Re: [Podofo-users] Next PoDoFo Release 0.9.6
On Wed, 2018-02-21 at 22:44 +0100, Francesco Pretto wrote:
> Can I send git formatted patches to the mailing list?

Hi,

git-formatted patches are perfectly fine (they generate unified diffs, which are also easy to read). Ideally include some description of what you did in the patch and why.

Thanks and bye,
zyx

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
Re: [Podofo-users] Next PoDoFo Release 0.9.6
On 21 February 2018 at 21:55, Dominik Seichter via Podofo-users wrote:
> Feel free to provide and integrate more fixes, as long as the release candidate is not prepared yet.

Hi Dominik,

I'm a newcomer and I recently began working with PoDoFo. Since it seems I'm using some untested code paths, I found some bugs which I already patched myself in my private git clone of the svn repository. Also I added some convenience accessibility methods and improvements; most of them are one-liners, or very short anyway.

How do you recommend I send these patches? Can I send git formatted patches to the mailing list? Will you be able to apply them? I have the feeling "git am" is able to apply git formatted patches without a git repository, but I have yet to try it.

Thank you,
Francesco
Re: [Podofo-users] Next PoDoFo Release 0.9.6
Hi everybody,

As you have seen, I was not yet able to prepare a release candidate last week. There are still a few mails I want to go through before preparing the RC. So, I would want to shift the above timeline by approximately one month. Feel free to provide and integrate more fixes, as long as the release candidate is not prepared yet.

Best regards,
Dominik

On Sun, Jan 14, 2018 at 8:48 PM, Dominik Seichter <domseich...@googlemail.com> wrote:
> Hello PoDoFo developers and supporters,
>
> The last version of PoDoFo was released almost a year ago on February 2nd 2017. I have seen many patches on the mailing list and also many commits to SVN over the last year. So, I think it is time for a new PoDoFo release 0.9.6.
>
> As there might have been patches, which either Zyx or I have missed, I would suggest the following release time line.
>
> - Please submit (or resubmit) all the patches which should go into the release until February 11th 2018.
> - I will try to integrate the patches into SVN trunk and prepare PoDoFo 0.9.6-rc1!
> - Let's test the release candidate for about 4 weeks and head for the final release around March 11th
>
> If necessary, we can delay the release for a few weeks or do a second release candidate.
>
> Best regards,
> Dominik
Re: [Podofo-users] Next PoDoFo Release 0.9.6
Hello,

Recursion is at many places, not only in PdfParser; I have the feeling it is everywhere there is recursion in pdf structures like trees, for example GetPageNode in PdfPagesTree. There is no problem to create a small pdf with too large a depth; also this can be cycled via references and I am now not sure whether this is treated. But what would be a safe maximum recursion depth, maybe 10-100? Maybe better would be to avoid it and use queues or deques; the heap is larger than the stack and a memory allocation fault can be checked better than the size of the stack.

On Thu, Feb 1, 2018 at 12:46 AM, Matthew Brincke wrote:
> [ grammar fix in quoted text ]
>
> Hello Dominik, hello all,
>
> Dominik Seichter wrote on 27 January 2018, 13:23:
> >
> > Hi Matthew et al.,
> >
> > On Fri, Jan 26, 2018 at 11:35 PM, Matthew Brincke wrote:
> >
> > > [ Left Dominik in To to help him follow this thread, fixed text typos ]
> > >
> > > Hello Dominik, hello all,
> > >
> > > > Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37:
> > > >
> > > > Hi Mattia,
> > > >
> > > > Thanks for the good summary! Let me comment on the open issues.
> > > >
> > > > Unfixed security issues:
> > > ... snip ...
> > > >
> > > > https://security-tracker.debian.org/tracker/CVE-2017-8053
> > > > -> Please see proposed patch in attachment. Can somebody test/review?
> > >
> > > In line 13 of the patch, there are typos, it should be "already visited", line 14 doesn't really fit (which object?), and in general, shouldn't there be a maximum recursion depth which is checked for, to prevent a stack overflow? AFAICS there is no standard function/method to check available stack space ;-( ...
> >
> > Yes, typos fixed and line 14 removed. Also agreed, that a maximum check might be nice. Still, the patch should address the main issue of being vulnerable to certain PDF files.
>
> AIUI without a check for a maximum recursion depth files can be crafted, maximally some MiB large, which cause so deep recursion that the (default) stack size is exhausted and, therefore, a stack overflow occurs. For that reason, Dominik, please include the check in your fix for CVE-2017-8053.
>
> > Best regards,
> > Dominik
>
> Best regards, mabri
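To illustrate the three defences discussed above (a visited set against reference cycles, a maximum recursion depth, and zyx's iterative heap-based alternative), here is an added example; it is not PoDoFo code and not part of this thread, and ObjRef, PagesTree and kMaxDepth are constructed stand-ins for PoDoFo's real object model.

```cpp
// Added example, not PoDoFo's own code: a model of walking a PDF /Pages tree
// that tolerates reference cycles and pathological nesting depth.
#include <cstddef>
#include <map>
#include <set>
#include <vector>

using ObjRef = int;                                       // hypothetical: indirect object number
using PagesTree = std::map<ObjRef, std::vector<ObjRef>>;  // hypothetical: node -> its /Kids
constexpr std::size_t kMaxDepth = 64;  // hard bound on nesting, as the thread proposes
constexpr long kCycle   = -1;          // a node was reached a second time via references
constexpr long kTooDeep = -2;          // nesting exceeded kMaxDepth

// Recursive walk (the style the thread worries about) with both checks asked for:
// a visited set against cycles and a depth cap. Returns the number of leaf pages,
// or a negative code instead of recursing until the native stack is exhausted.
static long countRec(const PagesTree& tree, ObjRef node,
                     std::set<ObjRef>& visited, std::size_t depth) {
    if (depth > kMaxDepth) return kTooDeep;
    if (!visited.insert(node).second) return kCycle;
    auto it = tree.find(node);
    if (it == tree.end() || it->second.empty())
        return 1;                      // leaf /Page (a dangling ref is counted as a leaf)
    long total = 0;
    for (ObjRef kid : it->second) {
        long sub = countRec(tree, kid, visited, depth + 1);
        if (sub < 0) return sub;       // propagate the error to the caller
        total += sub;
    }
    return total;
}

long countLeavesRecursive(const PagesTree& tree, ObjRef root) {
    std::set<ObjRef> visited;
    return countRec(tree, root, visited, 0);
}

// Iterative walk over an explicit heap-allocated work list, the alternative zyx
// suggests: document depth no longer maps onto native stack depth, so only the
// cycle check remains; memory growth surfaces as std::bad_alloc, not a stack fault.
long countLeavesIterative(const PagesTree& tree, ObjRef root) {
    std::set<ObjRef> visited;
    std::vector<ObjRef> work{root};
    long total = 0;
    while (!work.empty()) {
        ObjRef node = work.back();
        work.pop_back();
        if (!visited.insert(node).second) return kCycle;
        auto it = tree.find(node);
        if (it == tree.end() || it->second.empty()) { ++total; continue; }
        work.insert(work.end(), it->second.begin(), it->second.end());
    }
    return total;
}

// Constructed sample trees, not taken from any real PDF.
PagesTree healthyTree() { return {{1, {2, 3}}, {2, {4, 5}}, {3, {}}, {4, {}}, {5, {}}}; }
PagesTree cyclicTree()  { return {{1, {2}}, {2, {1}}}; }  // kid 2 points back at its parent
PagesTree deepChain(std::size_t depth) {                  // depth + 1 nodes in a single line
    PagesTree t;
    for (std::size_t i = 0; i < depth; ++i) t[int(i)] = {int(i + 1)};
    t.emplace(int(depth), std::vector<ObjRef>{});         // leaf at the bottom
    return t;
}
```

Note that both walks also reject a subtree that is merely shared between two parents, which the PDF page tree (with its /Parent back-links) does not allow anyway.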
Re: [Podofo-users] Next PoDoFo Release 0.9.6
[ grammar fix in quoted text ]

Hello Dominik, hello all,

Dominik Seichter wrote on 27 January 2018, 13:23:
>
> Hi Matthew et al.,
>
> On Fri, Jan 26, 2018 at 11:35 PM, Matthew Brincke wrote:
>
> > [ Left Dominik in To to help him follow this thread, fixed text typos ]
> >
> > Hello Dominik, hello all,
> >
> > > Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37:
> > >
> > > Hi Mattia,
> > >
> > > Thanks for the good summary! Let me comment on the open issues.
> > >
> > > Unfixed security issues:
> > ... snip ...
> > >
> > > https://security-tracker.debian.org/tracker/CVE-2017-8053
> > > -> Please see proposed patch in attachment. Can somebody test/review?
> >
> > In line 13 of the patch, there are typos, it should be "already visited", line 14 doesn't really fit (which object?), and in general, shouldn't there be a maximum recursion depth which is checked for, to prevent a stack overflow? AFAICS there is no standard function/method to check available stack space ;-( ...
>
> Yes, typos fixed and line 14 removed. Also agreed, that a maximum check might be nice. Still, the patch should address the main issue of being vulnerable to certain PDF files.

AIUI without a check for a maximum recursion depth files can be crafted, maximally some MiB large, which cause so deep recursion that the (default) stack size is exhausted and, therefore, a stack overflow occurs. For that reason, Dominik, please include the check in your fix for CVE-2017-8053.

> Best regards,
> Dominik

Best regards, mabri
Re: [Podofo-users] Next PoDoFo Release 0.9.6
Hi Matthew et al.,

On Fri, Jan 26, 2018 at 11:35 PM, Matthew Brincke wrote:
> [ Left Dominik in To to help him follow this thread, fixed text typos ]
>
> Hello Dominik, hello all,
>
> > Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37:
> >
> > Hi Mattia,
> >
> > Thanks for the good summary! Let me comment on the open issues.
> >
> > Unfixed security issues:
> ... snip ...
> >
> > https://security-tracker.debian.org/tracker/CVE-2017-8053
> > -> Please see proposed patch in attachment. Can somebody test/review?
>
> In line 13 of the patch, there are typos, it should be "already visited", line 14 doesn't really fit (which object?), and in general, shouldn't there be a maximum recursion depth which is checked for, to prevent a stack overflow? AFAICS there is no standard function/method to check available stack space ;-( ...

Yes, typos fixed and line 14 removed. Also agreed, that a maximum check might be nice. Still, the patch should address the main issue of being vulnerable to certain PDF files.

> > https://security-tracker.debian.org/tracker/CVE-2017-8054
> > -> This was fixed by zyx in revision: 1872. I have a test PDF for this and cannot reproduce this issue anymore.
>
> The fix was provided by Matthias Brinke (stands for "PoDoFo security contributor", I'm a friend of his) on the Debian Bug Tracking System: https://bugs.debian.org/860995

Agreed, my statement should better have been: "zyx committed a fix for this" :-) Thanks for the fix!

> > Plus this one without CVE that was reported in this ML:
> > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
>
> This is *not* fixed yet. I also don't understand why it didn't get a CVE entry.
>
> > (CVE-2017-8054 had a tentative patch)
> > -> Seems same as above and seems fixed.
>
> The CVE, yes, contrary to the other one without a CVE entry.
>
> > A threading problem:
> > https://sourceforge.net/p/podofo/mailman/message/35915862/
> > -> There is no need to make the matrix for XObjects static, so I made it a normal member. Same for s_procset in PdfCanvas. So should be fixed with my last commit.
>
> As you said in your next e-mail to the ML the double-checked locking pattern isn't fixed yet: https://sourceforge.net/p/podofo/mailman/message/36205920/
>
> > A copyright issue:
> > https://sourceforge.net/p/podofo/mailman/message/35633858/
> > -> We still do not have a fix for this.
>
> I recommend libunistring2 to fix it, but haven't used it yet.

I try to have a look at libunistring2.

> [snip]

Best regards,
Dominik
Re: [Podofo-users] Next PoDoFo Release 0.9.6
On Fri, Jan 26, 2018 at 11:35:44PM +0100, Matthew Brincke wrote:
> > Plus this one without CVE that was reported in this ML:
> > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
>
> This is *not* fixed yet. I also don't understand why it didn't get a CVE entry.

I asked for one back then (it was about the time the workflow to request CVEs from mitre changed from "random mail on oss-security" to the more private web form), and after basically copy-pasting the web page into the form I got back this message on 2017-02-12:

> [snip]
> You may republish or redistribute this message. We think that someone has already posted to oss-security about this issue. To make oss-security list members aware that there is no CVE ID assignment, you could reply to that oss-security post and include pertinent information below.
> [snip]
> As far as we can tell, an end user experiences a loss of functionality after the podofopdfinfo command-line tool crashes with a NULL pointer dereference (because the end user can completely work around this by not repeating the specific command-line invocation, there would be no security impact).
>
> Although some parts of PoDoFo are library code that could be reached from an arbitrary application, the reported code in PdfInfo::GuessFormat appears to be reachable only from the podofopdfinfo command-line tool.
>
> Thus, we are not assigning a CVE ID unless there is additional information about a security impact.
>
> --
> CVE Assignment Team

After all I didn't redistribute the message for some reason (probably I was just too lazy). So it seems the reason the CVE was rejected is only because the crash doesn't happen in the library, but in the tool itself.

--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Re: [Podofo-users] Next PoDoFo Release 0.9.6
[ Left Dominik in To to help him follow this thread, fixed text typos ]

Hello Dominik, hello all,

> Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37:
>
> Hi Mattia,
>
> Thanks for the good summary! Let me comment on the open issues.
>
> Unfixed security issues:
... snip ...
>
> https://security-tracker.debian.org/tracker/CVE-2017-8053
> -> Please see proposed patch in attachment. Can somebody test/review?

In line 13 of the patch, there are typos, it should be "already visited", line 14 doesn't really fit (which object?), and in general, shouldn't there be a maximum recursion depth which is checked for, to prevent a stack overflow? AFAICS there is no standard function/method to check available stack space ;-( ...

> https://security-tracker.debian.org/tracker/CVE-2017-8054
> -> This was fixed by zyx in revision: 1872. I have a test PDF for this and cannot reproduce this issue anymore.

The fix was provided by Matthias Brinke (stands for "PoDoFo security contributor", I'm a friend of his) on the Debian Bug Tracking System: https://bugs.debian.org/860995

> Plus this one without CVE that was reported in this ML:
> https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/

This is *not* fixed yet. I also don't understand why it didn't get a CVE entry.

> (CVE-2017-8054 had a tentative patch)
> -> Seems same as above and seems fixed.

The CVE, yes, contrary to the other one without a CVE entry.

> A threading problem:
> https://sourceforge.net/p/podofo/mailman/message/35915862/
> -> There is no need to make the matrix for XObjects static, so I made it a normal member. Same for s_procset in PdfCanvas. So should be fixed with my last commit.

As you said in your next e-mail to the ML the double-checked locking pattern isn't fixed yet: https://sourceforge.net/p/podofo/mailman/message/36205920/

> A copyright issue:
> https://sourceforge.net/p/podofo/mailman/message/35633858/
> -> We still do not have a fix for this.

I recommend libunistring2 to fix it, but haven't used it yet.

> Regarding bug tracker: Yes, a bug tracker would be nice. But I can barely follow the mailing list, so I do not feel I am able to set up and maintain a bug tracker. If somebody volunteers, I would not object.
> BTW: Just found this on Sourceforge: https://sourceforge.net/p/podofo/bugs/?source=navbar
> Does anybody have experience with this? Shall we just use this feature?

Peter Linnell has said something like that, yes (2.5 months ago on this ML): https://sourceforge.net/p/podofo/mailman/message/36112914/

> Best regards,
> Dominik

Best regards, mabri

> On Mon, Jan 22, 2018 at 7:25 PM, Mattia Rizzolo wrote:
> > [ explicitly put Dominik in To, as I'm unsure how much he follows the ML himself… ]
> >
> > On Sun, Jan 14, 2018 at 08:48:05PM +0100, Dominik Seichter via Podofo-users wrote:
> > > The last version of PoDoFo was released almost a year ago on February 2nd 2017. I have seen many patches on the mailing list and also many commits to SVN over the last year. So, I think it is time for a new PoDoFo release 0.9.6.
> > >
> > > As there might have been patches, which either Zyx or I have missed, I would suggest the following release time line.
> >
> > In December there was a similar email to this going on, asking about a new release. It was pointed out that there are still known unfixed CVEs and other important issues.
> > See https://sourceforge.net/p/podofo/mailman/message/36151169/
> > ... snip ...
> >
> > Who knows what more…
> > While you are here, would you reconsider opening a bug tracker somewhere? When it was proposed in the past in this ML, nobody was against it, but everybody deferred to you iirc.
> >
> > --
> > regards,
> > Mattia Rizzolo
> >
> > GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
> > more about me: https://mapreri.org
> > Launchpad user: https://launchpad.net/~mapreri
> > Debian QA page: https://qa.debian.org/developer.php?login=mattia
Re: [Podofo-users] Next PoDoFo Release 0.9.6
[ explicitly put Dominik in To, as I'm unsure how much he follows the ML himself… ]

On Sun, Jan 14, 2018 at 08:48:05PM +0100, Dominik Seichter via Podofo-users wrote:
> The last version of PoDoFo was released almost a year ago on February 2nd 2017. I have seen many patches on the mailing list and also many commits to SVN over the last year. So, I think it is time for a new PoDoFo release 0.9.6.
>
> As there might have been patches, which either Zyx or I have missed, I would suggest the following release time line.

In December there was a similar email to this going on, asking about a new release. It was pointed out that there are still known unfixed CVEs and other important issues.
See https://sourceforge.net/p/podofo/mailman/message/36151169/

To recap from that thread:

Unfixed security issues:
https://security-tracker.debian.org/tracker/CVE-2017-6845
https://security-tracker.debian.org/tracker/CVE-2017-6846
https://security-tracker.debian.org/tracker/CVE-2017-6849
https://security-tracker.debian.org/tracker/CVE-2017-8053
https://security-tracker.debian.org/tracker/CVE-2017-8054

Plus this one without CVE that was reported in this ML:
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/

(CVE-2017-8054 had a tentative patch)

A copyright issue:
https://sourceforge.net/p/podofo/mailman/message/35633858/

A threading problem:
https://sourceforge.net/p/podofo/mailman/message/35915862/

Who knows what more…

While you are here, would you reconsider opening a bug tracker somewhere? When it was proposed in the past in this ML, nobody was against it, but everybody deferred to you iirc.

--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
more about me: https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
[Podofo-users] Next PoDoFo Release 0.9.6
Hello PoDoFo developers and supporters,

The last version of PoDoFo was released almost a year ago on February 2nd 2017. I have seen many patches on the mailing list and also many commits to SVN over the last year. So, I think it is time for a new PoDoFo release 0.9.6.

As there might have been patches, which either Zyx or I have missed, I would suggest the following release time line.

- Please submit (or resubmit) all the patches which should go into the release until February 11th 2018.
- I will try to integrate the patches into SVN trunk and prepare PoDoFo 0.9.6-rc1!
- Let's test the release candidate for about 4 weeks and head for the final release around March 11th

If necessary, we can delay the release for a few weeks or do a second release candidate.

Best regards,
Dominik