Hello Mattia, hello all,

> Mattia Rizzolo has written on 26 January 2018 at 23:44:
>
>
> On Fri, Jan 26, 2018 at 11:35:44PM +0100, Matthew Brincke wrote:
> > > Plus this one without CVE that was reported in this ML:
> > > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
> > This is *not* fixed yet. I also don't understand why it didn't get
> > a CVE entry.
>
> I asked for one back then (it was about the time the workflow to request
> CVEs from mitre changed from "random mail on oss-security" to the more
> private web form), and after basically copy-pasting the web page into
> the form I got back this message on 2017-02-12:

... part of it snipped ...

> > > Although some parts of PoDoFo are library code that could be reached
> > > from an arbitrary application, the reported code in
> > > PdfInfo::GuessFormat appears to be reachable only from the
> > > podofopdfinfo command-line tool.
> > >
> > > Thus, we are not assigning a CVE ID unless there is additional
> > > information about a security impact.
> > >
> > > > * --
> > >
> > > CVE Assignment Team
> >
> After all I didn't redistribute the message for some reason (probably
> I was just too lazy).
> So it seems the reason the CVE was rejected is only because the crash
> doesn't happen in the library, but in the tool itself.
>
thank you very much for (finally :-) ) forwarding the message (nearly 11.5 months later) and (so) explaining why that crash didn't get a CVE.

> --
> regards,
> Mattia Rizzolo
>

Best regards, mabri

_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users