Bugzilla – Bug 1035596
VUL-1: CVE-2017-8054: podofo: denial of service via a crafted PDF document (PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464)
Last modified: 2019-10-31 08:17:40 UTC
Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-8054
============================================
Description
The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 in PoDoFo 0.9.5 allows remote attackers to cause a denial of service (infinite recursion and application crash) via a crafted PDF document.
Source: MITRE
Last Modified: 04/22/2017
============================================
Hyperlink
[1] http://qwertwwwe.github.io/2017/04/22/PoDoFo-0-9-5-allows-remote-attackers-to-cause-a-denial-of-service-infinit-loop/

(open-)SUSE: https://software.opensuse.org/package/podofo
0.9.4 (TW, official repo)
0.9.3 (42.{1,2}, official repo)
I plan to send podofo 0.9.5 to Factory soon. 0.9.6 is in the works upstream and has fixes for many of these CVEs.
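The description only says the page-tree lookup recurses without end on a crafted file. The added example below (my own code, not PoDoFo's, using a constructed stand-in for its page-tree objects) assumes the trigger is a /Kids entry that refers back to an ancestor node, and shows the guard a recursive page-tree walk needs: a node already on the current path is reported as a malformed tree instead of being descended into again.

```cpp
#include <cstddef>
#include <set>
#include <vector>
// Constructed stand-in for a page-tree node (/Type /Pages or /Page); this is
// not PoDoFo's PdfObject or its API.
struct Node {
    bool isPage = false;        // leaf (/Page) or intermediate (/Pages)
    std::vector<Node*> kids;    // the node's /Kids array
};
// Depth-first walk for the 0-based page `target`, counting leaves in `seen`.
// A node already on the current path means /Kids refers back to an ancestor:
// flag the tree as malformed instead of recursing forever.
static Node* findPage(Node* node, std::size_t target, std::size_t& seen,
                      std::set<const Node*>& onPath, bool& malformed) {
    if (node == nullptr || malformed) return nullptr;
    if (node->isPage) return (seen++ == target) ? node : nullptr;
    if (!onPath.insert(node).second) { malformed = true; return nullptr; }
    Node* found = nullptr;
    for (Node* kid : node->kids) {
        found = findPage(kid, target, seen, onPath, malformed);
        if (found != nullptr || malformed) break;
    }
    onPath.erase(node);
    return found;
}
// Entry point: the page node, or nullptr (with `malformed` set for a cycle).
Node* getPage(Node* root, std::size_t pageIndex, bool& malformed) {
    std::size_t seen = 0;
    std::set<const Node*> onPath;
    malformed = false;
    return findPage(root, pageIndex, seen, onPath, malformed);
}
// Constructed sample tree root -> [inner -> [p0, p1], p2]; with `loop`, inner's
// /Kids also points back at root. Returns the page's index (0..2), -1 if out of
// range, -2 if a cycle was hit (where an unguarded walk could recurse forever).
int lookup(bool loop, std::size_t pageIndex) {
    Node root, inner, p0, p1, p2;
    p0.isPage = p1.isPage = p2.isPage = true;
    inner.kids = {&p0, &p1};
    if (loop) inner.kids.push_back(&root);
    root.kids = {&inner, &p2};
    bool malformed = false;
    Node* page = getPage(&root, pageIndex, malformed);
    if (malformed) return -2;
    if (page == &p0) return 0;
    if (page == &p1) return 1;
    if (page == &p2) return 2;
    return -1;
}
```

A parser that also bounds recursion depth catches the same class of input when the cycle is built from distinct objects that merely chain very deep.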
Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536
SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): podofo-0.9.2-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): podofo-0.9.2-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src): podofo-0.9.2-3.3.1
openSUSE Leap 42.3 and 15.0 not fixed.
This is an autogenerated message for OBS integration:
This bug (1035596) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src): podofo-0.9.6-10.3.1
Hi, I am testing podofo on sle12sp3 and sle12sp4, but I cannot install libpodofo0_9_2 on the s390x platform. Is this expected?

s390vsw067:~ # zypper in libpodofo0_9_2
Loading repository data...
Reading installed packages...
'libpodofo0_9_2' not found in package names. Trying capabilities.
No provider of 'libpodofo0_9_2' found.
Resolving package dependencies...
Nothing to do.

BTW: I found libpodofo0_9_2 in the SLE-WE repo, but there is no such repo for s390x.
Hi Liu, Since podofo is only used by scribus, maybe the reason podofo is not available is that scribus is not released for s390x? Can you check if scribus is available?
(In reply to Antonio Larrosa from comment #11) > Hi Liu, > > Since podofo is only used by scribus, maybe the reason podofo is not > available is that scribus is not released for s390x? Can you check if > scribus is available? no, scribus is not available on s390x. it's in the sle-we repo on other platform, but there is no sle-we repo on s390x. So, my questions are: 1, there is libpodofo-devel on s390x's repo, it cannot be installed because of the dependency problem, should we remove it from the repo? 2, my podofo test report template contains the s390x platform, should I remove these sections from my report? s390vsw067:~ # zypper se scribus Retrieving repository 'sle-ha:12-SP4::update' metadata ................................................................[done] Building repository 'sle-ha:12-SP4::update' cache .....................................................................[done] Loading repository data... Reading installed packages... No matching items found.
(In reply to Liu Shukui from comment #12) > (In reply to Antonio Larrosa from comment #11) > > Hi Liu, > > > > Since podofo is only used by scribus, maybe the reason podofo is not > > available is that scribus is not released for s390x? Can you check if > > scribus is available? > > no, scribus is not available on s390x. it's in the sle-we repo on other > platform, but there is no sle-we repo on s390x. > > So, my questions are: > > 1, there is libpodofo-devel on s390x's repo, it cannot be installed because > of the dependency problem, should we remove it from the repo? > > 2, my podofo test report template contains the s390x platform, should I > remove these sections from my report? > > s390vsw067:~ # zypper se scribus > Retrieving repository 'sle-ha:12-SP4::update' metadata > ................................................................[done] > Building repository 'sle-ha:12-SP4::update' cache > .....................................................................[done] > Loading repository data... > Reading installed packages... > No matching items found. I filed a new bug #1130791: the testcase from the source code always crashes.
SUSE-SU-2019:1849-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1035596,1076962,1096890,1099720,1124357 CVE References: CVE-2017-8054,CVE-2018-11255,CVE-2018-12982,CVE-2018-20751,CVE-2018-5783 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP4 (src): podofo-0.9.2-3.9.2 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): podofo-0.9.2-3.9.2 SUSE Linux Enterprise Desktop 12-SP4 (src): podofo-0.9.2-3.9.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released