Podofo security bugs

Done
Submitted by Leo Famulari.
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Severity
normal
Leo Famulari wrote on 28 Jun 2017 17:49
(address . bug-guix@gnu.org)
20170628154923.GA12428@jasmine.lan
There were some bugs with security implications reported in Podofo recently:
http://seclists.org/oss-sec/2017/q2/0
http://seclists.org/oss-sec/2017/q2/1
http://seclists.org/oss-sec/2017/q2/2
I noticed some fixes committed to the Podofo SVN repo:
https://sourceforge.net/p/podofo/mailman/podofo-svn/?viewmonth=201706
We need to try to cherry-pick these fixes.

Ludovic Courtès wrote on 27 Jul 2017 14:25
control message for bug #27519
(address . control@debbugs.gnu.org)
87tw1y3w3v.fsf@gnu.org
tags 27519 security
Leo Famulari wrote on 5 Feb 2019 00:34
Re: Podofo security bugs
(address . 27519-done@debbugs.gnu.org)
20190204233401.GA20023@jasmine.lan
We have since packaged a new release of PoDoFo (0.9.6) which apparently fixed many bugs.
The PoDoFo team does not write changelogs or any sort of release announcement file. Their SVN repo includes several commits like "Fix CVE-XXX" followed by "Really fix CVE-XXX".
Since PoDoFo is not widely used in Guix (only by calibre and Scribus), I'm not going to dig in to whether or not these bugs are really fixed or not in the current Guix package.
At this point, this bug report is not helping us much, so I am closing it :)

Closed

This issue is archived.

To comment on this conversation send email to 27519@debbugs.gnu.org