[Git][security-tracker-team/security-tracker][master] triage a few libpodofo CVEs

Mattia Rizzolo mattia at debian.org
Mon Feb 11 18:02:58 GMT 2019 

Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker


Commits:
578c015d by Mattia Rizzolo at 2019-02-11T17:53:12Z
triage a few libpodofo CVEs

Signed-off-by: Mattia Rizzolo <mattia at debian.org>

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1084,8 +1084,9 @@ CVE-2019-7321
 CVE-2019-7320
 	RESERVED
 CVE-2018-20751 (An issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PDF ...)
-	- libpodofo <unfixed>
-	[jessie] - libpodofo <ignored> (Minor issue)
+	- libpodofo 0.9.6+dfsg-4
+	[stretch] - libpodofo <no-dsa> (Minor issue)
+	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/podofo/tickets/33/
 	NOTE: https://sourceforge.net/p/podofo/code/1954
 CVE-2019-7319
@@ -19503,10 +19504,11 @@ CVE-2018-19534
 CVE-2018-19533
 	RESERVED
 CVE-2018-19532 (A NULL pointer dereference vulnerability exists in the function ...)
-	- libpodofo <unfixed> (low; bug #916085)
+	- libpodofo 0.9.6+dfsg-4 (low; bug #916085)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/podofo/tickets/32/
+	NOTE: https://sourceforge.net/p/podofo/code/1950/
 CVE-2018-19531 (HTTL (aka Hyper-Text Template Language) through 1.0.11 allows remote ...)
 	NOT-FOR-US: HTTL
 CVE-2018-19530 (HTTL (aka Hyper-Text Template Language) through 1.0.11 allows remote ...)
@@ -29203,6 +29205,7 @@ CVE-2018-15889 (In podofo 0.9.6, the function PoDoFo::PdfParser::ReadObjects() i
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1620065
 	NOTE: https://sourceforge.net/p/podofo/tickets/27/
+	NOTE: upstream thinks this could be a duplicate of CVE-2018-5783
 CVE-2018-15888 (An issue was discovered in ASPCMS 2.5.6. When registering ordinary ...)
 	NOT-FOR-US: ASPCMS
 CVE-2017-18346
@@ -33451,9 +33454,9 @@ CVE-2018-14322
 CVE-2018-14321
 	RESERVED
 CVE-2018-14320 (This vulnerability allows remote attackers to disclose sensitive ...)
-	- libpodofo <unfixed> (bug #916240)
+	- libpodofo 0.9.6+dfsg-4 (bug #916240)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
-	[jessie] - libpodofo <ignored> (Minor issue)
+	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
 	NOTE: https://sourceforge.net/p/podofo/code/1953
 CVE-2018-14319
@@ -36473,7 +36476,7 @@ CVE-2018-12983 (A stack-based buffer over-read in the ...)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1595693
 	NOTE: https://sourceforge.net/p/podofo/tickets/23
 CVE-2018-12982 (Invalid memory read in the PoDoFo::PdfVariant::DelayedLoad() function ...)
-	- libpodofo <unfixed> (low; bug #916581)
+	- libpodofo 0.9.6+dfsg-4 (low; bug #916581)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1595689
@@ -41446,7 +41449,7 @@ CVE-2017-18274
 	RESERVED
 	NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11256 (An issue was discovered in PoDoFo 0.9.5. The function ...)
-	- libpodofo <unfixed> (low; bug #916583)
+	- libpodofo 0.9.6+dfsg-4 (low; bug #916583)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	[wheezy] - libpodofo <no-dsa> (Minor issue)
@@ -41460,9 +41463,9 @@ CVE-2018-11255 (An issue was discovered in PoDoFo 0.9.5. The function ...)
 	[wheezy] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1575502
 	NOTE: https://sourceforge.net/p/podofo/tickets/20
-	NOTE: https://sourceforge.net/p/podofo/code/1952
+	NOTE: https://sourceforge.net/p/podofo/code/1952 (this commit doesn't fix the crash)
 CVE-2018-11254 (An issue was discovered in PoDoFo 0.9.5. There is an Excessive ...)
-	- libpodofo <unfixed> (low; bug #916585)
+	- libpodofo 0.9.6+dfsg-4 (low; bug #916585)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	[wheezy] - libpodofo <no-dsa> (Minor issue)
@@ -57130,7 +57133,7 @@ CVE-2018-5784 (In LibTIFF 4.0.9, there is an uncontrolled resource consumption i
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2772
 	NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef
 CVE-2018-5783 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in the ...)
-	- libpodofo <unfixed> (bug #916142)
+	- libpodofo 0.9.6+dfsg-4 (bug #916142)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	[wheezy] - libpodofo <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/578c015de783e925e820dc5a23661d3e0f6ab2ba

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/578c015de783e925e820dc5a23661d3e0f6ab2ba
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190211/179ae0ae/attachment.html>

More information about the debian-security-tracker-commits mailing list