Re: [Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

2018-07-13 Thread Matthew Brincke
Hello Mattia, hello Dominik, hello all,
> On 13 July 2018 at 14:30 Mattia Rizzolo  wrote:
> 
> 
> On Fri, Jul 13, 2018 at 08:17:31AM +0200, Dominik Seichter via Podofo-users 
> wrote:
> > I tagged the podofo-0.9.6 release already and also provided the tarball on
> > sourceforge. There was no official announcement though, yet.
> 
> Right, and I already stumbled on the first issue (that wasn't in the
> rc1): https://sourceforge.net/p/podofo/mailman/message/36363656/ :)
> > I still think we should release 0.9.6, as the status of 0.9.6 is not worse
> > than 0.9.5 (PLEASE CORRECT ME IF I AM WRONG HERE!).

PoDoFo 0.9.5 was released despite these 5 crashes:
https://sourceforge.net/p/podofo/mailman/message/35640936/ which then got CVE IDs,
whereas in PoDoFo 0.9.6 there are 11 CVEs unfixed:
CVE-2018-5783 [1], CVE-2018-6253 [2], CVE-2018-8002 [3],
CVE-2018-11254 [4], CVE-2018-11255 [5], CVE-2018-11256 [6],
CVE-2018-12982 [7] whose description is IMO incorrect (the actual bug is 1-2
levels up the stack, please see PoDoFo issue #22), CVE-2018-12983 [8] and three ones
mistakenly declared fixed in the Debian libpodofo change log (see below).

> > Nonetheless, we should concentrate on fixing CVEs in a follow-up release. If
> > fixes are ready, I can provide another release 0.9.7 in short time.
That sounds good. A security-update release would usually use a four-component
version number, i.e. 0.9.6.1 here, no? On the other hand: I'd like to introduce
other crash/exception fixes too (for PdfOutlineItem and podofocolor) ...

> 
> I agree. I mean, it's a pity that there are known security
> vulnerabilities, but at this point several months (year+ really) passed
> and continued cherry-picking is not so great after a while.
> Not to mention, I fear the CVEs are going to keep coming...
> > On Thu, Jul 12, 2018 at 3:16 PM, Matthew Brincke  wrote:
> > > firstly I apologize (especially in case the delay in reaction
> > > on my part is the reason PoDoFo 0.9.6 was released with CVEs
> > > unfixed, for some of them see below in the original message)
> > > for having been busy with another project and not squeezing
> > > this in-between,
> 
> I don't think you should apologize for any of this.
Thank you.
> > > I also was unsure about you (Mattia) possibly being on vacation.
> 
> Alas, I'm not able to go on vacation long enough for anybody to notice…
> :(
I feel sorry for you (and tired ;-( ) ...

> > > (in the Debian changelog they had been
> > > mistakenly declared as fixed, and I didn't dare to send a 2nd
> > > e-mail or a bug report: I now fear this was wrong of me, so I
> > > apologize).
> 
> Apart from the situation in wheezy (which can't be changed anymore), I
> believe everything is fine now - at least in debian's git (pending the
> fix for the thing above). Please correct me if I'm wrong.

It's not just "the situation in wheezy": CVE-2017-738[123] are still
unfixed in 0.9.6 (upstream tag RELEASE_0_9_6) and therefore also in Debian
unstable (@Mattia: please don't upload until at least these 3 are fixed, I
can do that, possibly already this weekend, @Dominik: any objections?) and
experimental (the rc1).

In short: I'd like it more if 0.9.6 was the -rc2 for it ;-) ... because then
a future 0.9.6 (even last number) could be a stable/no known bugs release,
and the next one, 0.9.7 (odd last number) a development release like 0.9.5 ...
I'm sorry for having neglected to write that before so you (Dominik) couldn't
know I had hoped for that ... ;-)
I'm also rueful for having put off fixing bugs until you (Dominik) made sure
no further ones could go in 0.9.6 by tagging it, of course. I actually feel
punished by having been surprised by it (there was not even a warning by
private e-mail some days in advance, even if no public one was made). 

> 
> -- 
> regards,
>  Mattia Rizzolo
> 

Best regards, mabri

[1] https://security-tracker.debian.org/tracker/CVE-2018-5783
[2] https://security-tracker.debian.org/tracker/CVE-2018-6253
[3] https://security-tracker.debian.org/tracker/CVE-2018-8002
[4] https://security-tracker.debian.org/tracker/CVE-2018-11254
[5] https://security-tracker.debian.org/tracker/CVE-2018-11255
[6] https://security-tracker.debian.org/tracker/CVE-2018-11256
[7] https://security-tracker.debian.org/tracker/CVE-2018-12982
[8] https://security-tracker.debian.org/tracker/CVE-2018-12983

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users


Re: [Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

2018-07-13 Thread Dominik Seichter via Podofo-users
Hi Matthew et al.

I tagged the podofo-0.9.6 release already and also provided the tarball on
sourceforge. There was no official announcement though, yet.

I still think we should release 0.9.6, as the status of 0.9.6 is not worse
than 0.9.5 (PLEASE CORRECT ME IF I AM WRONG HERE!).
Nonetheless, we should concentrate on fixing CVEs in a follow-up release. If
fixes are ready, I can provide another release 0.9.7 in short time.

Is that approach fine for the participants of the discussion?

Best regards,
 Dominik

On Thu, Jul 12, 2018 at 3:16 PM, Matthew Brincke  wrote:

> Hello Mattia, hello all,
>
> firstly I apologize (especially in case the delay in reaction
> on my part is the reason PoDoFo 0.9.6 was released with CVEs
> unfixed, for some of them see below in the original message)
> for having been busy with another project and not squeezing
> this in-between, I also was unsure about you (Mattia) possibly
> being on vacation.
> As it seems to me my original e-mail (see below) was missed,
> I'm sending it again, but this time also to the podofo-users
> list because I think now that version 0.9.6 has already been
> released (IMNSHO prematurely, because of the CVEs and non-free
> code in it) it's high time the project and its users get to
> know them at last (in the Debian changelog they had been
> mistakenly declared as fixed, and I didn't dare to send a 2nd
> e-mail or a bug report: I now fear this was wrong of me, so I
> apologize).
> NB: Note that, contrary to what is in the "Original message"
> below (I left it in so the reasoning for why I didn't send it
> to the list stays intact), this has the earlier e-mail quotes
> mostly snipped (as what was in them is now done), for reasons of
> bandwidth economy, these paragraphs are already long enough ...
>
> Best regards, mabri
>
> -- Original Message --
> From: Matthew Brincke 
> To: mat...@mapreri.org
> Date: 14 June 2018 at 01:37 CEST
> Subject: Re: [Podofo-users] CVE confusion, also in Debian (was: Re: Next
> PoDoFo Release 0.9.6)
> Hello Mattia,
>
> I'm full-quoting my previous email because it was rejected by the
> list server on account of an IP-address ban and I sent it to you
> as a forward as you probably wouldn't like to get the same email
> again so I'll avoid sending it to the list, instead you get this,
> I hope this is OK. I've not pruned down this one because I don't
> know if you are regularly reading your Debian address these days,
> which I sent the forward before (this Tuesday) to. In case of
> that being a mistake, I'm sorry.
> For the new info, please see my addition below (bad news).
> > On 12 June 2018 at 22:21 Matthew Brincke  wrote:
> >
> >
> > Hello Mattia, hello all,
> > > On 12 June 2018 at 16:25 Mattia Rizzolo  wrote:
> > >
> > >
> ... snip ...
> > > Also, what about
> > > https://security-tracker.debian.org/tracker/DLA-929-1
> > > https://security-tracker.debian.org/tracker/DLA-968-1
> > > Are they correct or they didn't fix some CVEs (like CVE-2017-5854)?
> >
> > The DLA-929-1 did not fix the CVE-2017-5854 either (the patch supposedly
> > doing that is the same change as in upstream svn r1836, so it can't).
> > The DLA-968-1 doesn't look suspect to me, though I haven't checked in
> > detail (having been busy with historical digital artifacts ;-) ).
> ... snip ...
> > > The changes should be in
> > > https://salsa.debian.org/debian/libpodofo/commits/wheezy - I would be
> > > very happy if you could double check.
> > I could probably do that tomorrow, now I'd like to get this e-mail sent.
>
> Upon detailed inspection, which I mostly did yesterday (Wednesday) like I
> promised, I found the claim in DLA-968-1's d/patches/CVE-2017-7380.patch
> that it also fixes CVE-2017-7381 to CVE-2017-7383 to be very suspect, if
> not outright mistaken.
> For CVE-2017-7381: If m_pResources in src/doc/PdfPage.cpp:609 is NULL,
> i.e. the page doesn't have resources, not even inherited ones (for those,
> cf. src/doc/PdfPage.cpp:63 to the end of the constructor), dereferencing
> it to call a method is undefined behaviour (likely crash/vulnerability).
> The patch doesn't change that, so it doesn't fix this CVE AFAICS.
>
> For CVE-2017-7382: If the dictionary which is the value of/referred to
> by the /Font entry in the /Resources dictionary exists, the patch changes
> again nothing AFAICS (is the CVE ID bound to the specific reproducer?) so
> such a /Font dictionary without /Subtype entry (in the report, queried at
> src/doc/PdfFontFactory.cpp:200) can still trigger the bug (AFAICS,
> untested).
>
> For CVE-2017-7383: The same except for /Type (in the report, queried at
> src/doc/PdfFontFactory.cpp:195) instead of /Subtype makes this unfixed.
>
> > >
> > > And if this is really going to reopen a CVE for stretch I'd need to
> > > check with the security team if they need/want to do something extra as
> > > well.
> > >
> > Please do, thank you.
> >
> > > --
> > > regards,
> > >  Mattia Rizzolo
> > >
> > Best regards, mabri
>
> 

[Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

2018-07-12 Thread Matthew Brincke
Hello Mattia, hello all,

firstly I apologize (especially in case the delay in reaction
on my part is the reason PoDoFo 0.9.6 was released with CVEs
unfixed, for some of them see below in the original message)
for having been busy with another project and not squeezing
this in-between, I also was unsure about you (Mattia) possibly
being on vacation.  
As it seems to me my original e-mail (see below) was missed,
I'm sending it again, but this time also to the podofo-users
list because I think now that version 0.9.6 has already been
released (IMNSHO prematurely, because of the CVEs and non-free
code in it) it's high time the project and its users get to
know them at last (in the Debian changelog they had been
mistakenly declared as fixed, and I didn't dare to send a 2nd
e-mail or a bug report: I now fear this was wrong of me, so I
apologize).
NB: Note that, contrary to what is in the "Original message"
below (I left it in so the reasoning for why I didn't send it
to the list stays intact), this has the earlier e-mail quotes
mostly snipped (as what was in them is now done), for reasons of
bandwidth economy, these paragraphs are already long enough ... 

Best regards, mabri

-- Original Message --
From: Matthew Brincke 
To: mat...@mapreri.org
Date: 14 June 2018 at 01:37 CEST
Subject: Re: [Podofo-users] CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)
Hello Mattia,

I'm full-quoting my previous email because it was rejected by the
list server on account of an IP-address ban and I sent it to you
as a forward as you probably wouldn't like to get the same email
again so I'll avoid sending it to the list, instead you get this,
I hope this is OK. I've not pruned down this one because I don't
know if you are regularly reading your Debian address these days,
which I sent the forward before (this Tuesday) to. In case of
that being a mistake, I'm sorry.
For the new info, please see my addition below (bad news).
> On 12 June 2018 at 22:21 Matthew Brincke  wrote:
> 
> 
> Hello Mattia, hello all,
> > On 12 June 2018 at 16:25 Mattia Rizzolo  wrote:
> > 
> > 
... snip ... 
> > Also, what about
> > https://security-tracker.debian.org/tracker/DLA-929-1
> > https://security-tracker.debian.org/tracker/DLA-968-1
> > Are they correct or they didn't fix some CVEs (like CVE-2017-5854)?
> 
> The DLA-929-1 did not fix the CVE-2017-5854 either (the patch supposedly
> doing that is the same change as in upstream svn r1836, so it can't).
> The DLA-968-1 doesn't look suspect to me, though I haven't checked in
> detail (having been busy with historical digital artifacts ;-) ).
... snip ...
> > The changes should be in
> > https://salsa.debian.org/debian/libpodofo/commits/wheezy - I would be
> > very happy if you could double check.
> I could probably do that tomorrow, now I'd like to get this e-mail sent.

Upon detailed inspection, which I mostly did yesterday (Wednesday) like I
promised, I found the claim in DLA-968-1's d/patches/CVE-2017-7380.patch
that it also fixes CVE-2017-7381 to CVE-2017-7383 to be very suspect, if
not outright mistaken.
For CVE-2017-7381: If m_pResources in src/doc/PdfPage.cpp:609 is NULL,
i.e. the page doesn't have resources, not even inherited ones (for those,
cf. src/doc/PdfPage.cpp:63 to the end of the constructor), dereferencing
it to call a method is undefined behaviour (likely crash/vulnerability).
The patch doesn't change that, so it doesn't fix this CVE AFAICS.

For CVE-2017-7382: If the dictionary which is the value of/referred to
by the /Font entry in the /Resources dictionary exists, the patch changes
again nothing AFAICS (is the CVE ID bound to the specific reproducer?) so
such a /Font dictionary without /Subtype entry (in the report, queried at
src/doc/PdfFontFactory.cpp:200) can still trigger the bug (AFAICS, untested).

For CVE-2017-7383: The same except for /Type (in the report, queried at
src/doc/PdfFontFactory.cpp:195) instead of /Subtype makes this unfixed.

> > 
> > And if this is really going to reopen a CVE for stretch I'd need to
> > check with the security team if they need/want to do something extra as
> > well.
> > 
> Please do, thank you.
> 
> > -- 
> > regards,
> >  Mattia Rizzolo
> > 
> Best regards, mabri
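The three unchecked cases described in the message above (a page without any resource dictionary, a /Font dictionary without /Type, and one without /Subtype), as an added illustration of what a fixed lookup has to guard against. This is not PoDoFo's code: PdfDict, FontLookup and resolveFontSubtype are placeholders standing in for PdfDictionary and the PdfPage/PdfFontFactory path, and the sample dictionaries are constructed.

```cpp
// Added illustration, not PoDoFo's code: the three unchecked cases from the
// message above, handled in one lookup. PdfDict stands in for PdfDictionary.
#include <map>
#include <string>

struct PdfDict {
    std::map<std::string, const PdfDict*> dicts;   // entries whose value is a dictionary
    std::map<std::string, std::string> names;      // entries whose value is a name, e.g. /Subtype
    const PdfDict* getDict(const std::string& key) const {
        auto it = dicts.find(key);
        return it == dicts.end() ? nullptr : it->second;
    }
    const std::string* getName(const std::string& key) const {
        auto it = names.find(key);
        return it == names.end() ? nullptr : &it->second;
    }
};

enum class FontLookup { Ok, NoResources, NoFontDict, NoSuchFont, NoType, WrongType, NoSubtype };

// resources is the page's resource dictionary, or nullptr when the page has
// none (not even inherited): the CVE-2017-7381 situation, where the code
// discussed above dereferences it unconditionally.
FontLookup resolveFontSubtype(const PdfDict* resources, const std::string& fontName,
                              std::string& subtypeOut)
{
    if (resources == nullptr) return FontLookup::NoResources;   // CVE-2017-7381 case
    const PdfDict* fonts = resources->getDict("Font");
    if (fonts == nullptr) return FontLookup::NoFontDict;
    const PdfDict* font = fonts->getDict(fontName);
    if (font == nullptr) return FontLookup::NoSuchFont;
    const std::string* type = font->getName("Type");             // the /Type query
    if (type == nullptr) return FontLookup::NoType;              // CVE-2017-7383 case
    if (*type != "Font") return FontLookup::WrongType;
    const std::string* subtype = font->getName("Subtype");       // the /Subtype query
    if (subtype == nullptr) return FontLookup::NoSubtype;        // CVE-2017-7382 case
    subtypeOut = *subtype;
    return FontLookup::Ok;
}

// Constructed sample: a /Font dictionary that carries /Type but no /Subtype.
FontLookup sampleMissingSubtype()
{
    PdfDict f1; f1.names["Type"] = "Font";
    PdfDict fonts; fonts.dicts["F1"] = &f1;
    PdfDict resources; resources.dicts["Font"] = &fonts;
    std::string subtype;
    return resolveFontSubtype(&resources, "F1", subtype);
}
```

Every early return is a place where the caller gets an error instead of a crash; in PoDoFo terms that is where a PdfError would be raised rather than a NULL pointer dereferenced.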



Re: [Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

2018-07-09 Thread Mattia Rizzolo
On Fri, Jun 15, 2018 at 10:47:14AM +0200, Mattia Rizzolo wrote:
> Thanks for all your help, and sorry for the delay in dealing with this.

Now that 0.9.6 is out I took my time and had a look at also the new CVEs
that appeared this year.  I've reported them in the podofo issue
tracker (there are also some specifically against 0.9.6-rc1 !).


Also, I've committed these changes according to what had been written in
the several issues on upstream:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5a88ada26271b6f2e12ebcb3dd2bacfa0f20e1eb.patch
https://salsa.debian.org/debian/libpodofo/commit/9d6b7844377f8444fc4d5c73ccc103eac5facb35


Just FYI, but I believe at this point all the confusion is pretty much gone
already :)  (hopefully…)

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540
more about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia

