Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
I uploaded a new libpodofo cherry-picking two security patches from
upstream.
I was waiting to see if more CVEs were going to be fixed, but I guess
the rest will have to wait.
debdiff attached.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
diffstat for libpodofo-0.9.6+dfsg libpodofo-0.9.6+dfsg
changelog | 8 +++++
patches/CVE-2019-9199.patch | 23 ++++++++++++++++
patches/CVE-2019-9687.patch | 61 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 94 insertions(+)
diff -Nru libpodofo-0.9.6+dfsg/debian/changelog libpodofo-0.9.6+dfsg/debian/changelog
--- libpodofo-0.9.6+dfsg/debian/changelog 2019-02-11 18:49:43.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/changelog 2019-04-21 17:13:10.000000000 +0200
@@ -1,3 +1,11 @@
+libpodofo (0.9.6+dfsg-5) unstable; urgency=medium
+
+ * Add upstream patches for security issues:
+ CVE-2019-9199 Closes: #923469
+ CVE-2019-9687 Closes: #924430
+
+ -- Mattia Rizzolo <mattia@debian.org> Sun, 21 Apr 2019 17:13:10 +0200
+
libpodofo (0.9.6+dfsg-4) unstable; urgency=medium
* Add upstream patches for security issues:
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch
--- libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch 2019-03-27 15:48:28.000000000 +0100
@@ -0,0 +1,23 @@
+Description: CVE-2019-9199 - NULL pointer dereference
+Author: Matthew Brincke
+Origin: upstream, https://sourceforge.net/p/podofo/code/1971/
+Bug: https://sourceforge.net/p/podofo/tickets/40/
+Bug-Debian: https://bugs.debian.org/923469
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-9199
+
+--- a/tools/podofoimpose/pdftranslator.cpp
++++ b/tools/podofoimpose/pdftranslator.cpp
+@@ -148,7 +148,12 @@
+ // std::cerr << "Document has "<< pcount << " page(s) " << endl;
+ if ( pcount > 0 ) // only here to avoid possible segfault, but PDF without page is not conform IIRC
+ {
+- PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
++ PoDoFo::PdfPage* pFirstPage = sourceDoc->GetPage ( 0 );
++ if ( NULL == pFirstPage ) // Fixes CVE-2019-9199 (issue #40)
++ {
++ PODOFO_RAISE_ERROR_INFO( ePdfError_PageNotFound, "First page (0) of source document not found" );
++ }
++ PoDoFo::PdfRect rect ( pFirstPage->GetMediaBox() );
+ // keep in mind it’s just a hint since PDF can have different page sizes in a same doc
+ sourceWidth = rect.GetWidth() - rect.GetLeft();
+ sourceHeight = rect.GetHeight() - rect.GetBottom() ;
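Review bot: The existing comment on the `if ( pcount > 0 )` line ("only here to avoid possible segfault") is now misleading, because the fix shows that a positive page count does not guarantee `GetPage ( 0 )` returns a non-NULL page. I would reword it to something like `// pcount > 0 does not imply GetPage(0) != NULL; the result is checked below`. The guard sits at this one call site in the podofoimpose tool, so any other caller that dereferences the result of `GetPage` directly would presumably need the same check; none are visible in this hunk. The enclosing function starts and ends outside the hunk.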
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch
--- libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch 2019-03-27 15:56:25.000000000 +0100
@@ -0,0 +1,61 @@
+Description: CVE-2019-9687 - heap-based buffer overflow in PdfString::ConvertUTF16toUTF8
+Origin: upstream, https://sourceforge.net/p/podofo/code/1969
+Bug-Debian: https://bugs.debian.org/924430
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-9687
+
+--- a/src/base/PdfString.cpp
++++ b/src/base/PdfString.cpp
+@@ -626,8 +626,19 @@
+ pdf_long lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()),
+ this->GetUnicodeLength(),
+ reinterpret_cast<pdf_utf8*>(pBuffer), lBufferLen, ePdfStringConversion_Lenient );
++ if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination here vs. 1 byte there
++ {
++ pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 ) );
++ if( !pBuffer )
++ {
++ PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
++ }
++ if (lUtf8 - 1 > lBufferLen)
++ lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()),
++ this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer), lUtf8 + 1);
++ }
+
+- pBuffer[lUtf8-1] = '\0';
++ pBuffer[lUtf8 - 1] = '\0';
+ pBuffer[lUtf8] = '\0';
+ m_sUtf8 = pBuffer;
+ podofo_free( pBuffer );
+@@ -811,6 +822,7 @@
+ return ConvertUTF16toUTF8( pszUtf16, lLen, pszUtf8, lLenUtf8 );
+ }
+
++// returns used, or if not enough memory passed in, needed length incl. 1 byte termination
+ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long lLenUtf16,
+ pdf_utf8* pszUtf8, pdf_long lLenUtf8,
+ EPdfStringConversion eConversion )
+@@ -828,12 +840,21 @@
+ size_t sLength = lLenUtf16;
+ size_t resultBufLength = lLenUtf8;
+
+- u16_to_u8 ( s, sLength, pResultBuf, &resultBufLength);
++ uint8_t* pReturnBuf = u16_to_u8( s, sLength, pResultBuf, &resultBufLength );
++ if (pReturnBuf != pResultBuf)
++ {
++ free(pReturnBuf); // allocated by libunistring, so don't use podofo_free()
++ PdfError::LogMessage( eLogSeverity_Warning, "Output string size too little to hold it\n" );
++ return resultBufLength + 1;
++ }
+
+ pdf_long lBufferLen = PODOFO_MIN( static_cast<pdf_long>(resultBufLength + 1), lLenUtf8 );
+
+- // Make sure buffer is 0 termnated
+- pszUtf8[resultBufLength] = 0;
++ // Make sure buffer is 0 terminated
++ if ( static_cast<pdf_long>(resultBufLength + 1) <= lLenUtf8 )
++ pszUtf8[resultBufLength] = 0;
++ else
++ return resultBufLength + 1; // means: check for this in the caller to detect non-termination
+
+ return lBufferLen;
+ }
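Review bot: In `ConvertUTF16toUTF8` the new `if (pReturnBuf != pResultBuf)` branch also fires when `u16_to_u8` fails and returns NULL (libunistring does this for invalid input or allocation failure). That case is then logged as "Output string size too little", and the length returned comes from a `resultBufLength` that the failed call is not guaranteed to have updated. The caller in the first inner hunk would then grow `pBuffer` and, depending on the value returned, may skip the retry and build `m_sUtf8` from bytes the conversion never wrote. Testing `if ( NULL == pReturnBuf )` first and raising an error there would keep malformed UTF-16 from a PDF out of the resize path. Separately, the retry call passes four arguments, so it drops `ePdfStringConversion_Lenient`, and its return value is not re-checked before `pBuffer[lUtf8]` is written; both function bodies extend outside the hunks shown.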
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/series libpodofo-0.9.6+dfsg/debian/patches/series
--- libpodofo-0.9.6+dfsg/debian/patches/series 2019-02-11 18:44:03.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/series 2019-03-27 15:54:01.000000000 +0100
@@ -10,3 +10,5 @@
CVE-2018-14320.patch
CVE-2018-19532.patch
CVE-2018-20751.patch
+CVE-2019-9199.patch
+CVE-2019-9687.patch