Your message dated Sun, 21 Apr 2019 16:16:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#927704: unblock: libpodofo/0.9.6+dfsg-5
has caused the Debian Bug report #927704,
regarding unblock: libpodofo/0.9.6+dfsg-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
927704: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927704
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
User: [email protected]
Usertags: unblock
I uploaded a new libpodofo cherry-picking two security patches from
upstream.
I was waiting to see if more CVEs were going to be fixed, but I guess
the rest will have to wait.
debdiff attached.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
diffstat for libpodofo-0.9.6+dfsg libpodofo-0.9.6+dfsg
changelog | 8 +++++
patches/CVE-2019-9199.patch | 23 ++++++++++++++++
patches/CVE-2019-9687.patch | 61 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 94 insertions(+)
diff -Nru libpodofo-0.9.6+dfsg/debian/changelog
libpodofo-0.9.6+dfsg/debian/changelog
--- libpodofo-0.9.6+dfsg/debian/changelog 2019-02-11 18:49:43.000000000
+0100
+++ libpodofo-0.9.6+dfsg/debian/changelog 2019-04-21 17:13:10.000000000
+0200
@@ -1,3 +1,11 @@
+libpodofo (0.9.6+dfsg-5) unstable; urgency=medium
+
+ * Add upstream patches for security issues:
+ CVE-2019-9199 Closes: #923469
+ CVE-2019-9687 Closes: #924430
+
+ -- Mattia Rizzolo <[email protected]> Sun, 21 Apr 2019 17:13:10 +0200
+
libpodofo (0.9.6+dfsg-4) unstable; urgency=medium
* Add upstream patches for security issues:
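Review bot: The new changelog entry names only the CVE ids and the bugs they close; a few words per item on what is fixed and where would let the entry be assessed without opening the patches. The patch headers already have the wording: a NULL pointer dereference in tools/podofoimpose/pdftranslator.cpp and a heap-based buffer overflow in PdfString::ConvertUTF16toUTF8.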
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch
libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch
--- libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch 1970-01-01
01:00:00.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch 2019-03-27
15:48:28.000000000 +0100
@@ -0,0 +1,23 @@
+Description: CVE-2019-9199 - NULL pointer dereference
+Author: Matthew Brincke
+Origin: upstream, https://sourceforge.net/p/podofo/code/1971/
+Bug: https://sourceforge.net/p/podofo/tickets/40/
+Bug-Debian: https://bugs.debian.org/923469
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-9199
+
+--- a/tools/podofoimpose/pdftranslator.cpp
++++ b/tools/podofoimpose/pdftranslator.cpp
+@@ -148,7 +148,12 @@
+ // std::cerr << "Document has "<< pcount << " page(s) " << endl;
+ if ( pcount > 0 ) // only here to avoid possible
segfault, but PDF without page is not conform IIRC
+ {
+- PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0
)->GetMediaBox() );
++ PoDoFo::PdfPage* pFirstPage = sourceDoc->GetPage ( 0 );
++ if ( NULL == pFirstPage ) // Fixes CVE-2019-9199 (issue #40)
++ {
++ PODOFO_RAISE_ERROR_INFO( ePdfError_PageNotFound, "First
page (0) of source document not found" );
++ }
++ PoDoFo::PdfRect rect ( pFirstPage->GetMediaBox() );
+ // keep in mind it’s just a hint since PDF can
have different page sizes in a same doc
+ sourceWidth = rect.GetWidth() - rect.GetLeft();
+ sourceHeight = rect.GetHeight() -
rect.GetBottom() ;
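Review bot: The context line `if ( pcount > 0 )` still carries the comment "only here to avoid possible segfault", yet this fix exists because a positive page count does not guarantee that GetPage ( 0 ) returns a page; update that comment so the count check is not read as sufficient. The new NULL check covers this one call site only, so it is worth confirming that no other GetPage() result in pdftranslator.cpp is dereferenced unchecked. Minor: the second Bug-Debian field points at the security tracker page rather than at a bug report.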
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch
libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch
--- libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch 1970-01-01
01:00:00.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch 2019-03-27
15:56:25.000000000 +0100
@@ -0,0 +1,61 @@
+Description: CVE-2019-9687 - heap-based buffer overflow in
PdfString::ConvertUTF16toUTF8
+Origin: upstream, https://sourceforge.net/p/podofo/code/1969
+Bug-Debian: https://bugs.debian.org/924430
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-9687
+
+--- a/src/base/PdfString.cpp
++++ b/src/base/PdfString.cpp
+@@ -626,8 +626,19 @@
+ pdf_long lUtf8 = PdfString::ConvertUTF16toUTF8(
reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()),
+ this->GetUnicodeLength(),
+
reinterpret_cast<pdf_utf8*>(pBuffer), lBufferLen, ePdfStringConversion_Lenient
);
++ if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination
here vs. 1 byte there
++ {
++ pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 )
);
++ if( !pBuffer )
++ {
++ PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
++ }
++ if (lUtf8 - 1 > lBufferLen)
++ lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const
pdf_utf16be*>(m_buffer.GetBuffer()),
++
this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer), lUtf8 + 1);
++ }
+
+- pBuffer[lUtf8-1] = '\0';
++ pBuffer[lUtf8 - 1] = '\0';
+ pBuffer[lUtf8] = '\0';
+ m_sUtf8 = pBuffer;
+ podofo_free( pBuffer );
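Review bot: In the new `lUtf8 + 1 > lBufferLen` block, the result of podofo_realloc is assigned straight back to pBuffer, which overwrites the only pointer to the original allocation; if podofo_realloc follows realloc semantics, the old buffer is leaked on the ePdfError_OutOfMemory path. Assign to a temporary and free the original before raising. The retry call also omits the ePdfStringConversion_Lenient argument that the first call passes, so pass it explicitly to keep both attempts in the same conversion mode. The unbraced `if (lUtf8 - 1 > lBufferLen)` decides whether the converted data is already in the buffer, and the two terminator writes after the block depend on that; it deserves braces and a comment spelling out the three cases (needs reconversion, fits without terminator, fits with one terminator byte).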
+@@ -811,6 +822,7 @@
+ return ConvertUTF16toUTF8( pszUtf16, lLen, pszUtf8, lLenUtf8 );
+ }
+
++// returns used, or if not enough memory passed in, needed length incl. 1
byte termination
+ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long
lLenUtf16,
+ pdf_utf8* pszUtf8, pdf_long lLenUtf8,
+ EPdfStringConversion eConversion )
+@@ -828,12 +840,21 @@
+ size_t sLength = lLenUtf16;
+ size_t resultBufLength = lLenUtf8;
+
+- u16_to_u8 ( s, sLength, pResultBuf, &resultBufLength);
++ uint8_t* pReturnBuf = u16_to_u8( s, sLength, pResultBuf, &resultBufLength
);
++ if (pReturnBuf != pResultBuf)
++ {
++ free(pReturnBuf); // allocated by libunistring, so don't use
podofo_free()
++ PdfError::LogMessage( eLogSeverity_Warning, "Output string size too
little to hold it\n" );
++ return resultBufLength + 1;
++ }
+
+ pdf_long lBufferLen = PODOFO_MIN( static_cast<pdf_long>(resultBufLength +
1), lLenUtf8 );
+
+- // Make sure buffer is 0 termnated
+- pszUtf8[resultBufLength] = 0;
++ // Make sure buffer is 0 terminated
++ if ( static_cast<pdf_long>(resultBufLength + 1) <= lLenUtf8 )
++ pszUtf8[resultBufLength] = 0;
++ else
++ return resultBufLength + 1; // means: check for this in the caller to
detect non-termination
+
+ return lBufferLen;
+ }
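Review bot: The `if (pReturnBuf != pResultBuf)` branch treats every non-matching return as "output too small", but libunistring's u16_to_u8 also returns NULL on a conversion error, and in that case resultBufLength is not a meaningful length while the patched caller will resize and retry on it. Check for NULL first and raise an error there, and keep the "too little" warning for the reallocated-buffer case only. The function now returns either the bytes used or the bytes needed, so it is worth confirming that callers other than the one patched above compare the return value against lLenUtf8 before using the buffer.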
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/series
libpodofo-0.9.6+dfsg/debian/patches/series
--- libpodofo-0.9.6+dfsg/debian/patches/series 2019-02-11 18:44:03.000000000
+0100
+++ libpodofo-0.9.6+dfsg/debian/patches/series 2019-03-27 15:54:01.000000000
+0100
@@ -10,3 +10,5 @@
CVE-2018-14320.patch
CVE-2018-19532.patch
CVE-2018-20751.patch
+CVE-2019-9199.patch
+CVE-2019-9687.patch
--- End Message ---
--- Begin Message ---
Mattia Rizzolo:
> Package: release.debian.org
> User: [email protected]
> Usertags: unblock
>
> I uploaded a new libpodofo cherry-picking two security patches from
> upstream.
>
> I was waiting to see if more CVEs were going to be fixed, but I guess
> the rest will have to wait.
>
> debdiff attached.
>
Unblocked, thanks.
~Niels
--- End Message ---