Hi Mattia,

Thanks for the good summary! Let me comment on the open issues.

Unfixed security issues:
https://security-tracker.debian.org/tracker/CVE-2017-6845
-> I have committed a fix that should address this issue. Maybe someone on
the list can review my fix.

https://security-tracker.debian.org/tracker/CVE-2017-6846
https://security-tracker.debian.org/tracker/CVE-2017-6849
-> I am not sure about this, but this might be fixed with my commit to fix
CVE-2017-6845 above. Any other ideas to address this?

https://security-tracker.debian.org/tracker/CVE-2017-8053
-> Please see proposed patch in attachment. Can somebody test/review?

https://security-tracker.debian.org/tracker/CVE-2017-8054
-> This was fixed by zyx in revision 1872. I have a test PDF for this and
cannot reproduce this issue anymore.

Plus this one without CVE that was reported in this ML:
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
(CVE-2017-8054 had a tentative patch)
-> Seems the same as above and seems fixed.

A threading problem:
https://sourceforge.net/p/podofo/mailman/message/35915862/
-> There is no need to make the matrix for XObjects static, so I made it
a normal member. Same for s_procset in PdfCanvas. So should be fixed with my
last commit.

A copyright issue:
https://sourceforge.net/p/podofo/mailman/message/35633858/
-> We still do not have a fix for this.

Regarding bug tracker: Yes, a bug tracker would be nice. But I can barely
follow the mailing list, so I do not feel able to set up and maintain a
bug tracker. If somebody volunteers, I would not object.
BTW: Just found this on Sourceforge:
https://sourceforge.net/p/podofo/bugs/?source=navbar
Does anybody have experience with this? Shall we just use this feature?


Best regards,
 Dominik


On Mon, Jan 22, 2018 at 7:25 PM, Mattia Rizzolo <mat...@mapreri.org> wrote:

> [ explicitly put Dominik in To, as I'm unsure how much he follows the
> ML himself… ]
>
> On Sun, Jan 14, 2018 at 08:48:05PM +0100, Dominik Seichter via
> Podofo-users wrote:
> > The last version of PoDoFo was released almost a year ago on February 2nd
> > 2017. I have seen many patches on the mailing list and also many commits to
> > SVN over the last year. So, I think it is time for a new PoDoFo release
> > 0.9.6.
> >
> > As there might have been patches, which either Zyx or I have missing, I
> > would suggest the following release time line.
>
> In December there was a similar email to this going on, asking about a
> new release.  It was pointed out that there are still known unfixed CVEs
> and other important issues.
> See https://sourceforge.net/p/podofo/mailman/message/36151169/
>
> To recap from that thread:
>
> Unfixed security issues:
> https://security-tracker.debian.org/tracker/CVE-2017-6845
> https://security-tracker.debian.org/tracker/CVE-2017-6846
> https://security-tracker.debian.org/tracker/CVE-2017-6849
> https://security-tracker.debian.org/tracker/CVE-2017-8053
> https://security-tracker.debian.org/tracker/CVE-2017-8054
> Plus this one without CVE that was reported in this ML:
> https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
> (CVE-2017-8054 had a tentative patch)
>
> A copyright issue:
> https://sourceforge.net/p/podofo/mailman/message/35633858/
>
> A threading problem:
> https://sourceforge.net/p/podofo/mailman/message/35915862/
>
>
> Who knows what more…
> While you are here, would you reconsider opening a bug tracker
> somewhere?  When it was proposed in the past in this ML, nobody was
> against it, but everybody deferred to you iirc.
>
> --
> regards,
>                         Mattia Rizzolo
>
> GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
> more about me:  https://mapreri.org                             : :'  :
> Launchpad user: https://launchpad.net/~mapreri                  `. `'`
> Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
>
Index: src/base/PdfParser.cpp
===================================================================
--- src/base/PdfParser.cpp	(Revision 1872)
+++ src/base/PdfParser.cpp	(Arbeitskopie)
@@ -645,6 +645,21 @@
     pdf_int64 nFirstObject = 0;
     pdf_int64 nNumObjects  = 0;
 
+    if( m_visitedXRefOffsets.find( lOffset ) != m_visitedXRefOffsets.end() )
+    {
+        std::ostringstream oss;
+        oss << "Cycle in xref structure. Offset  "
+            << lOffset << " allready visisted."
+            << " back-references to object ";
+        
+        PODOFO_RAISE_ERROR_INFO( ePdfError_InvalidXRef, oss.str() );
+    }
+    else
+    {
+        m_visitedXRefOffsets.insert( lOffset );
+    }
+    
+    
     size_t curPosition = m_device.Device()->Tell();
     m_device.Device()->Seek(0,std::ios_base::end);
     std::streamoff fileSize = m_device.Device()->Tell();
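
Review bot: the error text built in the new cycle check ends with " back-references to object " and nothing is streamed after it, so the message is cut off mid-sentence. Either append the value that fragment was meant to introduce or drop the fragment, and correct "allready visisted" to "already visited" in the same string, since this text is what a user sees when a malformed file is rejected. The else branch around m_visitedXRefOffsets.insert( lOffset ) can also go if PODOFO_RAISE_ERROR_INFO never returns, which would leave the insert as a plain statement after the check. A regression test with a PDF whose xref sections point back at each other would confirm that the parser now stops with ePdfError_InvalidXRef.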
Index: src/base/PdfParser.h
===================================================================
--- src/base/PdfParser.h	(Revision 1872)
+++ src/base/PdfParser.h	(Arbeitskopie)
@@ -594,6 +594,8 @@
     int           m_nReadNextTrailerLevel;
 
     static long   s_nMaxObjects;
+
+    std::set<pdf_long> m_visitedXRefOffsets;
 };
 
 // -----------------------------------------------------
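
Review bot: m_visitedXRefOffsets is declared as std::set<pdf_long>, while the neighbouring values in the PdfParser.cpp hunk are pdf_int64, so please check that lOffset has the same type as the set's element type and that large offsets are not narrowed where the two types differ in width. Nothing in the patch as shown clears the set, so if a PdfParser instance can be used for more than one parse, stale offsets from the first file would raise a false cycle error on the second; a clear() belongs wherever the other per-parse members are reset. The header also needs to include <set> if it does not already, and the new member deserves a short comment saying that it exists to detect cycles in the xref chain.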