Source: libpodofo Version: 0.9.4-1 Severity: important Tags: upstream security
Hi, the following vulnerability was published for libpodofo. CVE-2017-8378[0]: | Heap-based buffer overflow in the PdfParser::ReadObjects function in | base/PdfParser.cpp in PoDoFo 0.9.5 allows remote attackers to cause a | denial of service (application crash) or possibly have unspecified | other impact via vectors related to m_offsets.size. AFAICS, but please double-check/confirm, the same issue is at least present in 0.9.4, the m_offsets.size is not checked. Or do I miss soemthing? If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-8378 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8378 [1] https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects Please adjust the affected versions in the BTS as needed, specifically older versions have not yet been checked. Regards, Salvatore _______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
