Canonical has released Ubuntu Security Notice USN-7217-1, addressing multiple vulnerabilities found in the PoDoFo library, a popular PDF manipulation tool.
This update affects various long-term support (LTS) releases of Ubuntu, highlighting critical security flaws that could allow attackers to exploit crafted PDF files.
Vulnerabilities Overview
The PoDoFo library is afflicted by several security issues that could lead to denial of service (DoS) conditions and, in certain cases, arbitrary code execution:
Several CVEs (Common Vulnerabilities and Exposures) disclose that the library improperly handled memory allocation and pointers, enabling conditions for buffer overflows and infinite loops.
- CVE-2018-11255: NULL pointer dereference causing potential DoS (Affects Ubuntu 14.04, 16.04, 18.04, and 20.04).
- CVE-2018-12983: Buffer overflow during encryption key computation (Affects Ubuntu 14.04, 16.04, 18.04, and 20.04).
- CVE-2018-20797: Memory allocation oversight leading to potential DoS (Affects Ubuntu 18.04, 20.04, 22.04).
The library’s failure to validate memcpy arguments and other parameters opens further avenues for attacks.
- CVE-2018-5308: Improper validation leading to DoS or arbitrary code execution (Affects Ubuntu 14.04 and 16.04).
- CVE-2017-5886: Inadequate memory handling in token processing, risking buffer overflow (Affects Ubuntu 16.04).
Mitigation Steps
According to the Lwn.net report, users of affected Ubuntu LTS releases are urged to perform a system update to patch these vulnerabilities.
The recommended package versions are available through Ubuntu Pro.
- For Ubuntu 22.04 LTS: Update to
libpodofo0.9.7 0.9.7+dfsg-3ubuntu0.1~esm1 - For Ubuntu 20.04 LTS: Update to
libpodofo0.9.6 0.9.6+dfsg-5ubuntu0.1~esm1 - For Ubuntu 18.04 LTS: Update to
libpodofo0.9.5 0.9.5-9ubuntu0.1~esm1 - For Ubuntu 16.04 LTS: Update to
libpodofo0.9.3 0.9.3-4ubuntu0.1~esm1 - For Ubuntu 14.04 LTS: Update to
libpodofo0.9.0 0.9.0-1.2ubuntu0.1~esm3
Regular system updates are recommended to ensure all vulnerabilities are patched.
