous email because it was rejected by the
list server on account of an IP-address ban and I sent it to you
as a forward as you probably wouldn't like to get the same email
again so I'll avoid sending it to the list, instead you get this,
I hope this is OK. I've not pruned down this one because I don't
know if you are regularly reading your Debian address these days,
which I sent the forward before (this Tuesday) to. In case of
that being a mistake, I'm sorry.
For the new info, please see my addition below (bad news).
> On 12 June 2018 at 22:21 Matthew Brincke <ma...@mailbox.org> wrote:
> 
> 
> Hello Mattia, hello all,
> > On 12 June 2018 at 16:25 Mattia Rizzolo <mat...@mapreri.org> wrote:
> > 
> > 
... snip ... 
> > Also, what about
> > https://security-tracker.debian.org/tracker/DLA-929-1
> > https://security-tracker.debian.org/tracker/DLA-968-1
> > Are they correct, or did they not fix some CVEs (like CVE-2017-5854)?
> 
> The DLA-929-1 did not fix the CVE-2017-5854 either (the patch supposedly
> doing that is the same change as in upstream svn r1836, so it can't).
> The DLA-968-1 doesn't look suspect to me, though I haven't checked in
> detail (having been busy with historical digital artifacts ;-) ).
... snip ...
> > The changes should be in
> > https://salsa.debian.org/debian/libpodofo/commits/wheezy - I would be
> > very happy if you could double check.
> I could probably do that tomorrow, now I'd like to get this e-mail sent.

Upon detailed inspection, which I mostly did yesterday (Wednesday) like I
promised, I found the claim in DLA-968-1's d/patches/CVE-2017-7380.patch
that it also fixes CVE-2017-7381 to CVE-2017-7383 to be very suspect, if
not outright mistaken.
For CVE-2017-7381: If m_pResources in src/doc/PdfPage.cpp:609 is NULL,
i.e. the page doesn't have resources, not even inherited ones (for those,
cf. src/doc/PdfPage.cpp:63 to the end of the constructor), dereferencing
it to call a method is undefined behaviour (likely crash/vulnerability).
The patch doesn't change that, so it doesn't fix this CVE AFAICS.

For CVE-2017-7382: If the dictionary which is the value of/referred to
by the /Font entry in the /Resources dictionary exists, the patch changes
again nothing AFAICS (is the CVE ID bound to the specific reproducer?) so
such a /Font dictionary without /Subtype entry (in the report, queried at
src/doc/PdfFontFactory.cpp:200) can still trigger the bug (AFAICS, untested).

For CVE-2017-7383: The same except for /Type (in the report, queried at
src/doc/PdfFontFactory.cpp:195) instead of /Subtype makes this unfixed.

> > 
> > And if this is really going to reopen a CVE for stretch I'd need to
> > check with the security team if they need/want to do something extra as
> > well.
> > 
> Please do, thank you.
> 
> > -- 
> > regards,
> >  Mattia Rizzolo
> > 
> Best regards, mabri

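As an added illustration (not PoDoFo's own code and not the Debian patch under discussion), the toy model below uses a constructed dictionary type to put the unchecked lookup chain the message describes beside a version that tests each step: a page without resources, or a font dictionary lacking /Type or /Subtype, is reported as missing instead of being dereferenced.

```cpp
#include <map>
#include <memory>
#include <optional>
#include <string>
// Constructed stand-in for a PDF dictionary (not PoDoFo's PdfDictionary).
struct Dict {
    std::map<std::string, std::string> names;              // "/Subtype" -> "/Type1"
    std::map<std::string, std::shared_ptr<Dict>> dicts;    // nested dictionaries
    const Dict* sub(const std::string& k) const {
        auto it = dicts.find(k); return it == dicts.end() ? nullptr : it->second.get();
    }
    const std::string* name(const std::string& k) const {
        auto it = names.find(k); return it == names.end() ? nullptr : &it->second;
    }
};
struct Page { std::shared_ptr<Dict> resources; };  // /Resources may be absent
struct FontInfo { std::string type, subtype; };

// Unchecked pattern: every '->' assumes the previous lookup succeeded. Null
// resources or a font dict without /Type or /Subtype is undefined behaviour.
FontInfo fontInfoUnchecked(const Page& page, const std::string& fontName) {
    const Dict* font = page.resources->sub("/Font")->sub(fontName);
    return FontInfo{*font->name("/Type"), *font->name("/Subtype")};
}

// Checked pattern: each fallible lookup is tested and a gap is reported.
std::optional<FontInfo> fontInfoChecked(const Page& page, const std::string& fontName) {
    if (!page.resources) return std::nullopt;              // no (inherited) resources
    const Dict* fonts = page.resources->sub("/Font");
    if (!fonts) return std::nullopt;
    const Dict* font = fonts->sub(fontName);
    if (!font) return std::nullopt;
    const std::string *type = font->name("/Type"), *subtype = font->name("/Subtype");
    if (!type || !subtype) return std::nullopt;            // /Type or /Subtype missing
    return FontInfo{*type, *subtype};
}

// Builds constructed test pages: font /F1 optionally lacking /Type or /Subtype.
Page makePage(bool withResources, bool withType, bool withSubtype) {
    if (!withResources) return Page{};
    auto font = std::make_shared<Dict>();
    if (withType) font->names["/Type"] = "/Font";
    if (withSubtype) font->names["/Subtype"] = "/Type1";
    auto fonts = std::make_shared<Dict>();
    fonts->dicts["/F1"] = font;
    auto res = std::make_shared<Dict>();
    res->dicts["/Font"] = fonts;
    return Page{res};
}
```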
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users