Arch Linux Security Advisory ASA-202101-36
=========================================
Severity: Medium
Date    : 2021-01-20
CVE-ID  : CVE-2017-8054  CVE-2018-5783  CVE-2018-11254 CVE-2018-11255
          CVE-2018-11256 CVE-2018-12982 CVE-2018-14320 CVE-2018-19532
          CVE-2018-20751 CVE-2019-9199  CVE-2019-9687 
Package : podofo
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-867

Summary
======
The package podofo before version 0.9.7-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
=========
Upgrade to 0.9.7-1.

# pacman -Syu "podofo>=0.9.7-1"

The problems have been fixed upstream in version 0.9.7.

Workaround
=========
None.

Description
==========
- CVE-2017-8054 (denial of service)

The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464
in PoDoFo 0.9.6 allows remote attackers to cause a denial of service
(infinite recursion and application crash) via a crafted PDF document.
The issue is fixed in PoDoFo version 0.9.7.

- CVE-2018-5783 (denial of service)

In PoDoFo 0.9.6, there is an uncontrolled memory allocation in the
PoDoFo::PdfVecObjects::Reserve function (base/PdfVecObjects.h). Remote
attackers could leverage this vulnerability to cause a denial of
service via a crafted pdf file. The issue is fixed in PoDoFo version
0.9.7.

- CVE-2018-11254 (denial of service)

An issue was discovered in PoDoFo 0.9.6. There is an Excessive
Recursion in the PdfPagesTree::GetPageNode() function of
PdfPagesTree.cpp. Remote attackers could leverage this vulnerability to
cause a denial of service through a crafted pdf file, a related issue
to CVE-2017-8054. The issue is fixed in PoDoFo version 0.9.7.

- CVE-2018-11255 (denial of service)

An issue was discovered in PoDoFo 0.9.6. The function
PdfPage::GetPageNumber() in PdfPage.cpp in PoDoFo 0.9.5 allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via a crafted PDF document.  The issue is fixed in
PoDoFo version 0.9.7.

- CVE-2018-11256 (denial of service)

An issue was discovered in PoDoFo 0.9.6. The function
PdfDocument::Append() in PdfDocument.cpp in PoDoFo 0.9.5 allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via a crafted PDF document.  The issue is fixed in
PoDoFo version 0.9.7.

- CVE-2018-12982 (denial of service)

An invalid memory read in the PoDoFo::PdfVariant::DelayedLoad()
function in PdfVariant.h in PoDoFo 0.9.6-rc1 allows remote attackers to
have denial-of-service impact via a crafted file. The issue is fixed in
PoDoFo version 0.9.7.

- CVE-2018-14320 (arbitrary code execution)

This vulnerability in PoDoFo 0.9.6 allows remote attackers to disclose
sensitive information on vulnerable installations of PoDoFo. User
interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file. The
specific flaw exists within PdfEncoding::ParseToUnicode. The issue
results from the lack of proper validation of user-supplied data, which
can result in a memory corruption condition. An attacker can leverage
this in conjunction with other vulnerabilities to execute arbitrary
code in the context of the current process. The issue is fixed in
PoDoFo version 0.9.7.

- CVE-2018-19532 (denial of service)

A NULL pointer dereference vulnerability exists in the function
PdfTranslator::setTarget() in pdftranslator.cpp of PoDoFo 0.9.6, while
creating the PdfXObject, as demonstrated by podofoimpose. It allows an
attacker to cause Denial of Service. The issue is fixed in PoDoFo
version 0.9.7.

- CVE-2018-20751 (denial of service)

An issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PDF
document,
pPage->GetObject()->GetDictionary().AddKey(PdfName("MediaBox"),var) can
be problematic due to the function GetObject() being called for the
pPage NULL pointer object. The value of pPage at this point is 0x0,
which causes a NULL pointer dereference. The issue is fixed in PoDoFo
version 0.9.7.

- CVE-2019-9199 (denial of service)

PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in
PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be
triggered by sending a crafted PDF file to the podofoimpose binary. It
allows an attacker to cause Denial of Service (Segmentation fault) or
possibly have unspecified other impact. The issue is fixed in PoDoFo
version 0.9.7.

- CVE-2019-9687 (arbitrary code execution)

PoDoFo 0.9.6 has a heap-based buffer overflow in
PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp. The issue is fixed
in PoDoFo version 0.9.7.

Impact
=====
A maliciously crafted PDF file can crash the application or execute
arbitrary code.

References
=========
https://bugs.archlinux.org/task/61651
https://qwertwwwe.github.io/2017/04/22/PoDoFo-0-9-5-allows-remote-attackers-to-cause-a-denial-of-service-infinit-loop/
https://sourceforge.net/p/podofo/code/1941/
https://sourceforge.net/p/podofo/tickets/4/
https://sourceforge.net/p/podofo/code/1949/
https://bugzilla.redhat.com/show_bug.cgi?id=1576174
https://sourceforge.net/p/podofo/tickets/20/
https://bugzilla.redhat.com/show_bug.cgi?id=1575502
https://bugzilla.redhat.com/attachment.cgi?id=1432515
https://sourceforge.net/p/podofo/code/1952/
https://bugzilla.redhat.com/show_bug.cgi?id=1575851
https://sourceforge.net/p/podofo/code/1938/
https://sourceforge.net/p/podofo/tickets/22/
https://bugzilla.redhat.com/show_bug.cgi?id=1595689
https://bugzilla.redhat.com/attachment.cgi?id=1455023
https://sourceforge.net/p/podofo/code/1948/
https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
https://sourceforge.net/p/podofo/code/1953/
https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-pdftranslatorsettarget-podofo-0-9-6/
https://sourceforge.net/p/podofo/tickets/32/
https://sourceforge.net/p/podofo/code/1950/
https://research.loginsoft.com/bugs/null-pointer-dereference-vulnerability-in-crop_page-podofo-0-9-6/
https://sourceforge.net/p/podofo/tickets/33/
https://sourceforge.net/p/podofo/code/1954/
https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-setsource-podofo-0-9-6-trunk-r1967/
https://sourceforge.net/p/podofo/tickets/40/
https://sourceforge.net/p/podofo/code/1971/
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/CAD3bFv0VMb1DHK0wta0t%3DXg45Oc0gW%2BiS1dYV-Cxpk7hKBoeZQ%40mail.gmail.com/
https://sourceforge.net/p/podofo/code/1969/
https://security.archlinux.org/CVE-2017-8054
https://security.archlinux.org/CVE-2018-5783
https://security.archlinux.org/CVE-2018-11254
https://security.archlinux.org/CVE-2018-11255
https://security.archlinux.org/CVE-2018-11256
https://security.archlinux.org/CVE-2018-12982
https://security.archlinux.org/CVE-2018-14320
https://security.archlinux.org/CVE-2018-19532
https://security.archlinux.org/CVE-2018-20751
https://security.archlinux.org/CVE-2019-9199
https://security.archlinux.org/CVE-2019-9687

ArchLinux: 202101-36: podofo: multiple issues

January 28, 2021

Summary

- CVE-2017-8054 (denial of service) The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 in PoDoFo 0.9.6 allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted PDF document. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2018-5783 (denial of service)
In PoDoFo 0.9.6, there is an uncontrolled memory allocation in the PoDoFo::PdfVecObjects::Reserve function (base/PdfVecObjects.h). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted pdf file. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2018-11254 (denial of service)
An issue was discovered in PoDoFo 0.9.6. There is an Excessive Recursion in the PdfPagesTree::GetPageNode() function of PdfPagesTree.cpp. Remote attackers could leverage this vulnerability to cause a denial of service through a crafted pdf file, a related issue to CVE-2017-8054. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2018-11255 (denial of service)
An issue was discovered in PoDoFo 0.9.6. The function PdfPage::GetPageNumber() in PdfPage.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2018-11256 (denial of service)
An issue was discovered in PoDoFo 0.9.6. The function PdfDocument::Append() in PdfDocument.cpp in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted PDF document. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2018-12982 (denial of service)
An invalid memory read in the PoDoFo::PdfVariant::DelayedLoad() function in PdfVariant.h in PoDoFo 0.9.6-rc1 allows remote attackers to have denial-of-service impact via a crafted file. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2018-14320 (arbitrary code execution)
This vulnerability in PoDoFo 0.9.6 allows remote attackers to disclose sensitive information on vulnerable installations of PoDoFo. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within PdfEncoding::ParseToUnicode. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2018-19532 (denial of service)
A NULL pointer dereference vulnerability exists in the function PdfTranslator::setTarget() in pdftranslator.cpp of PoDoFo 0.9.6, while creating the PdfXObject, as demonstrated by podofoimpose. It allows an attacker to cause Denial of Service. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2018-20751 (denial of service)
An issue was discovered in crop_page in PoDoFo 0.9.6. For a crafted PDF document, pPage->GetObject()->GetDictionary().AddKey(PdfName("MediaBox"),var) can be problematic due to the function GetObject() being called for the pPage NULL pointer object. The value of pPage at this point is 0x0, which causes a NULL pointer dereference. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2019-9199 (denial of service)
PoDoFo::Impose::PdfTranslator::setSource() in pdftranslator.cpp in PoDoFo 0.9.6 has a NULL pointer dereference that can (for example) be triggered by sending a crafted PDF file to the podofoimpose binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. The issue is fixed in PoDoFo version 0.9.7.
- CVE-2019-9687 (arbitrary code execution)
PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF16toUTF8 in base/PdfString.cpp. The issue is fixed in PoDoFo version 0.9.7.

Resolution

Upgrade to 0.9.7-1. # pacman -Syu "podofo>=0.9.7-1"
The problems have been fixed upstream in version 0.9.7.

References

https://bugs.archlinux.org/task/61651 https://qwertwwwe.github.io/2017/04/22/PoDoFo-0-9-5-allows-remote-attackers-to-cause-a-denial-of-service-infinit-loop/ https://sourceforge.net/p/podofo/code/1941/ https://sourceforge.net/p/podofo/tickets/4/ https://sourceforge.net/p/podofo/code/1949/ https://bugzilla.redhat.com/show_bug.cgi?id=1576174 https://sourceforge.net/p/podofo/tickets/20/ https://bugzilla.redhat.com/show_bug.cgi?id=1575502 https://bugzilla.redhat.com/attachment.cgi?id=1432515 https://sourceforge.net/p/podofo/code/1952/ https://bugzilla.redhat.com/show_bug.cgi?id=1575851 https://sourceforge.net/p/podofo/code/1938/ https://sourceforge.net/p/podofo/tickets/22/ https://bugzilla.redhat.com/show_bug.cgi?id=1595689 https://bugzilla.redhat.com/attachment.cgi?id=1455023 https://sourceforge.net/p/podofo/code/1948/ https://www.zerodayinitiative.com/advisories/ZDI-18-1046/ https://sourceforge.net/p/podofo/code/1953/ https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-pdftranslatorsettarget-podofo-0-9-6/ https://sourceforge.net/p/podofo/tickets/32/ https://sourceforge.net/p/podofo/code/1950/ https://research.loginsoft.com/bugs/null-pointer-dereference-vulnerability-in-crop_page-podofo-0-9-6/ https://sourceforge.net/p/podofo/tickets/33/ https://sourceforge.net/p/podofo/code/1954/ https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-setsource-podofo-0-9-6-trunk-r1967/ https://sourceforge.net/p/podofo/tickets/40/ https://sourceforge.net/p/podofo/code/1971/ https://sourceforge.net/p/podofo/mailman/podofo-users/thread/CAD3bFv0VMb1DHK0wta0t%3DXg45Oc0gW%2BiS1dYV-Cxpk7hKBoeZQ%40mail.gmail.com/ https://sourceforge.net/p/podofo/code/1969/ https://security.archlinux.org/CVE-2017-8054 https://security.archlinux.org/CVE-2018-5783 https://security.archlinux.org/CVE-2018-11254 https://security.archlinux.org/CVE-2018-11255 https://security.archlinux.org/CVE-2018-11256 https://security.archlinux.org/CVE-2018-12982 https://security.archlinux.org/CVE-2018-14320 https://security.archlinux.org/CVE-2018-19532 https://security.archlinux.org/CVE-2018-20751 https://security.archlinux.org/CVE-2019-9199 https://security.archlinux.org/CVE-2019-9687

Severity
CVE-2018-11256 CVE-2018-12982 CVE-2018-14320 CVE-2018-19532
CVE-2018-20751 CVE-2019-9199 CVE-2019-9687
Package : podofo
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-867

Workaround

None.

Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved