Hello all, the CVE entries referenced below are now fixed in svn r1937. These are CVE-2017-738[1-3]. URL: https://sourceforge.net/p/podofo/code/1937/
This means also: the Debian security tracker should be updated (the "fixed versions" there didn't fix it AFAIK). Best regards, mabri > On 14 June 2018 at 01:37 Matthew Brincke <ma...@mailbox.org> wrote: > > ... snip ... > For the new info, please see my addition below (bad news). > > On 12 June 2018 at 22:21 Matthew Brincke <ma...@mailbox.org> wrote: > > > > > > Hello Mattia, hello all, > > > On 12 June 2018 at 16:25 Mattia Rizzolo <mat...@mapreri.org> wrote: > > > > > > > ...snip... > Upon detailed inspection, which I mostly did yesterday (Wednesday) like I > promised, I found the claim in DLA-968-1's d/patches/CVE-2017-7380.patch > that it also fixes CVE-2017-7381 to CVE-2017-7383 to be very suspect, if > not outright mistaken. > For CVE-2017-7381: If m_pResources in src/doc/PdfPage.cpp:609 is NULL, > i.e. the page doesn't have resources, not even inherited ones (for those, > cf. src/doc/PdfPage.cpp:63 to the end of the constructor), dereferencing > it to call a method is undefined behaviour (likely crash/vulnerability). > The patch doesn't change that, so it doesn't fix this CVE AFAICS. > > For CVE-2017-7382: If the dictionary which is the value of/referred to > by the /Font entry in the /Resources dictionary exists, the patch changes > again nothing AFAICS (is the CVE ID bound to the specific reproducer?) so > such a /Font dictionary without /Subtype entry (in the report, queried at > src/doc/PdfFontFactory.cpp:200) can still trigger the bug (AFAICS, untested). > > For CVE-2017-7383: The same except for /Type (in the report, queried at > src/doc/PdfFontFactory.cpp:195) instead of /Subtype makes this unfixed. > > > > > > > And if this is really going to reopen a CVE for stretch I'd need to > > > check with the security team if they need/want to do something extra as > > > well. > > > > > Please do, thank you. > > > > > -- > > > regards, > > > Mattia Rizzolo > > > > > Best regards, mabri ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Podofo-users mailing list Podofo-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/podofo-users
