On Tue, Jun 12, 2018 at 03:17:20PM +0200, Matthew Brincke wrote:
> I erred here, I think, AFAICS it

Errr, please, please do try to pay attention and be precise about what
fixed what and where.
Messing up CVE numbers in commit messages (and in messages in general)
is only going to cause *a lot* of confusion.

> @Mattia Rizzolo: Suggested action(s) to take: Correct the Debian security
> tracker to say "vulnerable (no DSA)" instead of "fixed" in Debian stretch
> (CVE-2017-5854). Fix the non-CVE'd bug too (in unstable, I'd think).

I'm sorry, I find your sentence far too easy to misunderstand, so I'm going
to ask for confirmation of what you really mean.
Please confirm all of the below, or correct it appropriately (I believe the
context is clear enough without any extra explanation of what every
single line means, but feel free to ask for any clarification).

# security-tracker.debian.org:
|diff --git a/data/CVE/list b/data/CVE/list
|index 0e480453ea..fd6015b0e0 100644
|--- a/data/CVE/list
|+++ b/data/CVE/list
|@@ -68732,11 +68732,12 @@ CVE-2017-5855 (The 
PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.c
|        NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1843
| CVE-2017-5854 (base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote 
attackers to ...)
|        {DLA-929-1}
|-       - libpodofo 0.9.4-5 (bug #854602)
|+       - libpodofo <unfixed> (bug #854602)
|+       [stretch] - libpodofo <no-dsa> (Minor issue)
|        [jessie] - libpodofo <no-dsa> (Minor issue)
|        NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp
|        NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
|-       NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1836
|+       NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870
| CVE-2017-5853 (Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows 
remote ...)
|        {DLA-929-1}
|        - libpodofo 0.9.4-5 (bug #854601)
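Review bot: the `{DLA-929-1}` marker on the CVE-2017-5854 entry is kept while the same entry is moved to `<unfixed>` and its upstream commit note is swapped from r1836 to r1870. That marker asserts that wheezy shipped a fix for this CVE, which can only be true if DLA-929-1 carried r1870; if it only carried r1836 (the pdfinfo fix that this thread is now attributing to bug #854605), the wheezy state is wrong in the same way the stretch state was and needs correcting next to the new `[stretch] - libpodofo <no-dsa>` line. Please verify the DLA contents before leaving the marker in place.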

# bugs.debian.org commands:
|unarchive 854602
|reopen 854602
|tag 854602 fixed-upstream # by https://sourceforge.net/p/podofo/code/1870
|tag 854605 fixed-upstream # by https://sourceforge.net/p/podofo/code/1836
|close 854605 0.9.4-5


# the packaging:
|diff --git a/debian/changelog b/debian/changelog
|index 7e53789..4d4aac2 100644
|--- a/debian/changelog
|+++ b/debian/changelog
|@@ -115,9 +115,9 @@ libpodofo (0.9.4-5) unstable; urgency=high
|   * Add upstream patches for security issues:
|     + CVE-2017-5853 Closes: #854601
|     + CVE-2017-6844 Closes: #861561
|-    + CVE-2017-5854 Closes: #854602
|     + CVE-2017-5886 Closes: #854604
|     + CVE-2017-7379 Closes: #859331
|+    + Fix NULL pointer dereference in pdfinfo.  Closes: #854605
|
|  -- Mattia Rizzolo <mat...@debian.org>  Wed, 03 May 2017 11:41:19 +0200
|
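Review bot: this hunk rewrites the already-released 0.9.4-5 changelog entry (dated 03 May 2017) in place, removing the CVE-2017-5854 line and adding `Closes: #854605`. Since that version is already in the archive, a `Closes:` added retroactively does nothing on the next upload and the changelog shipped in the 0.9.4-5 binaries is unaffected; it also erases the record that 0.9.4-5 claimed to fix CVE-2017-5854. Prefer leaving the old entry untouched and adding a new entry for the next upload stating that the patch shipped in 0.9.4-5 fixed #854605 (NULL pointer dereference in pdfinfo) and not CVE-2017-5854, which remains open; the manual `reopen`/`close` BTS commands listed above then do the actual bug-state work.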
|diff --git a/debian/patches/CVE-2017-5854.patch 
b/debian/patches/null-point-dereference.patch
|similarity index 78%
|rename from debian/patches/CVE-2017-5854.patch
|rename to debian/patches/null-point-dereference.patch
|index a9753c0..a40ed04 100644
|--- a/debian/patches/CVE-2017-5854.patch
|+++ b/debian/patches/null-point-dereference.patch
|@@ -1,8 +1,8 @@
|-Description: CVE-2017-5854
|+Description: Fix NULL pointer dereference in PdfInfo::GuessFormat 
(pdfinfo.cpp)
| Acked-By: Markus Koschany <a...@debian.org>
| Acked-By: Mattia Rizzolo <mat...@debian.org>
|-Last-Update: 2017-05-03
|-Bug-Debian: https://bugs.debian.org/854602
|+Last-Update: 2018-06-12
|+Bug-Debian: https://bugs.debian.org/854605
| Origin: https://sourceforge.net/p/podofo/code/1836
|
| --- a/tools/podofopdfinfo/pdfinfo.cpp
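Review bot: the DEP-3 header now points at bug #854605 and describes the pdfinfo NULL pointer dereference, but the new filename `null-point-dereference.patch` drops the word "pointer" and is generic: CVE-2017-5854 itself is also a NULL pointer dereference (in base/PdfOutputStream.cpp, per the tracker entry and the gentoo blog link above), so a name such as `bug854605-pdfinfo-null-deref.patch` would keep the two apart. `Last-Update` is also bumped to 2018-06-12 although the patch body (`Origin: .../code/1836`) is unchanged; a line in the Description saying only the metadata was corrected would stop the new date from being read as a code change.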
|diff --git a/debian/patches/series b/debian/patches/series
|index 07038c1..21657a4 100644
|--- a/debian/patches/series
|+++ b/debian/patches/series
|@@ -3,7 +3,7 @@ fix_test_on_32bit.patch
| spelling_fixes.patch
| CVE-2017-5852.patch
| CVE-2017-5853-and-CVE-2017-6844.patch
|-CVE-2017-5854.patch
|+null-point-dereference.patch
| CVE-2017-5855.patch
| CVE-2017-5886.patch
| CVE-2017-6840-and-CVE-2017-6842-and-CVE-2017-6843.patch
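Review bot: with `CVE-2017-5854.patch` gone from the series the package carries no patch for CVE-2017-5854 at all, which matches the `<unfixed>` state in the tracker hunk; the same upload should then add upstream r1870 (the commit the tracker hunk now names as the fix) as its own patch rather than leaving the CVE open. Keep this line in sync with whatever final filename the rename above settles on.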


Also, what about
https://security-tracker.debian.org/tracker/DLA-929-1
https://security-tracker.debian.org/tracker/DLA-968-1
Are they correct, or did they not fix some CVEs (like CVE-2017-5854)?
wheezy-lts has now ended, so fixes there can't land anymore, but I suppose
we could at least fix the metadata on the security-tracker (I'd need to
check with the LTS team though, I don't really know a thing about their
workflow).
The changes should be in
https://salsa.debian.org/debian/libpodofo/commits/wheezy - I would be
very happy if you could double check.

And if this is really going to reopen a CVE for stretch I'd need to
check with the security team if they need/want to do something extra as
well.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users