Hi Moritz,

On Thu, May 11, 2023 at 02:10:44PM +0200, Moritz Mühlenhoff wrote:
> Source: libpodofo
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for libpodofo.
>
> CVE-2023-31555[0]:
> | podofoinfo 0.10.0 was discovered to contain a segmentation violation
> | via the function PoDoFo::PdfObject::DelayedLoad.
>
> https://github.com/podofo/podofo/issues/67
> https://github.com/podofo/podofo/commit/3759eb6aae7c01f2d8670f16ac46f5e116c7f468
>
> CVE-2023-31556[1]:
> | podofoinfo 0.10.0 was discovered to contain a segmentation violation
> | via the function PoDoFo::PdfDictionary::findKeyParent.
>
> https://github.com/podofo/podofo/issues/66
> https://github.com/podofo/podofo/commit/8d3e9104ea10f8b53a0b5a2a806e6388acd41a40
>
> CVE-2023-31568[2]:
> | Podofo v0.10.0 was discovered to contain a heap buffer overflow via
> | the component PoDoFo::PdfEncryptRC4::PdfEncryptRC4.
>
> https://github.com/podofo/podofo/issues/72
> Fixed by:
> https://github.com/podofo/podofo/commit/29d59f604b37159e938a2f46acd4856cfd1e7bac
I would appreciate it if you could double check my triage on those issues as well:

I looked at all three and further recent libpodofo issues, and the upstream "refactoring" in
https://github.com/podofo/podofo/commit/a2eca000e5a4337fb79ee8215d06413785653184
seems to be the cause. I then verified these three above with an ASAN build of podofo.

If you think this is wrong, then let's revert
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35925ae1ecb64f1cae0d3f456f0453532cfc6eaa

Regards,
Salvatore