Your message dated Tue, 18 Sep 2018 14:41:25 +0000
with message-id <[email protected]>
and subject line Bug#860994: fixed in libpodofo 0.9.6+dfsg-1
has caused the Debian Bug report #860994,
regarding libpodofo: CVE-2017-8053
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
860994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860994
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpodofo
Version: 0.9.4-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libpodofo.

CVE-2017-8053[0]:
| PoDoFo 0.9.5 allows denial of service (infinite recursion and stack
| consumption) via a crafted PDF file in
| PoDoFo::PdfParser::ReadDocumentStructure (PdfParser.cpp).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8053
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8053
[1] http://openwall.com/lists/oss-security/2017/04/22/1

[1] contains a reproducer/poc.

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libpodofo
Source-Version: 0.9.6+dfsg-1

We believe that the bug you reported is fixed in the latest version of
libpodofo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <[email protected]> (supplier of updated libpodofo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Tue, 18 Sep 2018 15:53:46 +0200
Source: libpodofo
Binary: libpodofo-dev libpodofo-utils libpodofo0.9.6
Architecture: source
Version: 0.9.6+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Mattia Rizzolo <[email protected]>
Changed-By: Mattia Rizzolo <[email protected]>
Description:
 libpodofo-dev - PoDoFo development files
 libpodofo-utils - PoDoFo utilities
 libpodofo0.9.6 - PoDoFo - library to work with the PDF file format
Closes: 860994 906781
Changes:
 libpodofo (0.9.6+dfsg-1) experimental; urgency=medium
 .
   * New upstream version 0.9.6+dfsg:
     + CVE-2017-8053 Closes: #860994
     + CVE-2018-5296
   * d/control:
     + Bump Standards-Version to 4.2.1, no changes needed.
     + Use the new notation debhelper-compat (= 11), and drop d/compat.
   * d/patches:
     + Drop all patches, applied upstream.
     + Add patch from Juhani Numminen <[email protected]> to fix FTBFS
       with cmake 3.12.  Closes: #906781
     + Add patch to fix the build with -fvisibility=hidden.


--- End Message ---