File _patchinfo of Package patchinfo.7908

<patchinfo incident="7908">
  <issue id="1023067" tracker="bnc">VUL-1: CVE-2017-5852: podofo: infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject (PdfPage.cpp)</issue>
  <issue id="1023069" tracker="bnc">VUL-1: CVE-2017-5853: podofo: signed integer overflow in PdfParser.cpp</issue>
  <issue id="1023070" tracker="bnc">VUL-1: CVE-2017-5854: podofo: NULL pointer dereference in PdfOutputStream.cpp</issue>
  <issue id="1023071" tracker="bnc">VUL-1: CVE-2017-5855: podofo: NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection (PdfParser.cpp)</issue>
  <issue id="1023380" tracker="bnc">VUL-1: CVE-2017-5886: podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)</issue>
  <issue id="1027778" tracker="bnc">VUL-1: CVE-2017-6847: podofo: NULL pointer dereference in PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h)</issue>
  <issue id="1027782" tracker="bnc">VUL-1: CVE-2017-6844: podofo: global buffer overflow in PoDoFo::PdfParser::ReadXRefSubsection (PdfParser.cpp)</issue>
  <issue id="1027787" tracker="bnc">VUL-1: CVE-2017-6840: podofo: invalid memory read in ColorChanger::GetColorFromStack (colorchanger.cpp)</issue>
  <issue id="1032017" tracker="bnc">VUL-1: CVE-2017-7378: podofo: heap-based buffer overflow in PoDoFo::PdfPainter::ExpandTabs (PdfPainter.cpp)</issue>
  <issue id="1032018" tracker="bnc">VUL-1: CVE-2017-7379: podofo: heap-based buffer overflow in PoDoFo::PdfSimpleEncoding::ConvertToEncoding (PdfEncoding.cpp)</issue>
  <issue id="1032019" tracker="bnc">VUL-1: CVE-2017-7380: podofo: four NULL pointer dereferences</issue>
  <issue id="1035534" tracker="bnc">VUL-1: CVE-2017-7994: podofo: denial of service (NULL pointer dereference and application crash) via a crafted PDF document (TextExtractor::ExtractText in TextExtractor.cpp:77)</issue>
  <issue id="1035596" tracker="bnc">VUL-1: CVE-2017-8054: podofo: denial of service via a crafted PDF document (PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464)</issue>
  <issue id="1037739" tracker="bnc">VUL-1: CVE-2017-8787: podofo: The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in base/PdfXRefStreamParserObjec...</issue>
  <issue id="1075772" tracker="bnc">VUL-1: CVE-2018-5308: podofo: Undefined behavior (memcpy with NULL pointer) in PdfMemoryOutputStream::Write (src/base/PdfOutputStream.cpp)</issue>
  <issue id="1084894" tracker="bnc">VUL-0: CVE-2018-8001: podofo: Heap overflow read vulnerability in function UnescapeName() in PdfName.cpp</issue>
  <issue id="2017-5852" tracker="cve" />
  <issue id="2017-5853" tracker="cve" />
  <issue id="2017-5854" tracker="cve" />
  <issue id="2017-5855" tracker="cve" />
  <issue id="2017-5886" tracker="cve" />
  <issue id="2017-6840" tracker="cve" />
  <issue id="2017-6844" tracker="cve" />
  <issue id="2017-6847" tracker="cve" />
  <issue id="2017-7378" tracker="cve" />
  <issue id="2017-7379" tracker="cve" />
  <issue id="2017-7380" tracker="cve" />
  <issue id="2017-7994" tracker="cve" />
  <issue id="2017-8054" tracker="cve" />
  <issue id="2017-8787" tracker="cve" />
  <issue id="2018-5308" tracker="cve" />
  <issue id="2018-8001" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>alarrosa</packager>
  <description>This update for podofo fixes the following issues:

- CVE-2017-5852: The PoDoFo::PdfPage::GetInheritedKeyFromObject function
  allowed remote attackers to cause a denial of service (infinite loop) via a
  crafted file (bsc#1023067).
- CVE-2017-5853: Integer overflow allowed remote attackers to have unspecified
  impact via a crafted file (bsc#1023069).
- CVE-2017-5854: Prevent NULL pointer dereference that allowed remote attackers
  to cause a denial of service via a crafted file (bsc#1023070).
- CVE-2017-5855: The PoDoFo::PdfParser::ReadXRefSubsection function allowed
  remote attackers to cause a denial of service (NULL pointer dereference) via a
  crafted file (bsc#1023071).
- CVE-2017-5886: Prevent heap-based buffer overflow in the
  PoDoFo::PdfTokenizer::GetNextToken function that allowed remote attackers to
  have unspecified impact via a crafted file (bsc#1023380).
- CVE-2017-6847: The PoDoFo::PdfVariant::DelayedLoad function allowed remote
  attackers to cause a denial of service (NULL pointer dereference) via a crafted
  file (bsc#1027778).
- CVE-2017-6844: Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection
  function allowed remote attackers to have unspecified impact via a crafted file
  (bsc#1027782).
- CVE-2017-6840: The ColorChanger::GetColorFromStack function allowed remote
  attackers to cause a denial of service (invalid read) via a crafted file
  (bsc#1027787).
- CVE-2017-7378: The PoDoFo::PdfPainter::ExpandTabs function allowed remote
  attackers to cause a denial of service (heap-based buffer over-read and
  application crash) via a crafted PDF document (bsc#1032017).
- CVE-2017-7379: The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function
  allowed remote attackers to cause a denial of service (heap-based buffer
  over-read and application crash) via a crafted PDF document (bsc#1032018).
- CVE-2017-7380: Prevent NULL pointer dereference that allowed remote attackers
  to cause a denial of service via a crafted PDF document (bsc#1032019).
- CVE-2017-7994: The function TextExtractor::ExtractText allowed remote
  attackers to cause a denial of service (NULL pointer dereference and
  application crash) via a crafted PDF document (bsc#1035534).
- CVE-2017-8054: The function PdfPagesTree::GetPageNodeFromArray allowed remote
  attackers to cause a denial of service (infinite recursion and application
  crash) via a crafted PDF document (bsc#1035596).
- CVE-2017-8787: The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry
  function allowed remote attackers to cause a denial of service (heap-based
  buffer over-read) or possibly have unspecified other impact via a crafted PDF
  file (bsc#1037739).
- CVE-2018-5308: Properly validate memcpy arguments in the
  PdfMemoryOutputStream::Write function to prevent remote attackers from causing
  a denial of service or possibly having unspecified other impact via a crafted
  PDF file (bsc#1075772).
- CVE-2018-8001: Prevent heap-based buffer over-read vulnerability in
  UnescapeName() that allowed remote attackers to cause a denial of service or
  possibly have unspecified other impact via a crafted PDF file (bsc#1084894).
</description>
  <summary>Security update for podofo</summary>
</patchinfo>