> Fair enough. In any case, I am going to upload to backports as soon as
> the version in sid stabilises.

Great.

> Well, I think a DSA would be too much for a tool like this :) Especially
> since there has not been any PoC to show a real security issue.

I won't try to force it, but I'd certainly consider it worthy of such a thing. Just because people, like me, use catdoc in their console-mail clients to read arbitrary/untrusted documents received. If there is even a hint that memory corruption can lead to code execution that's a severe problem.

> like to lower the severity of this bug, but I would gladly keep it if
> you can find a real threat there.

I suspect the only way to know for sure is to develop an exploit, and memory-corruption issues are something I've not touched for a while - buffer overflows are much easier to reason about!

> Thanks for the test file. I will debug this and try to come up with a fix.

Great. I have about twenty more files that crash the version of catdoc available to sid. I will wait to see your fix, and once posted I'll test the current samples against them, I expect that some of them are non-unique.

Steve