Hi Matthew et al.,


On Fri, Jan 26, 2018 at 11:35 PM, Matthew Brincke <ma...@mailbox.org> wrote:

> [ Left Dominik in To to help him follow this thread, fixed text typos ]
>
> Hello Dominik, hello all,
>
> > Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37:
> >
> >
> > Hi Mattia,
> >
> > Thanks for the good summary! Let me comment on the open issues.
> >
> > Unfixed security issues:
> ... snip ...
> >
> > https://security-tracker.debian.org/tracker/CVE-2017-8053
> > -> Please see proposed patch in attachment. Can somebody test/review?
> >
>
> In line 13 of the patch, there are typos, it should be "already visited",
> line 14 doesn't really fit (which object?), and in general, shouldn't
> there be a maximum recursion depth which is checked for, to prevent a
> stack overflow? AFAICS there is no standard function/method to check
> available stack space ;-( ...
>
>
Yes, typos fixed and line 14 removed. Also agreed that a maximum check
might be nice. Still, the patch should address the main issue of being
vulnerable to certain PDF files.



> > https://security-tracker.debian.org/tracker/CVE-2017-8054
> > -> This was fixed by zyx in revision: 1872. I have a test PDF
> >    for this and cannot reproduce this issue anymore.
>
> The fix was provided by Matthias Brinke <podofo-sec-cont...@mailbox.org>
> (stands for "PoDoFo security contributor", I'm a friend of his) on the
> Debian Bug Tracking System: https://bugs.debian.org/860995
>
>
Agreed, my statement should better have been: "zyx committed a fix for
this" :-) Thanks for the fix!



> >
> > Plus this one without CVE that was reported in this ML:
> > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
>
> This is *not* fixed yet. I also don't understand why it didn't get
> a CVE entry.
>
> > (CVE-2017-8054 had a tentative patch)
> > -> Seems same as above and seems fixed.
>
> The CVE, yes, contrary to the other one without a CVE entry.
>
> >
> > A threading problem:
> >  https://sourceforge.net/p/podofo/mailman/message/35915862/
> > -> There is no need to make the matrix for XObjects static, so I made
> >    it a normal member. Same for s_procset in PdfCanvas. So should be
> >    fixed with my last commit.
>
> As you said in your next e-mail to the ML the double-checked locking pattern
> isn't fixed yet: https://sourceforge.net/p/podofo/mailman/message/36205920/
>
> >
> > A copyright issue:
> >  https://sourceforge.net/p/podofo/mailman/message/35633858/
> > -> We still do not have a fix for this.
> >
>
> I recommend libunistring2 to fix it, but haven't used it yet.
>

I will try to have a look at libunistring2.


>
> >  [snip]


Best regards,
 Dominik
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users