Hi Matthew et al.

I tagged the podofo-0.9.6 release already and also provided the tarball on
sourceforge. There was no official announcement though, yet.

I still think we should release 0.9.6, as the status of 0.9.6 is not worse
than 0.9.5 (PLEASE CORRECT ME IF I AM WRONG HERE!).
Nonetheless, we should concentrate on fixing CVEs in a follow-up release. If
fixes are ready, I can provide another release 0.9.7 in a short time.

Is that approach fine for the participants of the discussion?

Best regards,
 Dominik

On Thu, Jul 12, 2018 at 3:16 PM, Matthew Brincke <ma...@mailbox.org> wrote:

> Hello Mattia, hello all,
>
> firstly I apologize (especially in case the delay in reaction
> on my part is the reason PoDoFo 0.9.6 was released with CVEs
> unfixed, for some of them see below in the original message)
> for having been busy with another project and not squeezing
> this in-between, I also was unsure about you (Mattia) possibly
> being on vacation.
> As it seems to me my original e-mail (see below) was missed,
> I'm sending it again, but this time also to the podofo-users
> list because I think now that version 0.9.6 has already been
> released (IMNSHO prematurely, because of the CVEs and non-free
> code in it) it's high time the project and its users get to
> know them at last (in the Debian changelog they had been
> mistakenly declared as fixed, and I didn't dare to send a 2nd
> e-mail or a bug report: I now fear this was wrong of me, so I
> apologize).
> NB: Note that, contrary to what is in the "Original message"
> below (I left it in so the reasoning for why I didn't send it
> to the list stays intact), this has the earlier e-mail quotes
> mostly snipped (as what was in them is now done), for reasons of
> bandwidth economy, these paragraphs are already long enough ...
>
> Best regards, mabri
>
> ---------- Original Message ----------
> From: Matthew Brincke <ma...@mailbox.org>
> To: mat...@mapreri.org
> Date: 14 June 2018 at 01:37 CEST
> Subject: Re: [Podofo-users] CVE confusion, also in Debian (was: Re: Next
> PoDoFo Release 0.9.6)
> Hello Mattia,
>
> I'm full-quoting my previous email because it was rejected by the
> list server on account of an IP-address ban and I sent it to you
> as a forward as you probably wouldn't like to get the same email
> again so I'll avoid sending it to the list, instead you get this,
> I hope this is OK. I've not pruned down this one because I don't
> know if you are regularly reading your Debian address these days,
> which I sent the forward to before (this Tuesday). In case of
> that being a mistake, I'm sorry.
> For the new info, please see my addition below (bad news).
> > On 12 June 2018 at 22:21 Matthew Brincke <ma...@mailbox.org> wrote:
> >
> >
> > Hello Mattia, hello all,
> > > On 12 June 2018 at 16:25 Mattia Rizzolo <mat...@mapreri.org> wrote:
> > >
> > >
> ... snip ...
> > > Also, what about
> > > https://security-tracker.debian.org/tracker/DLA-929-1
> > > https://security-tracker.debian.org/tracker/DLA-968-1
> > > Are they correct or they didn't fix some CVEs (like CVE-2017-5854)?
> >
> > The DLA-929-1 did not fix the CVE-2017-5854 either (the patch supposedly
> > doing that is the same change as in upstream svn r1836, so it can't).
> > The DLA-968-1 doesn't look suspect to me, though I haven't checked in
> > detail (having been busy with historical digital artifacts ;-) ).
> ... snip ...
> > > The changes should be in
> > > https://salsa.debian.org/debian/libpodofo/commits/wheezy - I would be
> > > very happy if you could double check.
> > I could probably do that tomorrow, now I'd like to get this e-mail sent.
>
> Upon detailed inspection, which I mostly did yesterday (Wednesday) like I
> promised, I found the claim in DLA-968-1's d/patches/CVE-2017-7380.patch
> that it also fixes CVE-2017-7381 to CVE-2017-7383 to be very suspect, if
> not outright mistaken.
> For CVE-2017-7381: If m_pResources in src/doc/PdfPage.cpp:609 is NULL,
> i.e. the page doesn't have resources, not even inherited ones (for those,
> cf. src/doc/PdfPage.cpp:63 to the end of the constructor), dereferencing
> it to call a method is undefined behaviour (likely crash/vulnerability).
> The patch doesn't change that, so it doesn't fix this CVE AFAICS.
>
> For CVE-2017-7382: If the dictionary which is the value of/referred to
> by the /Font entry in the /Resources dictionary exists, the patch changes
> again nothing AFAICS (is the CVE ID bound to the specific reproducer?) so
> such a /Font dictionary without /Subtype entry (in the report, queried at
> src/doc/PdfFontFactory.cpp:200) can still trigger the bug (AFAICS,
> untested).
>
> For CVE-2017-7383: The same except for /Type (in the report, queried at
> src/doc/PdfFontFactory.cpp:195) instead of /Subtype makes this unfixed.
>
> > >
> > > And if this is really going to reopen a CVE for stretch I'd need to
> > > check with the security team if they need/want to do something extra as
> > > well.
> > >
> > Please do, thank you.
> >
> > > --
> > > regards,
> > >  Mattia Rizzolo
> > >
> > Best regards, mabri
>
> _______________________________________________
> Podofo-users mailing list
> Podofo-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/podofo-users
>
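The three unfixed cases Matthew describes above (a NULL resources pointer, a /Font dictionary with no /Subtype, and one with no /Type) all come down to dereferencing or looking up something without checking that it exists. The following added example is not PoDoFo's code; it uses a constructed stand-in for a PDF dictionary (PdfDict, lookupFontSubtype, makeFontResources are hypothetical names) to show the guarded lookup a fix for these reports would need, so each malformed input is reported instead of crashing.

```cpp
#include <map>
#include <string>

// Constructed stand-in for a PDF dictionary: an entry is either a nested
// dictionary (e.g. /Resources -> /Font -> /F1) or a name value (e.g. /Subtype).
struct PdfDict {
    std::map<std::string, PdfDict> dicts;     // sub-dictionary entries
    std::map<std::string, std::string> names; // name-valued entries
};

enum class FontLookup { Ok, NoResources, NoFontDict, NoFontEntry, NoType, NoSubtype };

// Guarded lookup of a font's /Subtype. `resources` is the page's /Resources
// dictionary and may be null (page without resources, not even inherited),
// which is the CVE-2017-7381 situation described in the e-mail.
FontLookup lookupFontSubtype(const PdfDict* resources, const std::string& fontName,
                             std::string* subtypeOut) {
    if (!resources) return FontLookup::NoResources;          // never dereference NULL
    auto fonts = resources->dicts.find("/Font");
    if (fonts == resources->dicts.end()) return FontLookup::NoFontDict;
    auto font = fonts->second.dicts.find(fontName);
    if (font == fonts->second.dicts.end()) return FontLookup::NoFontEntry;
    // CVE-2017-7383 pattern: font dictionary without a /Type entry.
    if (font->second.names.find("/Type") == font->second.names.end()) return FontLookup::NoType;
    // CVE-2017-7382 pattern: font dictionary without a /Subtype entry.
    auto sub = font->second.names.find("/Subtype");
    if (sub == font->second.names.end()) return FontLookup::NoSubtype;
    if (subtypeOut) *subtypeOut = sub->second;
    return FontLookup::Ok;
}

// Builds a constructed /Resources dictionary holding one font /F1, with the
// /Type and /Subtype entries optionally left out to model the malformed files.
PdfDict makeFontResources(bool withType, bool withSubtype) {
    PdfDict font;
    if (withType) font.names["/Type"] = "/Font";
    if (withSubtype) font.names["/Subtype"] = "/Type1";
    PdfDict fonts;
    fonts.dicts["/F1"] = font;
    PdfDict resources;
    resources.dicts["/Font"] = fonts;
    return resources;
}
```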