On Fri, Jan 26, 2018 at 11:35:44PM +0100, Matthew Brincke wrote:
> > Plus this one without CVE that was reported in this ML:
> > https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
>
> This is *not* fixed yet. I also don't understand why it didn't get
> a CVE entry.

I asked for one back then (it was about the time the workflow to request CVEs from MITRE changed from "random mail on oss-security" to the more private web form), and after basically copy-pasting the web page into the form I got back this message on 2017-02-12:

> [snip]
> You may republish or redistribute this message. We think that someone
> has already posted to oss-security about this issue. To make
> oss-security list members aware that there is no CVE ID assignment,
> you could reply to that oss-security post and include pertinent
> information below.
> [snip]
> As far as we can tell, an end user experiences a loss of functionality
> after the podofopdfinfo command-line tool crashes with a NULL pointer
> dereference (because the end user can completely work around this by
> not repeating the specific command-line invocation, there would be no
> security impact).
>
> Although some parts of PoDoFo are library code that could be reached
> from an arbitrary application, the reported code in
> PdfInfo::GuessFormat appears to be reachable only from the
> podofopdfinfo command-line tool.
>
> Thus, we are not assigning a CVE ID unless there is additional
> information about a security impact.
>
> --
> CVE Assignment Team

After all I didn't redistribute the message for some reason (probably I was just too lazy).

So it seems the reason the CVE was rejected is only because the crash doesn't happen in the library, but in the tool itself.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users