Package: release.debian.org User: release.debian....@packages.debian.org Usertags: unblock
I uploaded a new libpodofo cherry-picking two security patches from upstream. I was waiting to see if more CVEs were going to be fixed, but I guess the rest will have to wait. debdiff attached. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
diffstat for libpodofo-0.9.6+dfsg libpodofo-0.9.6+dfsg changelog | 8 +++++ patches/CVE-2019-9199.patch | 23 ++++++++++++++++ patches/CVE-2019-9687.patch | 61 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 + 4 files changed, 94 insertions(+)
diff -Nru libpodofo-0.9.6+dfsg/debian/changelog libpodofo-0.9.6+dfsg/debian/changelog
--- libpodofo-0.9.6+dfsg/debian/changelog 2019-02-11 18:49:43.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/changelog 2019-04-21 17:13:10.000000000 +0200
@@ -1,3 +1,11 @@
+libpodofo (0.9.6+dfsg-5) unstable; urgency=medium
+
+ * Add upstream patches for security issues:
+ CVE-2019-9199 Closes: #923469
+ CVE-2019-9687 Closes: #924430
+
+ -- Mattia Rizzolo <mat...@debian.org> Sun, 21 Apr 2019 17:13:10 +0200
+
 libpodofo (0.9.6+dfsg-4) unstable; urgency=medium

 * Add upstream patches for security issues:
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch
--- libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9199.patch 2019-03-27 15:48:28.000000000 +0100
@@ -0,0 +1,23 @@
+Description: CVE-2019-9199 - NULL pointer dereference
+Author: Matthew Brincke
+Origin: upstream, https://sourceforge.net/p/podofo/code/1971/
+Bug: https://sourceforge.net/p/podofo/tickets/40/
+Bug-Debian: https://bugs.debian.org/923469
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-9199
+
+--- a/tools/podofoimpose/pdftranslator.cpp
++++ b/tools/podofoimpose/pdftranslator.cpp
+@@ -148,7 +148,12 @@
+ // std::cerr << "Document has "<< pcount << " page(s) " << endl;
+ if ( pcount > 0 ) // only here to avoid possible segfault, but PDF without page is not conform IIRC
+ {
+- PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
++ PoDoFo::PdfPage* pFirstPage = sourceDoc->GetPage ( 0 );
++ if ( NULL == pFirstPage ) // Fixes CVE-2019-9199 (issue #40)
++ {
++ PODOFO_RAISE_ERROR_INFO( ePdfError_PageNotFound, "First page (0) of source document not found" );
++ }
++ PoDoFo::PdfRect rect ( pFirstPage->GetMediaBox() );
+ // keep in mind it’s just a hint since PDF can have different page sizes in a same doc
+ sourceWidth = rect.GetWidth() - rect.GetLeft();
+ sourceHeight = rect.GetHeight() - rect.GetBottom() ;
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch
--- libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch 1970-01-01 01:00:00.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/CVE-2019-9687.patch 2019-03-27 15:56:25.000000000 +0100
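Review bot: The NULL check added in tools/podofoimpose/pdftranslator.cpp guards only this one `GetPage ( 0 )` call, and nothing in the hunk says why GetPage() can return NULL once `pcount > 0` has passed. A comment above the check, such as `// GetPage() may return NULL even when the page count is positive (presumably a malformed page tree), so the count alone is not a sufficient guard`, would keep the next reader from treating the count test as enough. Other GetPage() callers in this file are outside the hunk; any that dereference the result directly presumably need the same check. The enclosing function starts and ends outside the hunk.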
@@ -0,0 +1,61 @@
+Description: CVE-2019-9687 - heap-based buffer overflow in PdfString::ConvertUTF16toUTF8
+Origin: upstream, https://sourceforge.net/p/podofo/code/1969
+Bug-Debian: https://bugs.debian.org/924430
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-9687
+
+--- a/src/base/PdfString.cpp
++++ b/src/base/PdfString.cpp
+@@ -626,8 +626,19 @@
+ pdf_long lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()),
+ this->GetUnicodeLength(),
+ reinterpret_cast<pdf_utf8*>(pBuffer), lBufferLen, ePdfStringConversion_Lenient );
++ if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination here vs. 1 byte there
++ {
++ pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 ) );
++ if( !pBuffer )
++ {
++ PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
++ }
++ if (lUtf8 - 1 > lBufferLen)
++ lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()),
++ this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer), lUtf8 + 1);
++ }
+
+- pBuffer[lUtf8-1] = '\0';
++ pBuffer[lUtf8 - 1] = '\0';
+ pBuffer[lUtf8] = '\0';
+ m_sUtf8 = pBuffer;
+ podofo_free( pBuffer );
+@@ -811,6 +822,7 @@
+ return ConvertUTF16toUTF8( pszUtf16, lLen, pszUtf8, lLenUtf8 );
+ }
+
++// returns used, or if not enough memory passed in, needed length incl. 1 byte termination
+ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long lLenUtf16,
+ pdf_utf8* pszUtf8, pdf_long lLenUtf8,
+ EPdfStringConversion eConversion )
+@@ -828,12 +840,21 @@
+ size_t sLength = lLenUtf16;
+ size_t resultBufLength = lLenUtf8;
+
+- u16_to_u8 ( s, sLength, pResultBuf, &resultBufLength);
++ uint8_t* pReturnBuf = u16_to_u8( s, sLength, pResultBuf, &resultBufLength );
++ if (pReturnBuf != pResultBuf)
++ {
++ free(pReturnBuf); // allocated by libunistring, so don't use podofo_free()
++ PdfError::LogMessage( eLogSeverity_Warning, "Output string size too little to hold it\n" );
++ return resultBufLength + 1;
++ }
+
+ pdf_long lBufferLen = PODOFO_MIN( static_cast<pdf_long>(resultBufLength + 1), lLenUtf8 );
+
+- // Make sure buffer is 0 termnated
+- pszUtf8[resultBufLength] = 0;
++ // Make sure buffer is 0 terminated
++ if ( static_cast<pdf_long>(resultBufLength + 1) <= lLenUtf8 )
++ pszUtf8[resultBufLength] = 0;
++ else
++ return resultBufLength + 1; // means: check for this in the caller to detect non-termination
+
+ return lBufferLen;
+ }
diff -Nru libpodofo-0.9.6+dfsg/debian/patches/series libpodofo-0.9.6+dfsg/debian/patches/series
--- libpodofo-0.9.6+dfsg/debian/patches/series 2019-02-11 18:44:03.000000000 +0100
+++ libpodofo-0.9.6+dfsg/debian/patches/series 2019-03-27 15:54:01.000000000 +0100
@@ -10,3 +10,5 @@
 CVE-2018-14320.patch
 CVE-2018-19532.patch
 CVE-2018-20751.patch
+CVE-2019-9199.patch
+CVE-2019-9687.patch
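Review bot: In the `@@ -828,12 +840,21 @@` hunk of src/base/PdfString.cpp, a NULL return from u16_to_u8() takes the same `pReturnBuf != pResultBuf` branch as a buffer that is merely too small. libunistring returns NULL when the conversion itself fails, and resultBufLength then need not hold a required size, so the caller's resize path in the `@@ -626,8 +626,19 @@` hunk would act on a length that was never computed and may end up copying buffer bytes the conversion never wrote. Test `if (pReturnBuf == NULL)` first and raise an error there instead of returning a length. In the caller, `pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 ) );` also drops the original allocation on failure, assuming podofo_realloc follows realloc semantics; assign to a temporary and free the old pointer before raising ePdfError_OutOfMemory. Both functions start and end outside their hunks, and other callers of ConvertUTF16toUTF8 that treat the return value as bytes written are not visible here.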