Podofo security bugs

Done

Details

2 participants

Leo Famulari
Ludovic Courtès

Owner: unassigned

Submitted by: Leo Famulari

Severity: normal

L

L

Leo Famulari wrote on 28 Jun 2017 17:49

Recipients:(address . bug-guix@gnu.org)

Message-ID:20170628154923.GA12428@jasmine.lan

There were some bugs with security implications reported in Podofo

recently:

http://seclists.org/oss-sec/2017/q2/0

http://seclists.org/oss-sec/2017/q2/1

http://seclists.org/oss-sec/2017/q2/2

I noticed some fixes committed to the Podofo SVN repo:

https://sourceforge.net/p/podofo/mailman/podofo-svn/?viewmonth=201706

We need to try to cherry-pick these fixes.

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllT0AMACgkQJkb6MLrK
fwg8fRAA3RzF2Nj4dXSacUGlHu/mxEFtsutaFgPo4HCq+g6hURu/VJj+IXkG4+dQ
w8Fbbl4X+SAP8/AZ7kgRlCaE1KFb6DN6UIrCi5b8vxLPUywgdEyRH4z19Mm5bfeq
EWzg2nuAF8gwbP3Esf10SJ4FRDMFdfpHKZfd28epWLm/AFAmv1uXNUJKZKEFntew
7mpQiO8xA4Z+BTzqQF9OmfVc8PZChqiFvUbVYGbfsel8qVahkefkkzh2oKACpw1C
Btgni5twMNo0TesO6F4KoAmC7fDf+835AxMaqHSU4WBIQYIlYfIA9IAymPWhso3W
ZDQfHL2ZtCA1Gl4vSiQ93RSZhuHPnHyAx2TZrb458Dkg3pR+mthlAs41pZx260sI
EDyx8vmG4ux9UvhAf2yNxXQuA0jQuZKnNv18VNiXcH1fyswv4VDuVrlwiGDQ3fvZ
R4preuX5mvk9aPt1/J+LHq94Bz9p8fGWat3aDOJydccek3V5OVRT6LButsTYJXND
bkG7ueHErRL3C6y1TLziTI0OTFSMHoIONAbOCFtTJsTWhEO9+etEBcLMWMYImcvP
RJto+tuwclGutAz9PVQGXZYUIL+5sJzk8b90rxlHRPJshWG8NYLY0HFVXlI2dHTR
IndB1y+fJmFI8gy6deAmNb/0oCkHvCEaVk3M7y4KxM1hpJfu2DA=
=Mozw
-----END PGP SIGNATURE-----

L

L

Ludovic Courtès wrote on 27 Jul 2017 14:25

control message for bug #27519

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87tw1y3w3v.fsf@gnu.org

tags 27519 security

L

L

Leo Famulari wrote on 5 Feb 2019 00:34

Re: Podofo security bugs

Recipients:(address . 27519-done@debbugs.gnu.org)

Message-ID:20190204233401.GA20023@jasmine.lan

We have since packaged a new release of PoDoFo (0.9.6) which apparently

fixed many bugs.

The PoDoFo team does not write changelogs or any sort of release

announcement file. Their SVN repo includes several commits like "Fix

CVE-XXX" followed by "Really fix CVE-XXX".

Since PoDoFo is not widely used in Guix (only by calibre and Scribus),

I'm not going to dig in to whether or not these bugs are really fixed or

not in the current Guix package.

At this point, this bug report is not helping us much, so I am closing

it :)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlxYy+kACgkQJkb6MLrK
fwiGhxAApb51r3XJ6MumX4FUKSUkL/3gJDBl70KxHl46TLx3gaWsyAvnEZLaZwLo
bBOFSKFMPot78Kp6u3UAFb4Z5DOEB6JkOKeSc0fd3h4+Ui2uENofclD5gifcQfy0
BkIXayb1AUgX4qoI8jYfmlYmsz3m6YfBucDVUPs7Ld0BjKGj6DhX29Am+r0M4uXJ
zBamnmVuA9CMZMLOQprNcACXg4OELrz1DIhP7ITmDuRGwh9UNHSJmKl/+wayUR2Z
EG0NeCTkWKSgO4qky/DjVcsyWDXgP/4zYJVSVyzX+ouBnzQSc4QN/9IpoGgoU9Cq
E7qGvH2JaRBB25JE6ShU/9kV1XYNIUNUb+QRTQI0DsYUge/GCrKUU8ghJvrd1e15
aEPiEoXLWpxjZT4NrFMyZbLmUb54i8PJQD0/p1IXgxGJPVOsSti8x30oXBqD9Pjp
x4kkh8fLi9M23ebBKpF3vE10rtben/Zz5II3q5/8CqauUgXgEzoVjreiH6J++o0H
FOsgMyhRp9aNLY/tLRWgL+IXz3CDtTFJQEYBlsuOOYtqjGqmGWcU8x55RIa783JR
tUN3qbufCemkI2jYbXgMijawDt5G0eO+4SNnkk5dag9BYbudtbuRB+9/xNmDbx3V
Jy0S6KM33Rx2aEKtUKVXwM4O9EHMKExQ+Z0IMzSkapsQxhiaoXI=
=8NOy
-----END PGP SIGNATURE-----

Closed

?

Your comment

This issue is archived.

To comment on this conversation send an email to 27519@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 27519

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch