[ Left Dominik in To to help him follow this thread, fixed text typos ]

Hello Dominik, hello all,

> Dominik Seichter via Podofo-users wrote on 26 January 2018 at 17:37: 
>  
> 
> Hi Mattia,
>  
> Thanks for the good summary! Let me comment on the open issues.
>  
> Unfixed security issues: 
... snip ...
> 
> https://security-tracker.debian.org/tracker/CVE-2017-8053
> -> Please see proposed patch in attachment. Can somebody test/review?
> 

In line 13 of the patch there are typos; it should be "already visited".
Line 14 doesn't really fit (which object?), and in general, shouldn't
there be a maximum recursion depth which is checked for, to prevent a
stack overflow? AFAICS there is no standard function/method to check
available stack space ;-( ...

> https://security-tracker.debian.org/tracker/CVE-2017-8054
> -> This was fixed by zyx in revision: 1872. I have a test PDF
>    for this and cannot reproduce this issue anymore.

The fix was provided by Matthias Brinke <podofo-sec-cont...@mailbox.org>
(stands for "PoDoFo security contributor", I'm a friend of his) on the
Debian Bug Tracking System: https://bugs.debian.org/860995

>  
> Plus this one without CVE that was reported in this ML:  
> https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/

This is *not* fixed yet. I also don't understand why it didn't get
a CVE entry.

> (CVE-2017-8054 had a tentative patch)
> -> Seems same as above and seems fixed.

The CVE, yes, contrary to the other one without a CVE entry.
 
>  
> A threading problem: 
>  https://sourceforge.net/p/podofo/mailman/message/35915862/
> -> There is no need to make the matrix for XObjects static, so I made
>    it a normal member. Same for s_procset in PdfCanvas. So should be
>    fixed with my last commit.

As you said in your next e-mail to the ML the double-checked locking pattern
isn't fixed yet: https://sourceforge.net/p/podofo/mailman/message/36205920/

>  
> A copyright issue: 
>  https://sourceforge.net/p/podofo/mailman/message/35633858/
> -> We still do not have a fix for this.
>

I recommend libunistring2 to fix it, but haven't used it yet.
  
> Regarding bug tracker: Yes, a bug tracker would be nice. But I can barely
> follow the mailing list, so I do not feel able to set up and maintain a
> bug tracker. If somebody volunteers, I would not object. 
> BTW: Just found this on Sourceforge: 
> https://sourceforge.net/p/podofo/bugs/?source=navbar 
> Anybody has experience with this? Shall we just use this feature?
> 

Peter Linnell has said something like that, yes (2.5 months ago on this ML):
https://sourceforge.net/p/podofo/mailman/message/36112914/

> 
> Best regards,
>  Dominik
> 

Best regards, mabri
 
> On Mon, Jan 22, 2018 at 7:25 PM, Mattia Rizzolo <mat...@mapreri.org> wrote: 
> 
> > [ explicitly put Dominik in To, as I'm unsure how much he follows the 
> >  ML himself… ] 
> >  
> >  On Sun, Jan 14, 2018 at 08:48:05PM +0100, Dominik Seichter via 
> > Podofo-users wrote:
> > > The last version of PoDoFo was released almost a year ago on February 2nd
> > > 2017. I have seen many patches on the mailing list and also many commits 
> > > to
> > > SVN over the last year. So, I think it is time for a new PoDoFo release
> > > 0.9.6.
> > >
> > > As there might have been patches which either Zyx or I have missed, I
> > > would suggest the following release time line.
> >  
> >  In December there was a similar email to this going on, asking about a 
> >  new release.  It was pointed out that there are still known unfixed CVEs 
> >  and other important issues. 
> >  See https://sourceforge.net/p/podofo/mailman/message/36151169/
> >  
... snip ...
> > 
> >  Who knows what more… 
> >  While you are here, would you reconsider opening a bug tracker 
> >  somewhere?  When it was proposed in the past in this ML, nobody was 
> >  against it, but everybody deferred to you iirc. 
> >  
> >  --
> >  regards,
> >                          Mattia Rizzolo
> >  
> >  GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
> >  more about me:  https://mapreri.org                             : :'  :
> >  Launchpad user: https://launchpad.net/~mapreri                  `. `'`
> >  Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
> >
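
[ Added example for the "already visited" / maximum recursion depth point
  made above about the CVE-2017-8053 patch. This is illustration code
  written for this reply, not the patch under review and not PoDoFo's own
  code: the object table, the Walk/WalkResult types, walkObjects() and the
  sample graphs are hypothetical stand-ins for PDF indirect objects, and
  kMaxDepth is an assumed policy value. It shows why a visited set alone is
  not enough (a shared subtree must stay legal, a back-reference must not),
  and how a depth cap stands in for the stack-space check that C++ cannot
  portably perform. ]

```cpp
// Added example, not PoDoFo code: bounded, cycle-safe traversal of a
// PDF-like object graph. Object numbers and the table below are a
// stand-in for PDF indirect objects, not PoDoFo's PdfObject/PdfReference.
#include <cstddef>
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// object number -> object numbers it references (hypothetical model)
using ObjectTable = std::map<int, std::vector<int>>;

enum class Walk { Ok, Cycle, TooDeep };

struct WalkResult {
    Walk status;
    std::size_t visited;     // objects reached before stopping
};

// The depth bound is a policy constant (assumed value): there is no portable
// way to ask how much stack is left, so the only defence against hostile
// nesting depth is to refuse it before recursing any further.
constexpr std::size_t kMaxDepth = 64;

static Walk walkImpl(const ObjectTable& table, int num,
                     std::set<int>& onPath,   // ancestors of the current call
                     std::set<int>& done,     // objects fully processed
                     std::size_t depth, std::size_t maxDepth,
                     std::size_t& visited) {
    if (depth > maxDepth) return Walk::TooDeep;
    if (done.count(num)) return Walk::Ok;       // shared subtree (e.g. one font
                                                // used by many pages): legal
    if (onPath.count(num)) return Walk::Cycle;  // reference back to an ancestor
    auto it = table.find(num);
    if (it == table.end()) return Walk::Ok;     // missing object reads as null
    onPath.insert(num);
    ++visited;
    for (int ref : it->second) {
        Walk w = walkImpl(table, ref, onPath, done, depth + 1, maxDepth, visited);
        if (w != Walk::Ok) return w;
    }
    onPath.erase(num);
    done.insert(num);
    return Walk::Ok;
}

// Walk the graph from `root`; stops at the first cycle or at maxDepth.
WalkResult walkObjects(const ObjectTable& table, int root,
                       std::size_t maxDepth = kMaxDepth) {
    std::set<int> onPath, done;
    std::size_t visited = 0;
    Walk status = walkImpl(table, root, onPath, done, 0, maxDepth, visited);
    return {status, visited};
}

// Constructed sample graphs (not taken from any real PDF).
ObjectTable makeDiamond() {     // 1 -> 2 -> 3 and 1 -> 3: legitimate sharing
    return {{1, {2, 3}}, {2, {3}}, {3, {}}};
}
ObjectTable makeCycle() {       // 1 -> 2 -> 1: e.g. a Kids entry pointing back at its parent
    return {{1, {2}}, {2, {1}}};
}
ObjectTable makeChain(int n) {  // 1 -> 2 -> ... -> n: acyclic but deep
    ObjectTable t;
    for (int i = 1; i < n; ++i) t[i] = {i + 1};
    t[n] = {};
    return t;
}

static const char* name(Walk w) {
    return w == Walk::Ok ? "Ok" : w == Walk::Cycle ? "Cycle" : "TooDeep";
}

int main() {
    WalkResult r;
    r = walkObjects(makeDiamond(), 1);    std::printf("diamond:   %s, %zu objects\n", name(r.status), r.visited);
    r = walkObjects(makeCycle(), 1);      std::printf("cycle:     %s, %zu objects\n", name(r.status), r.visited);
    r = walkObjects(makeChain(100), 1);   std::printf("chain/64:  %s, %zu objects\n", name(r.status), r.visited);
    r = walkObjects(makeChain(100), 1, 200); std::printf("chain/200: %s, %zu objects\n", name(r.status), r.visited);
    return 0;
}
```

The two sets are the point: `done` lets a diamond (the same object
reached twice by different paths) pass, while `onPath` catches a true
back edge; a single "already visited" set would either reject legal
sharing or, if it only skips, silently accept a cycle without ever
bounding the depth. The depth parameter is what turns a hostile chain of
references into an error instead of a crash.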

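[ Added example for the double-checked locking point raised above about
  the threading problem. Again illustration code written for this reply,
  not PoDoFo's code: ProcSet, the procSet*() functions and stressInit()
  are hypothetical, and the member name s_procset is reused only because
  the thread mentions it. It puts the racy pattern next to two forms that
  C++11 actually guarantees to be safe. ]

```cpp
// Added example, not PoDoFo code: why the classic double-checked locking
// pattern is a data race in C++, and two initialisations that are safe.
#include <atomic>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical shared object standing in for a lazily built static table.
struct ProcSet {
    std::vector<const char*> names{"PDF", "Text", "ImageB", "ImageC", "ImageI"};
};

static std::atomic<int> g_constructions{0};   // how many ProcSet objects were built

// Racy form (do not use): the first check reads s_procset with no
// synchronisation while another thread may be writing it inside the lock.
// In the C++ memory model that is undefined behaviour; on weakly ordered
// hardware a reader can see the pointer before the pointee's fields.
static ProcSet* s_procset = nullptr;
static std::mutex s_procsetMutex;
ProcSet& procSetRacy() {
    if (s_procset == nullptr) {                       // (1) unsynchronised read
        std::lock_guard<std::mutex> lock(s_procsetMutex);
        if (s_procset == nullptr) {                   // (2) re-check under the lock
            s_procset = new ProcSet();                // (3) publish: races with (1)
            ++g_constructions;
        }
    }
    return *s_procset;
}

// Safe form A: C++11 guarantees a function-local static is initialised
// exactly once and that concurrent callers block until it is ready.
ProcSet& procSetLocalStatic() {
    static ProcSet instance = [] { ++g_constructions; return ProcSet(); }();
    return instance;
}

// Safe form B: std::call_once, for an object that cannot be a local static.
static std::once_flag s_onceFlag;
static ProcSet* s_procsetOnce = nullptr;
ProcSet& procSetCallOnce() {
    std::call_once(s_onceFlag, [] { s_procsetOnce = new ProcSet(); ++g_constructions; });
    return *s_procsetOnce;
}

// Call `get` from `threads` threads at once; report how many objects were
// constructed and whether every caller received the same object.
struct InitResult { int constructions; bool sameObject; };

template <typename F>
InitResult stressInit(F get, int threads) {
    g_constructions = 0;
    std::vector<ProcSet*> seen(threads, nullptr);
    std::vector<std::thread> pool;
    for (int i = 0; i < threads; ++i)
        pool.emplace_back([&, i] { seen[i] = &get(); });
    for (auto& t : pool) t.join();
    bool same = true;
    for (ProcSet* p : seen) same = same && (p == seen[0]);
    return {g_constructions.load(), same};
}

int main() {
    InitResult a = stressInit(procSetLocalStatic, 16);
    InitResult b = stressInit(procSetCallOnce, 16);
    return (a.constructions == 1 && a.sameObject && b.constructions == 1 && b.sameObject) ? 0 : 1;
}
```

A third safe variant is to keep the pointer but make it
std::atomic<ProcSet*> with an acquire load at (1) and a release store at
(3); the two forms above are shorter and harder to get wrong. Note that a
test like stressInit() cannot prove the racy form broken (the race is a
visibility problem that usually does not show on x86), which is exactly
why the pattern survives in code bases for years.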
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
