Hi zyx, hi Mattia, hi all,

zyx <z...@litepdf.cz> has written on 3 May 2017 at 18:24:
>
> On Wed, 2017-05-03 at 15:47 +0200, Matthew Brincke wrote:
> >
> > on May 1st, the Debian bug #861597 [1] was filed, mentioning the CVE ID
> > of this PdfParser::ReadObjects heap overflow vulnerability: CVE-2017-8378,
> > under which it's also listed in the Debian security tracker for libpodofo
> > (detail page [2]).
> >
> > [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861597
> > [2] https://security-tracker.debian.org/tracker/CVE-2017-8378
>
> Hi,
> nice, I gave it a quick try and using that provided PDF and the code
> suggested there, with svn trunk at revision 1824, I get this output:

very probably there are transposed digits, you actually meaning the svn revision 1842, as the fix is in svn revision 1833 [1] committed a month (minus ca. 4 hours) before the report on this mailing list.

>
> Test test_cve_2017_8378 failed with error:
>
> PoDoFo encountered an error. Error: 31 ePdfError_InvalidEncryptionDict
> Error Description: The encryption dictionary is invalid or misses a required key.

[... snip ...]

>
> Thus it's already fixed in the current development version.

Yes, in svn trunk leading to version 0.9.6, but as I can't know when that'll be released: Mattia, could you please cherry-pick the security fixes for Debian's libpodofo0.9.4?

> Bye,
> zyx

Best regards, mabri

>
> --
> http://www.litePDF.cz i...@litepdf.cz
>

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users