Hello Dominik, hello all,

> On 26 January 2018 at 23:35 Matthew Brincke <ma...@mailbox.org> wrote:
>
>
> [ Left Dominik in To to help him follow this thread, fixed text typos ]
>
> Hello Dominik, hello all,
>
> > Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37:
> > Hi Mattia,
> >
> > Thanks for the good summary! Let me comment on the open issues.
> >
> > Unfixed security issues:
... snip ...
> >
> > Plus this one without CVE that was reported in this ML:
> > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
>
> This is *not* fixed yet. I also don't understand why it didn't get
> a CVE entry.
>

I erred here, I think: AFAICS it did get fixed in svn r1836 on 7 April 2017:
https://sourceforge.net/p/podofo/code/1836/
The problem is that the commit message of that is incorrect (doesn't have
anything to do with the change): "Fix for CVE-2017-5854", which was only
fixed (AFAICS, untested) in svn r1870 on 21 January 2018, not mentioning it:
https://sourceforge.net/p/podofo/code/1870/

Neither does it mention CVE-2018-5308, which is the same bug (AFAICS of course).
Fortunately this is fixed in Debian (I don't know about other distros, I
don't use them): https://security-tracker.debian.org/tracker/CVE-2018-5308
A related bug mentioned there was fixed in svn r1876.

@Mattia Rizzolo: Suggested action(s) to take:
Correct the Debian security tracker to say "vulnerable (no DSA)" instead of
"fixed" in Debian stretch (CVE-2017-5854).
Fix the non-CVE'd bug too (in unstable, I'd think).

> > (CVE-2017-8054 had a tentative patch)
> > -> Seems same as above and seems fixed.
>
> The CVE, yes, contrary to the other one without a CVE entry.

My error, I'm sorry (the latter is fixed upstream, just not in Debian; I
don't know about other distributions).

> >
> > Best regards,
> > Dominik
> >
>
> Best regards, mabri
>
Best regards, mabri

_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users