[Podofo-users] podofo 0.9.4 fails to build with openSSL 1.1.0

get 'src/CMakeFiles/podofo_shared.dir/all' failed make[2]: *** [src/CMakeFiles/podofo_shared.dir/all] Error 2 make[2]: Leaving directory '/<>/obj-x86_64-linux-gnu' Makefile:130: recipe for target 'all' failed make[1]: *** [all] Error 2 make[1]:

Re: [Podofo-users] podofo 0.9.4 fails to build with openSSL 1.1.0

On Mon, Oct 10, 2016 at 11:38:00AM +, Mattia Rizzolo wrote: > Hi there. > > Debian received a bug report that podofo fails to build with the newer > openSSL. > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828407 > > I'd report this as a bug report, bu

Re: [Podofo-users] podofo 0.9.4 fails to build with openSSL 1.1.0

egards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/

Re: [Podofo-users] PoDoFo 0.9.5 Release Plan

lity across releases. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri

[Podofo-users] non-free piece of code in src/base/PdfString.cpp

r local changes). Another way would be of course to reimplement those functions. Or to depend on similar implementations coming from external libraries. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about

Re: [Podofo-users] non-free piece of code in src/base/PdfString.cpp

hat file free, I find the unclearness of the situation as althoughter annoying by itself and worth calming just for it :) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org

[Podofo-users] security bugs in PoDoFo

those. Could you please check them out? Thanks in advance. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : L

[Podofo-users] please move manpages out of debian/ directory

des the manpages and the jumper CMakeLists.txt, so it is really free to go, imho. Thank you for considering! -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org

[Podofo-users] fix test failure on 32 bit architectures

cryptTest.h +++ b/test/unit/EncryptTest.h @@ -87,7 +87,7 @@ private: char* m_pEncBuffer; - long m_lLen; + PoDoFo::pdf_long m_lLen; int m_protection; }; (also attached for convenience) Thank you! -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FC

[Podofo-users] manpage of podofobox talks about podofocolor

ofocrop (1), .BR podofoencrypt (1), 1 mattia@warren ..an/libpodofo/upstream/trunk/debian/man (svn)-[trunk:1822] % :( -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me:

[Podofo-users] Spelling error in manpages

* podofoxmp.1 is actually the only spelling error (but really there is no better way to send patch or stuff than this mailing list?) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.

Re: [Podofo-users] manpage of podofobox talks about podofocolor

e enough MUA... But I do attach patches usually, yes, because they are more easy to handle, thanks to be able to juts save the single attachment instead of messing with copy/pasting or so. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944

Re: [Podofo-users] another bunch of crashes

libpodofo -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian Q

Re: [Podofo-users] please move manpages out of debian/ directory

Do you mind if I ask about the status of this (doesn't seem to be done in SVN): On Wed, Feb 08, 2017 at 05:48:02PM +0100, Mattia Rizzolo wrote: > I've never quite understood why manpages are in debian/man instead of > man/ or doc/man/ or whatever. > > This makes for a ta

Re: [Podofo-users] another bunch of crashes

On Mon, Mar 13, 2017 at 01:39:00PM +0100, Mattia Rizzolo wrote: > On Thu, Mar 02, 2017 at 05:31:34PM +0100, Agostino Sarubbo wrote: > > Please consider the following: > > > > … > > All of these now have CVEs associated. And apparently the Debian release team is cons

Re: [Podofo-users] please move manpages out of debian/ directory

On Fri, Mar 24, 2017 at 07:13:55PM +0100, zyx wrote: > On Mon, 2017-03-13 at 13:42 +0100, Mattia Rizzolo wrote: > > Do you mind if I ask about the status of this (doesn't seem to be done > > in SVN): > > Hi, > you are right, it was not done. I ran those three co

Re: [Podofo-users] another bunch of crashes

ll of those referenced from there) If you need so feel free to drop me a line. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :

Re: [Podofo-users] Installation and Compiling PoDoFo

l) > * libpng (optional) > * OpenSSL > * zlib Otherwise you can only use the ubuntu package to get the build-dependencies of libpodofo installed: sudo apt build-dep libpodofo (this requires deb-src lines in /etc/apt/sources.list) This won't pull cppunit, btw. -- regards,

Re: [Podofo-users] Fwd: heap overflow in podofo's pdf parser

.org/ asking for one? Once a CVE id is published there are people routinely triaging those and adding to the list in [1]. > []1 https://security-tracker.debian.org/tracker/source-package/libpodofo -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04

Re: [Podofo-users] another bunch of crashes

eption, instead of crashing, btw, about this thing, I asked for a CVE, and was denied as "not a security bug" -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org

[Podofo-users] exported symbols

nd do something like https://gcc.gnu.org/wiki/Visibility this could even pave the way to having some kind of ABI stability, and detach the SONAME from the library version… -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .

[Podofo-users] CVE-2017-8787: heap based overflow in ReadXRefStreamEntry

e to ask me if you have further question about this report. Best Regards, Xiang Xiaobo of VARAS@IIE - End forwarded message - -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org

Re: [Podofo-users] Fwd: heap overflow in podofo's pdf parser

sect or something and identify the fixing commit. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~maprer

Re: [Podofo-users] another bunch of crashes

er/CVE-2017-5852 https://security-tracker.debian.org/tracker/CVE-2017-7994 I got rid of that TEMP-… issue, as Mitre claimed it's not CVE-worthy, and you said it's fixed in trunk either way. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4

Re: [Podofo-users] Fix r1810 ABI mess

n't break across patch releases… -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri

[Podofo-users] cppunit 1.14 requires C++11, but PoDoFo enforces C++98

regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.or

Re: [Podofo-users] cppunit 1.14 requires C++11, but PoDoFo enforces C++98

On Mon, Jul 31, 2017 at 05:33:21PM +0200, zyx wrote: > it's not. Well, the current development version doesn't do that: > http://sourceforge.net/p/podofo/code/1826 ahah, cool then :) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B0

Re: [Podofo-users] ABI fix for the fix CVE-2017-5852

9398/ (then, the lack of an actual bug tracker makes those request/reports very hard to track, and I wouldn't be surprised if many missed it, or even if they did completely forgot about it, as many other reports) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F5

Re: [Podofo-users] ABI fix for the fix CVE-2017-5852

On Fri, Oct 27, 2017 at 12:54:11AM +0200, Matthew Brincke wrote: > > Mattia Rizzolo has written on 23. Oktober 2017 at 11:10: > > On Sun, Oct 22, 2017 at 05:20:31PM +0200, Matthew Brincke wrote: > > > Debian bug 854600 [2], I wonder why no one answered to the last post .

Re: [Podofo-users] exported symbols

On Wed, May 03, 2017 at 12:00:20PM +0200, Mattia Rizzolo wrote: > I noticed that libpodofo exports symbols for all of its methods, which > means that things like https://sourceforge.net/p/podofo/code/1838 > actually break the ABI despite it not needed to, as that's a private > m

Re: [Podofo-users] Next release ? Many CVE's

acker/CVE-2017-8054 Plus this one without CVE that was reported in this ML: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/ But yes, a release with the already fixed ones would be nice I agree :) -- regards, Matt

[Podofo-users] patch for CVE-2017-8054

r for this bug. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `

Re: [Podofo-users] Next release ? Many CVE's

one so as a separated thread. > in it, also copyright [2] (for which I recommend libunistring2) and > [2] https://sourceforge.net/p/podofo/mailman/message/35633858/ Oh wow. I'm impressed somebody remembers it without proper tracking! :) ♥ -- regards, Mattia Rizzo

Re: [Podofo-users] Fix for the "could avoid useless dependency" Debian build warning

ign.dir/podofosign.cpp.o: In function `main': > .../tools/podofosign/podofosign.cpp:879: undefined reference to > `OPENSSL_init_ssl' > collect2: error: ld returned 1 exit status I'll let the OP take care of this error :) -- regards,

Re: [Podofo-users] Next PoDoFo Release 0.9.6

862/ Who knows what more… While you are here, would you reconsider opening a bug tracker somewhere? When it was proposed in the past in this ML, nobody was against it, but everybody deferred to you iirc. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18

Re: [Podofo-users] Next PoDoFo Release 0.9.6

ems the reason the CVE was rejected is only because the crash doesn't happen in the library, but in the tool itself. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org

[Podofo-users] Fwd: [cve-requ...@mitre.org: Re: [scr293896] podofo - 0.9.4]

WUwMIEFMsSMuEr6gAOHfw+VIEnBDXVhGklhBZyq+2XbRGeAdy dlo+9xisMuqmouKq2iO4rpxGdWzOsjhy4ekom3ZVUYSLPj7AFcwjob6T/eoklB/z 8Jh4i8El1uffbiOZ6xkt =vacu -END PGP SIGNATURE- - End forwarded message - -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4

Re: [Podofo-users] Bug tracker (was: Re: Next PoDoFo Release 0.9.6)

check: https://sourceforge.net/p/podofo/tickets *Thank you* for configuring it! I actually trying filing another non-coding bug, so it definitely does the job. :) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.

Re: [Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

ct for the PoC) exception message > with detailed info and "call stack" (via PdfError method) was output > by podofoimgextract. The patch is attached (it's against released 0.9.5). (PS: should we start moving these kind of things to the bug tracker, or perhaps only start with n

Re: [Podofo-users] Visibility support checking in the build (was: exported symbols)

release candidate. I don't think there is any need to rush this part, or get crazy about. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launc

Re: [Podofo-users] Integer Overflow in PdfXRefStreamParserObject::ParseStream

at TTBOMK are still not fixed in trunk. See https://sourceforge.net/p/podofo/tickets/ -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Lau

[Podofo-users] Three new CVEs

but I think you should). -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri

[Podofo-users] manpage for podofobox

odofotxt2pdf (1), .BR podofotxtextract (1), .BR podofouncompress (1), .BR podofoxmp (1) .PP .SH AUTHOR .PP PoDoFo is written by Dominik Seichter and others\. .PP This manual page was written by Oleksandr Moskalenko for the Debian Project (but may be used by others)\. <<<<<<<

Re: [Podofo-users] PoDoFo 0.9.6-rc1 ready for download

f8 -> utf16 -> utf8 conversion.", lLenUtf8 + 1, result2 ); ^ test/unit/CMakeFiles/podofo-test.dir/build.make:377: recipe for target 'test/unit/CMakeFiles/podofo-test.dir/StringTest.cpp.o' failed make[3]: *** [test/unit/CMakeFiles/podofo-test.dir/StringTest.cpp.o] Error 1 -- regards,

Re: [Podofo-users] PoDoFo 0.9.6-rc1 ready for download

empty directories. Do you think it's feasible to not ship them? * doc/html/ * doc/latex/ * test/system/data/ -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me:

Re: [Podofo-users] PoDoFo 0.9.6-rc1 ready for download

ches will be integrated before release from now on. Not critical, but I'd fine nice if you could fix these last few spelling errors :) Patch attached! -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more abo

Re: [Podofo-users] PoDoFo 0.9.6-rc1 ready for download

egards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: https://launchpad.net/~mapreri `. `'` Debian QA page: https://qa.debian.org/

Re: [Podofo-users] CVE-2017-5853 and CVE-2017-6844 testing (overflow fixed, but unhandled exception present)

), I'd recommend submitting them, and I would also recommend libpodofo maintainers to accept them (as really, more tests can't possibly be a bad thing…). -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .'

Re: [Podofo-users] ABI incompatible changes

spent some hours trying to get something that worked for more than only amd64, but there are several symbols that varies across all archs (which is kind of fine, it's due to things like size_t, ssize_t, uint64_t, etc, but there are really too many and I'm convinced very few of them shou

Re: [Podofo-users] CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

lot* of confusion. > @Mattia Rizzolo: Suggested action(s) to take: Correct the Debian security > tracker to say "vulnerable (no DSA)" instead of "fixed" in Debian stretch > (CVE-2017-5854). Fix the non-CVE'd bug too (in unstable, I'd think). I'm sorry

[Podofo-users] 0.9.6 fails to link a test with -DPODOFO_HAVE_GCC_SYMBOL_VISIBILITY

ll] Error 2 |make[1]: Leaving directory '/build/libpodofo-0.9.6/obj-x86_64-linux-gnu' This can be fixed by e.g.: |--- a/src/base/PdfXRefStreamParserObject.h |+++ b/src/base/PdfXRefStreamParserObject.h |@@ -48,7 +48,7 @@ | * | * It is mainly here to make PdfParser more modular. | */ |-class Pd

Re: [Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

On Fri, Jun 15, 2018 at 10:47:14AM +0200, Mattia Rizzolo wrote: > Thanks for all your help, and sorry for the delay in dealing with this. Now that 0.9.6 is out I took my time and had a look at also the new CVEs that appeared this year. I've reported them in the podofo issue tracker (t

Re: [Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)

nged anymore), I believe everything is fine now - at least in debian's git (pending the fix for the thing above). Please correct me if I'm wrong. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .&#

Re: [Podofo-users] 0.9.6 fails to link a test with -DPODOFO_HAVE_GCC_SYMBOL_VISIBILITY

ed (which is not a decent solution) to debian experimental soon. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. more about me: https://mapreri.org : :' : Launchpad user: htt

Re: [Podofo-users] Untracked CVE issues now fixed (was: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6))

a/CVE/list), just beware that is a very weird git repository, it's going to melt your CPU. That would potentially save round-trips and misunderstandings :) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540

[Podofo-users] Releasing 0.9.7 ?

ng patches. Also, it's likely that more will appear the more we wait, so it doesn't make much sense to wait more. Are there any particular blockers for 0.9.7 at this time? -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540

Re: [Podofo-users] Releasing 0.9.7 ?

ion 2000 (see other ML post, please) would come first. Yes, I've seen the posts about r2000. I see we are only a commi away from it ;) In any case, just take this thread of mine as a kind request for a new release, nothing more. I have to take on commits for the debian stable releases an

Re: [Podofo-users] [PROPOSAL] Relicense PoDoFo to Mozilla Public License 2.0

L -> FAIL > > I believe at some point we can just take a more permissive stringprep > implementation written in another language/framework and port it to C++. Why is this not a blocker for going forward? Wouldn't linking against libidn make the resulting library effectively be und

[Podofo-users] Future ABI stability of PoDoFo

have been avoided. For me this is relevant because for each release the updates needs to be manually approved by Debian's archive admins due to the changed soname, which is something I would be happier without :) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF

Re: [Podofo-users] PoDoFo virtual meeting

since I should be free I'll lurk in it if you don't mind :) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. More about me: https://mapreri.org : :' : Launchpad use

[Podofo-users] podofo 0.9.8 fails with GCC 12

7 Does anybody here have any patch floating around for this? :) -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`. More about me: https://mapreri.org : :' : Launchpad user:

Re: [Podofo-users] podofo 0.9.8 fails with GCC 12

s just disabing the failing tests. Indeed, I just received a proposed similar patch in Debian too: https://salsa.debian.org/debian/libpodofo/-/merge_requests/2 So nobody has actually investigated the failures and did a real fix? -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCC

Re: [Podofo-users] PoDoFo SO versioning

hat has no/shitty dynamic link support, but I honestly consider proper dynamic linking a very good thing myself, that should be properly handled and supported. -- regards, Mattia Rizzolo GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540

Re: [Podofo-users] PoDoFo SO versioning

have tools that verify that the ABI doesn't break, but that's mostly partial, as it only checks function symbols, and as you know the ABI is much more than that. So indeed, some automated testing wouldn't be bad. -- regards, Mattia Rizzolo GPG Key: