[Git][security-tracker-team/security-tracker][master] triage a few libpodofo CVEs

Mattia Rizzolo Mon, 11 Feb 2019 10:03:24 -0800

Mattia Rizzolo pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
578c015d by Mattia Rizzolo at 2019-02-11T17:53:12Z
triage a few libpodofo CVEs

Signed-off-by: Mattia Rizzolo &lt;[email protected]&gt;

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1084,8 +1084,9 @@ CVE-2019-7321
 CVE-2019-7320
        RESERVED
 CVE-2018-20751 (An issue was discovered in crop_page in PoDoFo 0.9.6. For a 
crafted PDF ...)
-       - libpodofo <unfixed>
-       [jessie] - libpodofo <ignored> (Minor issue)
+       - libpodofo 0.9.6+dfsg-4
+       [stretch] - libpodofo <no-dsa> (Minor issue)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: https://sourceforge.net/p/podofo/tickets/33/
        NOTE: https://sourceforge.net/p/podofo/code/1954
 CVE-2019-7319
@@ -19503,10 +19504,11 @@ CVE-2018-19534
 CVE-2018-19533
        RESERVED
 CVE-2018-19532 (A NULL pointer dereference vulnerability exists in the 
function ...)
-       - libpodofo <unfixed> (low; bug #916085)
+       - libpodofo 0.9.6+dfsg-4 (low; bug #916085)
        [stretch] - libpodofo <no-dsa> (Minor issue)
        [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: https://sourceforge.net/p/podofo/tickets/32/
+       NOTE: https://sourceforge.net/p/podofo/code/1950/
 CVE-2018-19531 (HTTL (aka Hyper-Text Template Language) through 1.0.11 allows 
remote ...)
        NOT-FOR-US: HTTL
 CVE-2018-19530 (HTTL (aka Hyper-Text Template Language) through 1.0.11 allows 
remote ...)
@@ -29203,6 +29205,7 @@ CVE-2018-15889 (In podofo 0.9.6, the function 
PoDoFo::PdfParser::ReadObjects() i
        [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1620065
        NOTE: https://sourceforge.net/p/podofo/tickets/27/
+       NOTE: upstream thinks this could be a duplicate of CVE-2018-5783
 CVE-2018-15888 (An issue was discovered in ASPCMS 2.5.6. When registering 
ordinary ...)
        NOT-FOR-US: ASPCMS
 CVE-2017-18346
@@ -33451,9 +33454,9 @@ CVE-2018-14322
 CVE-2018-14321
        RESERVED
 CVE-2018-14320 (This vulnerability allows remote attackers to disclose 
sensitive ...)
-       - libpodofo <unfixed> (bug #916240)
+       - libpodofo 0.9.6+dfsg-4 (bug #916240)
        [stretch] - libpodofo <no-dsa> (Minor issue)
-       [jessie] - libpodofo <ignored> (Minor issue)
+       [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
        NOTE: https://sourceforge.net/p/podofo/code/1953
 CVE-2018-14319
@@ -36473,7 +36476,7 @@ CVE-2018-12983 (A stack-based buffer over-read in the 
...)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1595693
        NOTE: https://sourceforge.net/p/podofo/tickets/23
 CVE-2018-12982 (Invalid memory read in the PoDoFo::PdfVariant::DelayedLoad() 
function ...)
-       - libpodofo <unfixed> (low; bug #916581)
+       - libpodofo 0.9.6+dfsg-4 (low; bug #916581)
        [stretch] - libpodofo <no-dsa> (Minor issue)
        [jessie] - libpodofo <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1595689
@@ -41446,7 +41449,7 @@ CVE-2017-18274
        RESERVED
        NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11256 (An issue was discovered in PoDoFo 0.9.5. The function ...)
-       - libpodofo <unfixed> (low; bug #916583)
+       - libpodofo 0.9.6+dfsg-4 (low; bug #916583)
        [stretch] - libpodofo <no-dsa> (Minor issue)
        [jessie] - libpodofo <no-dsa> (Minor issue)
        [wheezy] - libpodofo <no-dsa> (Minor issue)
@@ -41460,9 +41463,9 @@ CVE-2018-11255 (An issue was discovered in PoDoFo 
0.9.5. The function ...)
        [wheezy] - libpodofo <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575502
        NOTE: https://sourceforge.net/p/podofo/tickets/20
-       NOTE: https://sourceforge.net/p/podofo/code/1952
+       NOTE: https://sourceforge.net/p/podofo/code/1952 (this commit doesn't 
fix the crash)
 CVE-2018-11254 (An issue was discovered in PoDoFo 0.9.5. There is an Excessive 
...)
-       - libpodofo <unfixed> (low; bug #916585)
+       - libpodofo 0.9.6+dfsg-4 (low; bug #916585)
        [stretch] - libpodofo <no-dsa> (Minor issue)
        [jessie] - libpodofo <no-dsa> (Minor issue)
        [wheezy] - libpodofo <no-dsa> (Minor issue)
@@ -57130,7 +57133,7 @@ CVE-2018-5784 (In LibTIFF 4.0.9, there is an 
uncontrolled resource consumption i
        NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2772
        NOTE: Fixed by: 
https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
 CVE-2018-5783 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in 
the ...)
-       - libpodofo <unfixed> (bug #916142)
+       - libpodofo 0.9.6+dfsg-4 (bug #916142)
        [stretch] - libpodofo <no-dsa> (Minor issue)
        [jessie] - libpodofo <no-dsa> (Minor issue)
        [wheezy] - libpodofo <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/578c015de783e925e820dc5a23661d3e0f6ab2ba

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/578c015de783e925e820dc5a23661d3e0f6ab2ba
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] triage a few libpodofo CVEs

Reply via email to