
Bug#927704: marked as done (unblock: libpodofo/0.9.6+dfsg-5)



Your message dated Sun, 21 Apr 2019 16:16:00 +0000
with message-id <a09d41a7-cd23-5908-82d0-a1f822430f72@thykier.net>
and subject line Re: Bug#927704: unblock: libpodofo/0.9.6+dfsg-5
has caused the Debian Bug report #927704,
regarding unblock: libpodofo/0.9.6+dfsg-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927704: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927704
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock

I uploaded a new libpodofo cherry-picking two security patches from
upstream.

I was waiting to see if more CVEs were going to be fixed, but I guess
the rest will have to wait.

debdiff attached.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
diffstat for libpodofo-0.9.6+dfsg libpodofo-0.9.6+dfsg

 changelog                   |    8 +++++
 patches/CVE-2019-9199.patch |   23 ++++++++++++++++
 patches/CVE-2019-9687.patch |   61 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    2 +
 4 files changed, 94 insertions(+)

diff -Nru libpodofo-0.9.6+dfsg/debian/changelog libpodofo-0.9.6+dfsg/debian/changelog
--- libpodofo-0.9.6+dfsg/debian/changelog	2019-02-11 18:49:43.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/changelog	2019-04-21 17:13:10.000000000 +0200
@@ -1,3 +1,11 @@
+libpodofo (0.9.6+dfsg-5) unstable; urgency=medium
+
+  * Add upstream patches for security issues:
+    CVE-2019-9199 Closes: #923469
+    CVE-2019-9687 Closes: #924430
+
+ -- Mattia Rizzolo <mattia@debian.org>  Sun, 21 Apr 2019 17:13:10 +0200
+
 libpodofo (0.9.6+dfsg-4) unstable; urgency=medium
 
   * Add upstream patches for security issues:
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch
--- libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch	2019-03-27 15:48:28.000000000 +0100
@@ -0,0 +1,23 @@
+Description: CVE-2019-9199 - NULL pointer dereference
+Author: Matthew Brincke
+Origin: upstream, https://sourceforge.net/p/podofo/code/1971/
+Bug: https://sourceforge.net/p/podofo/tickets/40/
+Bug-Debian: https://bugs.debian.org/923469
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-9199
+
+--- a/tools/podofoimpose/pdftranslator.cpp
++++ b/tools/podofoimpose/pdftranslator.cpp
+@@ -148,7 +148,12 @@
+ // 	std::cerr << "Document has "<< pcount << " page(s) " << endl;
+ 			if ( pcount > 0 ) // only here to avoid possible segfault, but PDF without page is not conform IIRC
+ 			{
+-				PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
++                PoDoFo::PdfPage* pFirstPage = sourceDoc->GetPage ( 0 );
++                if ( NULL == pFirstPage ) // Fixes CVE-2019-9199 (issue #40)
++                {
++                    PODOFO_RAISE_ERROR_INFO( ePdfError_PageNotFound, "First page (0) of source document not found" );
++                }
++                PoDoFo::PdfRect rect ( pFirstPage->GetMediaBox() );
+ 				// keep in mind it’s just a hint since PDF can have different page sizes in a same doc
+ 				sourceWidth =  rect.GetWidth() - rect.GetLeft();
+ 				sourceHeight =  rect.GetHeight() - rect.GetBottom() ;
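Review bot: the six added lines are indented with spaces while the surrounding pdftranslator.cpp block uses tabs, so `PoDoFo::PdfPage* pFirstPage = sourceDoc->GetPage ( 0 );` and the `if ( NULL == pFirstPage )` guard render out of line with the `if ( pcount > 0 )` they sit inside; re-indent them with tabs to match. The check itself is the right fail-closed shape: `GetPage ( 0 )` can return NULL even when `pcount > 0`, and raising `ePdfError_PageNotFound` before `->GetMediaBox()` is what removes the null dereference the patch header attributes to CVE-2019-9199.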
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch
--- libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch	2019-03-27 15:56:25.000000000 +0100
@@ -0,0 +1,61 @@
+Description: CVE-2019-9687 - heap-based buffer overflow in PdfString::ConvertUTF16toUTF8
+Origin: upstream, https://sourceforge.net/p/podofo/code/1969
+Bug-Debian: https://bugs.debian.org/924430
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-9687
+
+--- a/src/base/PdfString.cpp
++++ b/src/base/PdfString.cpp
+@@ -626,8 +626,19 @@
+         pdf_long lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()), 
+                                                     this->GetUnicodeLength(), 
+                                                     reinterpret_cast<pdf_utf8*>(pBuffer), lBufferLen, ePdfStringConversion_Lenient );
++        if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination here vs. 1 byte there
++        {
++            pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 ) );
++            if( !pBuffer )
++            {
++                PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
++            }
++            if (lUtf8 - 1 > lBufferLen)
++                lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()),
++                                                       this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer), lUtf8 + 1);
++        }
+ 
+-        pBuffer[lUtf8-1] = '\0';
++        pBuffer[lUtf8 - 1] = '\0';
+         pBuffer[lUtf8] = '\0';
+         m_sUtf8 = pBuffer;
+         podofo_free( pBuffer );
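Review bot: the retry call inside the realloc branch drops the `ePdfStringConversion_Lenient` argument that the first `ConvertUTF16toUTF8` call passes, so it resolves to the four-argument form and runs with whatever conversion mode that form defaults to; unless that default is lenient, a string that converted on the first pass can be handled strictly on the second, with a different result or an error from the same input. Pass the same conversion mode in both calls. Separately, the condition `if (lUtf8 - 1 > lBufferLen)` relies on a subtle property of the callee (when the output fits but only the terminator does not, it returns the needed length after having already written the data, so no re-conversion is required); a one-line comment stating that next to the condition would save the next reader from reconstructing it from the callee's return contract.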
+@@ -811,6 +822,7 @@
+     return ConvertUTF16toUTF8( pszUtf16, lLen, pszUtf8, lLenUtf8 );
+ }
+ 
++// returns used, or if not enough memory passed in, needed length incl. 1 byte termination
+ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long lLenUtf16, 
+                                     pdf_utf8* pszUtf8, pdf_long lLenUtf8, 
+                                     EPdfStringConversion eConversion  )
+@@ -828,12 +840,21 @@
+     size_t sLength = lLenUtf16;
+     size_t resultBufLength = lLenUtf8;
+ 
+-    u16_to_u8 ( s, sLength, pResultBuf, &resultBufLength);
++    uint8_t* pReturnBuf = u16_to_u8( s, sLength, pResultBuf, &resultBufLength );
++    if (pReturnBuf != pResultBuf)
++    {
++        free(pReturnBuf); // allocated by libunistring, so don't use podofo_free()
++        PdfError::LogMessage( eLogSeverity_Warning, "Output string size too little to hold it\n" );
++        return resultBufLength + 1;
++    }
+ 
+     pdf_long lBufferLen = PODOFO_MIN( static_cast<pdf_long>(resultBufLength + 1), lLenUtf8 );
+ 
+-    // Make sure buffer is 0 termnated
+-    pszUtf8[resultBufLength] = 0; 
++    // Make sure buffer is 0 terminated
++    if ( static_cast<pdf_long>(resultBufLength + 1) <= lLenUtf8 )
++        pszUtf8[resultBufLength] = 0;
++    else
++        return resultBufLength + 1; // means: check for this in the caller to detect non-termination
+     
+     return lBufferLen;
+ }
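Review bot: `if (pReturnBuf != pResultBuf)` also matches a NULL return, which is how libunistring's `u16_to_u8` reports a conversion error or allocation failure (with errno set), so that case gets logged as "Output string size too little to hold it" and reported to the caller as a needed length of `resultBufLength + 1` even though `resultBufLength` is not meaningful then. Test `pReturnBuf == NULL` first and raise (the caller hunk already uses `ePdfError_OutOfMemory` for its own allocation failure), and only treat a non-NULL pointer that differs from `pResultBuf` as the too-small case. Using plain `free()` rather than `podofo_free()` on that buffer is correct, as the inline comment notes, since libunistring allocated it.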
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/series libpodofo-0.9.6+dfsg/debian/patches/series
--- libpodofo-0.9.6+dfsg/debian/patches/series	2019-02-11 18:44:03.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/series	2019-03-27 15:54:01.000000000 +0100
@@ -10,3 +10,5 @@
 CVE-2018-14320.patch
 CVE-2018-19532.patch
 CVE-2018-20751.patch
+CVE-2019-9199.patch
+CVE-2019-9687.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Mattia Rizzolo:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> I uploaded a new libpodofo cherry-picking two security patches from
> upstream.
> 
> I was waiting to see if more CVEs were going to be fixed, but I guess
> the rest will have to wait.
> 
> debdiff attached.
> 

Unblocked, thanks.
~Niels

--- End Message ---
