Re: [Podofo-users] CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

2018-06-12 Thread Mattia Rizzolo
On Tue, Jun 12, 2018 at 03:17:20PM +0200, Matthew Brincke wrote:
> I erred here, I think, AFAICS it

Errr, please, please do try to pay attention and be precise about what
fixed what and where.
Messing up CVE numbers in commit messages (and in messages in general)
is only going to cause *a lot* of confusion.

> @Mattia Rizzolo: Suggested action(s) to take: Correct the Debian security
> tracker to say "vulnerable (no DSA)" instead of "fixed" in Debian stretch
> (CVE-2017-5854). Fix the non-CVE'd bug too (in unstable, I'd think).

I'm sorry, I find your sentence way too misunderstandable, so I'm going
to ask for confirmation of what you really mean.
Please confirm all of the above, or correct appropriately (I believe the
context is clear enough without any extra explanation of what every
single line means, but feel free to ask for any clarification).

# security-tracker.debian.org:
|diff --git a/data/CVE/list b/data/CVE/list
|index 0e480453ea..fd6015b0e0 100644
|--- a/data/CVE/list
|+++ b/data/CVE/list
|@@ -68732,11 +68732,12 @@ CVE-2017-5855 (The 
PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.c
|NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1843
| CVE-2017-5854 (base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote 
attackers to ...)
|{DLA-929-1}
|-   - libpodofo 0.9.4-5 (bug #854602)
|+   - libpodofo  (bug #854602)
|+   [stretch] - libpodofo  (Minor issue)
|[jessie] - libpodofo  (Minor issue)
|NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp
|NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
|-   NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1836
|+   NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870
| CVE-2017-5853 (Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows 
remote ...)
|{DLA-929-1}
|- libpodofo 0.9.4-5 (bug #854601)
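Review bot: the `{DLA-929-1}` marker is kept on the CVE-2017-5854 entry while the upstream commit recorded for it changes from r1836 to r1870, so the tracker would still say the wheezy DLA fixed this CVE, now with a different commit; confirm what DLA-929-1 actually shipped before leaving that marker in place. Also, the version/state field on the added lines is blank (`+   - libpodofo  (bug #854602)`, `+   [stretch] - libpodofo  (Minor issue)`), which reads like an angle-bracket token stripped by the mail archive; make sure the intended state keyword is present in what gets committed.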

# bugs.debian.org commands:
|unarchive 854602
|reopen 854602
|tag 854602 fixed-upstream # by https://sourceforge.net/p/podofo/code/1870
|tag 854605 fixed-upstream # by https://sourceforge.net/p/podofo/code/1836
|close 854605 0.9.4-5


# the packaging:
|diff --git a/debian/changelog b/debian/changelog
|index 7e53789..4d4aac2 100644
|--- a/debian/changelog
|+++ b/debian/changelog
|@@ -115,9 +115,9 @@ libpodofo (0.9.4-5) unstable; urgency=high
|   * Add upstream patches for security issues:
| + CVE-2017-5853 Closes: #854601
| + CVE-2017-6844 Closes: #861561
|-+ CVE-2017-5854 Closes: #854602
| + CVE-2017-5886 Closes: #854604
| + CVE-2017-7379 Closes: #859331
|++ Fix NULL pointer dereference in pdfinfo.  Closes: #854605
|
|  -- Mattia Rizzolo   Wed, 03 May 2017 11:41:19 +0200
|
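Review bot: this hunk edits the already-released 0.9.4-5 changelog stanza (signed off Wed, 03 May 2017) by dropping the CVE-2017-5854 line and adding `++ Fix NULL pointer dereference in pdfinfo.  Closes: #854605`; rewriting a published entry silently changes what that upload claimed to fix, so the correction is better recorded in the next version's entry, with the old one left intact (or annotated from the new entry). If the line is kept, drop the double space before `Closes:`.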
|diff --git a/debian/patches/CVE-2017-5854.patch 
b/debian/patches/null-point-dereference.patch
|similarity index 78%
|rename from debian/patches/CVE-2017-5854.patch
|rename to debian/patches/null-point-dereference.patch
|index a9753c0..a40ed04 100644
|--- a/debian/patches/CVE-2017-5854.patch
|+++ b/debian/patches/null-point-dereference.patch
|@@ -1,8 +1,8 @@
|-Description: CVE-2017-5854
|+Description: Fix NULL pointer dereference in PdfInfo::GuessFormat 
(pdfinfo.cpp)
| Acked-By: Markus Koschany 
| Acked-By: Mattia Rizzolo 
|-Last-Update: 2017-05-03
|-Bug-Debian: https://bugs.debian.org/854602
|+Last-Update: 2018-06-12
|+Bug-Debian: https://bugs.debian.org/854605
| Origin: https://sourceforge.net/p/podofo/code/1836
|
| --- a/tools/podofopdfinfo/pdfinfo.cpp
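Review bot: the Description and Bug-Debian fields are corrected to the NULL pointer dereference and bug 854605, but `Origin: https://sourceforge.net/p/podofo/code/1836` is left unchanged even though, per the thread, that commit's own message mislabels it as a CVE-2017-5854 fix; add a comment line to the DEP-3 header saying that the upstream commit message is wrong, so the next person following the Origin link does not reintroduce the mix-up.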
|diff --git a/debian/patches/series b/debian/patches/series
|index 07038c1..21657a4 100644
|--- a/debian/patches/series
|+++ b/debian/patches/series
|@@ -3,7 +3,7 @@ fix_test_on_32bit.patch
| spelling_fixes.patch
| CVE-2017-5852.patch
| CVE-2017-5853-and-CVE-2017-6844.patch
|-CVE-2017-5854.patch
|+null-point-dereference.patch
| CVE-2017-5855.patch
| CVE-2017-5886.patch
| CVE-2017-6840-and-CVE-2017-6842-and-CVE-2017-6843.patch
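Review bot: after this rename there is no patch left in series for CVE-2017-5854 itself (r1870, per the tracker diff above), so the package correctly stops claiming that fix but also does not carry it; either add a backport of r1870 here under its own `CVE-2017-5854.patch`, or state explicitly in the changelog and tracker that the CVE is still open in unstable.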


Also, what about
https://security-tracker.debian.org/tracker/DLA-929-1
https://security-tracker.debian.org/tracker/DLA-968-1
Are they correct, or did they not fix some CVEs (like CVE-2017-5854)?
wheezy-lts has now ended, so fixes there can't land anymore, but I suppose
we could at least fix the metadata on the security-tracker (I'd need to
check with the LTS team though, I don't really know a thing about their
workflow).
The changes should be in
https://salsa.debian.org/debian/libpodofo/commits/wheezy - I would be
very happy if you could double check.

And if this is really going to reopen a CVE for stretch I'd need to
check with the security team if they need/want to do something extra as
well.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA 

[Podofo-users] CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

2018-06-12 Thread Matthew Brincke
Hello Dominik, hello all,
> On 26 January 2018 at 23:35 Matthew Brincke  wrote:
> 
> 
> [ Left Dominik in To to help him follow this thread, fixed text typos ]
> 
> Hello Dominik, hello all,
> 
> > Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37: 
> > Hi Mattia,
> >  
> > Thanks for the good summary! Let me comment on the open issues.
> >  
> > Unfixed security issues: 
... snip ...
> >   
> > Plus this one without CVE that was reported in this ML:  
> > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
> 
> This is *not* fixed yet. I also don't understand why it didn't get
> a CVE entry.
> 
I erred here, I think, AFAICS it did get fixed in svn r1836 on 7 April 2017: 
https://sourceforge.net/p/podofo/code/1836/

The problem is that the commit message of that is incorrect (doesn't have
anything to do with the change): "Fix for CVE-2017-5854" which was only
fixed (AFAICS, untested) in svn r1870 on 21 January 2018 not mentioning it: 
https://sourceforge.net/p/podofo/code/1870/ 
Neither does it mention CVE-2018-5308 which is the same bug (AFAICS of course).
Fortunately this is fixed in Debian (I don't know about other distros, I don't 
use them): https://security-tracker.debian.org/tracker/CVE-2018-5308 
A related bug mentioned there was fixed in svn r1876.

@Mattia Rizzolo: Suggested action(s) to take: Correct the Debian security
tracker to say "vulnerable (no DSA)" instead of "fixed" in Debian stretch
(CVE-2017-5854). Fix the non-CVE'd bug too (in unstable, I'd think).

> > (CVE-2017-8054 had a tentative patch)
> > -> Seems same as above and seems fixed.
> 
> The CVE, yes, contrary to the other one without a CVE entry.

My error, I'm sorry (the latter is fixed upstream, just not in Debian, I
don't know about other distributions).

> > 
> > Best regards,
> >  Dominik
> > 
> 
> Best regards, mabri
>  

Best regards, mabri

Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users