Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-02-22 Thread zyx
On Wed, 2018-02-21 at 22:44 +0100, Francesco Pretto wrote:
> Can I send git formatted patches to the mailing list?

Hi,
git-formatted patches are perfectly fine (they generate unified diffs,
which are also easy to read). Ideally include some description of what
you did in the patch and why.
Thanks and bye,
zyx

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users


Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-02-21 Thread Francesco Pretto
On 21 February 2018 at 21:55, Dominik Seichter via Podofo-users wrote:
> Feel free to provide and integrate more fixes, as long as the release
> candidate is not prepared yet.
>
>

Hi Dominik,

I'm a newcomer and I recently began working with PoDoFo. Since it
seems I'm using some untested code paths, I found some bugs which I
already patched myself in my private git clone of the svn repository.
Also I added some convenience accessibility methods and improvements;
most of them are one-liners, or very short anyway. How do you
recommend I send these patches? Can I send git formatted patches
to the mailing list? Will you be able to apply them? I have the
feeling "git am" is able to apply git formatted patches without a git
repository, but I have yet to try it.

Thank you,
Francesco



Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-02-21 Thread Dominik Seichter via Podofo-users
Hi everybody,

As you have seen, I was not yet able to prepare a release candidate last
week. There are still a few mails I want to go through before preparing the
RC. So, I would want to shift the above timeline by approximately one month.
Feel free to provide and integrate more fixes, as long as the release
candidate is not prepared yet.

Best regards,
 Dominik

On Sun, Jan 14, 2018 at 8:48 PM, Dominik Seichter <
domseich...@googlemail.com> wrote:

> Hello PoDoFo developers and supporters,
>
> The last version of PoDoFo was released almost a year ago on February 2nd
> 2017. I have seen many patches on the mailing list and also many commits to
> SVN over the last year. So, I think it is time for a new PoDoFo release
> 0.9.6.
>
> As there might have been patches, which either Zyx or I have missed, I
> would suggest the following release time line.
>
> - Please submit (or resubmit) all the patches which should go into the
> release until February 11th 2018.
> - I will try to integrate the patches into SVN trunk and prepare PoDoFo
> 0.9.6-rc1!
> - Let's test the release candidate for about 4 weeks and head for the
> final release around March 11th
>
> If necessary, we can delay the release for a few weeks or do a second
> release candidate.
>
> Best regards,
>  Dominik
>


Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-01-31 Thread Michal Sudolsky
Hello,

Recursion is in many places, not only in PdfParser; I have the feeling it
is everywhere there is recursion in PDF structures like trees, for example
GetPageNode in PdfPagesTree. There is no problem creating a small PDF with
too large a depth; also this can be cycled via references, and I am now not
sure whether this is treated. But what would be a safe maximum recursion
depth, maybe 10-100? Maybe it would be better to avoid it and use queues or
deques; the heap is larger than the stack, and a memory allocation fault can
be checked better than the size of the stack.


On Thu, Feb 1, 2018 at 12:46 AM, Matthew Brincke  wrote:

> [ grammar fix in quoted text ]
>
> Hello Dominik, hello all,
>
> Dominik Seichter  wrote on 27 January 2018,
> 13:23:
> >
> >
> > Hi Matthew et al.,
> >
> >
> > On Fri, Jan 26, 2018 at 11:35 PM, Matthew Brincke 
> wrote:
> >
> >> [ Left Dominik in To to help him follow this thread, fixed text typos ]
> >>
> >>  Hello Dominik, hello all,
> >>
> >>> Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37:
> >>>
> >>>
> >>> Hi Mattia,
> >>>
> >>> Thanks for the good summary! Let me comment on the open issues.
> >>>
> >>> Unfixed security issues:
> >>  ... snip ...
> >>>
> >>> https://security-tracker.debian.org/tracker/CVE-2017-8053
> >>> -> Please see proposed patch in attachment. Can somebody test/review?
> >>>
> >>
> >>  In line 13 of the patch, there are typos, it should be "already visited",
> >>  line 14 doesn't really fit (which object?), and in general, shouldn't
> >>  there be a maximum recursion depth which is checked for, to prevent a
> >>  stack overflow? AFAICS there is no standard function/method to check
> >>  available stack space ;-( ...
> >
> > Yes, typos fixed and line 14 removed. Also agreed, that a maximum check
> > might be nice. Still, the patch should address the main issue of being
> > vulnerable to certain PDF files.
>
> AIUI without a check for a maximum recursion depth files can be crafted,
> at most some MiB large, which cause such deep recursion that the (default)
> stack size is exhausted and, therefore, a stack overflow occurs. For that
> reason, Dominik, please include the check in your fix for CVE-2017-8053.
>
> >
> > Best regards,
> >  Dominik
>
> Best regards, mabri
>
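As an added example, which is not PoDoFo code and not the patch discussed in this thread, the following C++ combines the two points raised above (Michal's suggestion to walk tree structures with a heap-allocated queue or deque instead of recursion, and Matthew's request for an "already visited" check plus a maximum depth): it walks a constructed page-tree-like object graph iteratively, reports an object that is reached a second time (a reference cycle or a node shared by two parents) instead of looping, and stops once a depth cap is exceeded so a crafted file cannot drive the walk arbitrarily deep. The names walkKids, ObjectGraph, WalkOutcome and the sample graphs are assumptions made for this illustration; the object numbers are constructed.

```cpp
// Added example, not PoDoFo code: an iterative walk over a toy object graph
// with "already visited" tracking and a maximum-depth cap, the approach the
// thread discusses for recursion over PDF tree structures.
#include <algorithm>
#include <cstddef>
#include <deque>
#include <iostream>
#include <map>
#include <set>
#include <utility>
#include <vector>

// Constructed stand-in for indirect objects: each object id maps to the ids
// referenced from its /Kids array. This is not PoDoFo's PdfPagesTree.
using ObjectId = int;
using ObjectGraph = std::map<ObjectId, std::vector<ObjectId>>;

enum class WalkResult { Ok, AlreadyVisited, DepthExceeded, MissingObject };

struct WalkOutcome {
    WalkResult result;
    std::size_t visited;   // distinct objects reached before stopping
    std::size_t deepest;   // deepest level actually entered
};

// Depth-first walk using an explicit std::deque on the heap instead of the
// call stack. A second visit of the same object (a reference cycle, or a
// node shared by two parents) is reported as malformed rather than followed,
// and the depth cap bounds the walk regardless of how deeply a crafted file
// nests its tree: an entry deeper than maxDepth stops the walk before that
// object is touched.
WalkOutcome walkKids(const ObjectGraph& graph, ObjectId root, std::size_t maxDepth) {
    std::set<ObjectId> visited;
    std::deque<std::pair<ObjectId, std::size_t>> work;  // (object id, depth)
    std::size_t deepest = 0;
    work.push_back(std::make_pair(root, static_cast<std::size_t>(0)));

    while (!work.empty()) {
        std::pair<ObjectId, std::size_t> top = work.back();
        work.pop_back();
        if (top.second > maxDepth)
            return {WalkResult::DepthExceeded, visited.size(), deepest};
        if (!visited.insert(top.first).second)
            return {WalkResult::AlreadyVisited, visited.size(), deepest};
        deepest = std::max(deepest, top.second);
        ObjectGraph::const_iterator it = graph.find(top.first);
        if (it == graph.end())
            return {WalkResult::MissingObject, visited.size(), deepest};
        for (ObjectId kid : it->second)
            work.push_back(std::make_pair(kid, top.second + 1));
    }
    return {WalkResult::Ok, visited.size(), deepest};
}

// Constructed sample inputs (hypothetical object numbers).
ObjectGraph sampleTree() {           // 1 -> {2, 3}, 2 -> {4}: a well-formed tree
    return {{1, {2, 3}}, {2, {4}}, {3, {}}, {4, {}}};
}
ObjectGraph sampleCycle() {          // 1 -> 2 -> 1: a reference cycle
    return {{1, {2}}, {2, {1}}};
}
ObjectGraph sampleDangling() {       // 1 -> 2, but object 2 is never defined
    return {{1, {2}}};
}
ObjectGraph makeChain(int length) {  // 0 -> 1 -> ... -> length-1: deep nesting
    ObjectGraph g;
    for (int i = 0; i < length; ++i)
        g[i] = (i + 1 < length) ? std::vector<ObjectId>{i + 1} : std::vector<ObjectId>{};
    return g;
}

const char* describe(WalkResult r) {
    switch (r) {
        case WalkResult::Ok:             return "ok";
        case WalkResult::AlreadyVisited: return "object already visited (cycle or shared node)";
        case WalkResult::DepthExceeded:  return "maximum depth exceeded";
        case WalkResult::MissingObject:  return "reference to missing object";
    }
    return "unknown";
}

int main() {
    const std::size_t maxDepth = 8;  // assumed cap for the demonstration
    std::cout << "tree:     " << describe(walkKids(sampleTree(), 1, maxDepth).result) << '\n';
    std::cout << "cycle:    " << describe(walkKids(sampleCycle(), 1, maxDepth).result) << '\n';
    std::cout << "dangling: " << describe(walkKids(sampleDangling(), 1, maxDepth).result) << '\n';
    std::cout << "chain:    " << describe(walkKids(makeChain(50), 0, maxDepth).result) << '\n';
    return 0;
}
```

The depth cap of 8 is only a number for the demonstration; the thread leaves the safe value open (Michal suggests 10-100). Because the work list lives on the heap, a failure to grow it shows up as an allocation error that the caller can handle, whereas exhausting the call stack through recursion cannot be detected portably, which is the point Matthew makes about the lack of a standard way to query remaining stack space.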


Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-01-31 Thread Matthew Brincke
[ grammar fix in quoted text ]

Hello Dominik, hello all,

Dominik Seichter  wrote on 27 January 2018, 13:23:
>  
> 
> Hi Matthew et al.,
> 
> 
> On Fri, Jan 26, 2018 at 11:35 PM, Matthew Brincke  wrote: 
> 
>> [ Left Dominik in To to help him follow this thread, fixed text typos ] 
>>  
>>  Hello Dominik, hello all, 
>>  
>>> Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37: 
>>>
>>>
>>> Hi Mattia,
>>>  
>>> Thanks for the good summary! Let me comment on the open issues.
>>>  
>>> Unfixed security issues:
>>  ... snip ... 
>>> 
>>> https://security-tracker.debian.org/tracker/CVE-2017-8053
>>> -> Please see proposed patch in attachment. Can somebody test/review? 
>>> 
>>  
>>  In line 13 of the patch, there are typos, it should be "already visited", 
>>  line 14 doesn't really fit (which object?), and in general, shouldn't 
>>  there be a maximum recursion depth which is checked for, to prevent a 
>>  stack overflow? AFAICS there is no standard function/method to check 
>>  available stack space ;-( ...
>  
> Yes, typos fixed and line 14 removed. Also agreed, that a maximum check
> might be nice. Still, the patch should address the main issue of being
> vulnerable to certain PDF files.

AIUI without a check for a maximum recursion depth files can be crafted,
at most some MiB large, which cause such deep recursion that the (default)
stack size is exhausted and, therefore, a stack overflow occurs. For that
reason, Dominik, please include the check in your fix for CVE-2017-8053.

>  
> Best regards,
>  Dominik

Best regards, mabri



Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-01-27 Thread Dominik Seichter via Podofo-users
Hi Matthew et al.,



On Fri, Jan 26, 2018 at 11:35 PM, Matthew Brincke  wrote:

> [ Left Dominik in To to help him follow this thread, fixed text typos ]
>
> Hello Dominik, hello all,
>
> > Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37:
> >
> >
> > Hi Mattia,
> >
> > Thanks for the good summary! Let me comment on the open issues.
> >
> > Unfixed security issues:
> ... snip ...
> >
> > https://security-tracker.debian.org/tracker/CVE-2017-8053
> > -> Please see proposed patch in attachment. Can somebody test/review?
> >
>
> In line 13 of the patch, there are typos, it should be "already visited",
> line 14 doesn't really fit (which object?), and in general, shouldn't
> there be a maximum recursion depth which is checked for, to prevent a
> stack overflow? AFAICS there is no standard function/method to check
> available stack space ;-( ...
>
>
Yes, typos fixed and line 14 removed. Also agreed, that a maximum check
might be nice. Still, the patch should address the main issue of being
vulnerable to certain PDF files.



> > https://security-tracker.debian.org/tracker/CVE-2017-8054
> > -> This was fixed by zyx in revision: 1872. I have a test PDF
> >for this and cannot reproduce this issue anymore.
>
> The fix was provided by Matthias Brinke 
> (stands for "PoDoFo security contributor", I'm a friend of his) on the
> Debian Bug Tracking System: https://bugs.debian.org/860995
>
>
Agreed, my statement should better have been: "zyx committed a fix for
this" :-) Thanks for the fix!



> >
> > Plus this one without CVE that was reported in this ML:
> > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
>
> This is *not* fixed yet. I also don't understand why it didn't get
> a CVE entry.
>
> > (CVE-2017-8054 had a tentative patch)
> > -> Seems same as above and seems fixed.
>
> The CVE, yes, contrary to the other one without a CVE entry.
>
> >
> > A threading problem:
> >  https://sourceforge.net/p/podofo/mailman/message/35915862/
> > -> There is no need to make the matrix for XObjects static, so I made
> >it a normal member. Same for s_procset in PdfCanvas. So should be
> >fixed with my last commit.
>
> As you said in your next e-mail to the ML the double-checked locking pattern
> isn't fixed yet: https://sourceforge.net/p/podofo/mailman/message/36205920/
>
> >
> > A copyright issue:
> >  https://sourceforge.net/p/podofo/mailman/message/35633858/
> > -> We still do not have a fix for this.
> >
>
> I recommend libunistring2 to fix it, but haven't used it yet.
>

I try to have a look at libunistring2.


>
> >  [snip]


Best regards,
 Dominik


Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-01-26 Thread Mattia Rizzolo
On Fri, Jan 26, 2018 at 11:35:44PM +0100, Matthew Brincke wrote:
> > Plus this one without CVE that was reported in this ML:  
> > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
> 
> This is *not* fixed yet. I also don't understand why it didn't get
> a CVE entry.

I asked for one back then (it was about the time the workflow to request
CVEs from mitre changed from "random mail on oss-security" to the more
private web form), and after basically copy-pasting the web page into
the form I got back this message on 2017-02-12:

> [snip]
> You may republish or redistribute this message. We think that someone
> has already posted to oss-security about this issue. To make
> oss-security list members aware that there is no CVE ID assignment,
> you could reply to that oss-security post and include pertinent
> information below.
> [snip]
> As far as we can tell, an end user experiences a loss of functionality
> after the podofopdfinfo command-line tool crashes with a NULL pointer
> dereference (because the end user can completely work around this by
> not repeating the specific command-line invocation, there would be no
> security impact).
> 
> Although some parts of PoDoFo are library code that could be reached
> from an arbitrary application, the reported code in
> PdfInfo::GuessFormat appears to be reachable only from the
> podofopdfinfo command-line tool.
> 
> Thus, we are not assigning a CVE ID unless there is additional
> information about a security impact.
> 
> - --
> CVE Assignment Team


After all I didn't redistribute the message for some reason (probably
I was just too lazy).
So it seems the reason the CVE was rejected is only because the crash
doesn't happen in the library, but in the tool itself.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-01-26 Thread Matthew Brincke
[ Left Dominik in To to help him follow this thread, fixed text typos ]

Hello Dominik, hello all,

> Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37: 
>  
> 
> Hi Mattia,
>  
> Thanks for the good summary! Let me comment on the open issues.
>  
> Unfixed security issues: 
... snip ...
> 
> https://security-tracker.debian.org/tracker/CVE-2017-8053
> -> Please see proposed patch in attachment. Can somebody test/review?
> 

In line 13 of the patch, there are typos, it should be "already visited",
line 14 doesn't really fit (which object?), and in general, shouldn't
there be a maximum recursion depth which is checked for, to prevent a
stack overflow? AFAICS there is no standard function/method to check
available stack space ;-( ...

> https://security-tracker.debian.org/tracker/CVE-2017-8054
> -> This was fixed by zyx in revision: 1872. I have a test PDF
>for this and cannot reproduce this issue anymore.

The fix was provided by Matthias Brinke 
(stands for "PoDoFo security contributor", I'm a friend of his) on the
Debian Bug Tracking System: https://bugs.debian.org/860995

>  
> Plus this one without CVE that was reported in this ML:  
> https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/

This is *not* fixed yet. I also don't understand why it didn't get
a CVE entry.

> (CVE-2017-8054 had a tentative patch)
> -> Seems same as above and seems fixed.

The CVE, yes, contrary to the other one without a CVE entry.
 
>  
> A threading problem: 
>  https://sourceforge.net/p/podofo/mailman/message/35915862/
> -> There is no need to make the matrix for XObjects static, so I made
>it a normal member. Same for s_procset in PdfCanvas. So should be
>fixed with my last commit.

As you said in your next e-mail to the ML the double-checked locking pattern
isn't fixed yet: https://sourceforge.net/p/podofo/mailman/message/36205920/

>  
> A copyright issue: 
>  https://sourceforge.net/p/podofo/mailman/message/35633858/
> -> We still do not have a fix for this.
>

I recommend libunistring2 to fix it, but haven't used it yet.
  
> Regarding bug tracker: Yes, a bug tracker would be nice. But I can barely
> follow the mailing list, so I do not feel able to set up and maintain a
> bug tracker. If somebody volunteers, I would not object. 
> BTW: Just found this on Sourceforge: 
> https://sourceforge.net/p/podofo/bugs/?source=navbar 
> Anybody has experience with this? Shall we just use this feature?
> 

Peter Linnell has said something like that, yes (2.5 months ago on this ML):
https://sourceforge.net/p/podofo/mailman/message/36112914/

> 
> Best regards,
>  Dominik
> 

Best regards, mabri
 
> On Mon, Jan 22, 2018 at 7:25 PM, Mattia Rizzolo  wrote: 
> 
> > [ explicitly put Dominik in To, as I'm unsure how much he follows the 
> >  ML himself… ] 
> >  
> >  On Sun, Jan 14, 2018 at 08:48:05PM +0100, Dominik Seichter via 
> > Podofo-users wrote:
> > > The last version of PoDoFo was released almost a year ago on February 2nd
> > > 2017. I have seen many patches on the mailing list and also many commits to
> > > SVN over the last year. So, I think it is time for a new PoDoFo release
> > > 0.9.6.
> > >
> > > As there might have been patches, which either Zyx or I have missed, I
> > > would suggest the following release time line.
> >  
> >  In December there was a similar email to this going on, asking about a 
> >  new release.  It was pointed out that there are still known unfixed CVEs 
> >  and other important issues. 
> >  See https://sourceforge.net/p/podofo/mailman/message/36151169/
> >  
... snip ...
> > 
> >  Who knows what more… 
> >  While you are here, would you reconsider opening a bug tracker 
> >  somewhere?  When it was proposed in the past in this ML, nobody was 
> >  against it, but everybody deferred to you iirc. 
> >  
> >  --
> >  regards,
> >                          Mattia Rizzolo
> >  
> >  GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
> >  more about me:  https://mapreri.org                             : :'  :
> >  Launchpad user: https://launchpad.net/~mapreri                  `. `'`
> >  Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
> >



Re: [Podofo-users] Next PoDoFo Release 0.9.6

2018-01-22 Thread Mattia Rizzolo
[ explicitly put Dominik in To, as I'm unsure how much he follows the
ML himself… ]

On Sun, Jan 14, 2018 at 08:48:05PM +0100, Dominik Seichter via Podofo-users 
wrote:
> The last version of PoDoFo was released almost a year ago on February 2nd
> 2017. I have seen many patches on the mailing list and also many commits to
> SVN over the last year. So, I think it is time for a new PoDoFo release
> 0.9.6.
> 
> As there might have been patches, which either Zyx or I have missed, I
> would suggest the following release time line.

In December there was a similar email to this going on, asking about a
new release.  It was pointed out that there are still known unfixed CVEs
and other important issues.
See https://sourceforge.net/p/podofo/mailman/message/36151169/

To recap from that thread:

Unfixed security issues:
https://security-tracker.debian.org/tracker/CVE-2017-6845
https://security-tracker.debian.org/tracker/CVE-2017-6846
https://security-tracker.debian.org/tracker/CVE-2017-6849
https://security-tracker.debian.org/tracker/CVE-2017-8053
https://security-tracker.debian.org/tracker/CVE-2017-8054
Plus this one without CVE that was reported in this ML: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
(CVE-2017-8054 had a tentative patch)

A copyright issue:
https://sourceforge.net/p/podofo/mailman/message/35633858/

A threading problem:
https://sourceforge.net/p/podofo/mailman/message/35915862/


Who knows what more…
While you are here, would you reconsider opening a bug tracker
somewhere?  When it was proposed in the past in this ML, nobody was
against it, but everybody deferred to you iirc.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




[Podofo-users] Next PoDoFo Release 0.9.6

2018-01-14 Thread Dominik Seichter via Podofo-users
Hello PoDoFo developers and supporters,

The last version of PoDoFo was released almost a year ago on February 2nd
2017. I have seen many patches on the mailing list and also many commits to
SVN over the last year. So, I think it is time for a new PoDoFo release
0.9.6.

As there might have been patches, which either Zyx or I have missed, I
would suggest the following release time line.

- Please submit (or resubmit) all the patches which should go into the
release until February 11th 2018.
- I will try to integrate the patches into SVN trunk and prepare PoDoFo
0.9.6-rc1!
- Let's test the release candidate for about 4 weeks and head for the final
release around March 11th

If necessary, we can delay the release for a few weeks or do a second
release candidate.

Best regards,
 Dominik