I'm forwarding here the message I got back from mitre when I tried to ask for a CVE about https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
This is just for public safekeeping of the message, so it doesn't stay secret in my own mailbox... (it's also nicely inline PGP signed itself, so you can say it's really from mitre :P)

----- Forwarded message from cve-requ...@mitre.org -----

Date: Sun, 12 Feb 2017 13:33:38 -0500
From: cve-requ...@mitre.org
To: mat...@mapreri.org
CC: cve-requ...@mitre.org
Subject: Re: [scr293896] podofo - 0.9.4
Message-ID: <2f885f0085e24805adb9409f1fe34...@imshyb02.mitre.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

We have provided an explanation below, after the text associated with your https://cveform.mitre.org submission. You may republish or redistribute this message.

We think that someone has already posted to oss-security about this issue. To make oss-security list members aware that there is no CVE ID assignment, you could reply to that oss-security post and include pertinent information below. Again, the best solution is to "reply" to an oss-security post, so that the text below stays within an oss-security thread. Please do not use a "forward" option that begins a separate thread.

> [Suggested description]
> podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)
>
> ------------------------------------------
>
> [Additional Information]
> Originally reported in oss-security, but nobody seemed to reply there,
> see https://marc.info/?l=oss-security&m=148603648823037&w=2. There
> might be a CVE already that I didn't find, you should probably
> double check before issuing a duplicate.
>
> ------------------------------------------
>
> [Vulnerability Type]
> NULL pointer dereference
>
> ------------------------------------------
>
> [Vendor of Product]
> podofo
>
> ------------------------------------------
>
> [Affected Product Code Base]
> podofo - 0.9.4
>
> ------------------------------------------
>
> [Reference]
> https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/
>
> ------------------------------------------
>
> [Discoverer]
> Agostino Sarubbo

As far as we can tell, an end user experiences a loss of functionality after the podofopdfinfo command-line tool crashes with a NULL pointer dereference (because the end user can completely work around this by not repeating the specific command-line invocation, there would be no security impact). Although some parts of PoDoFo are library code that could be reached from an arbitrary application, the reported code in PdfInfo::GuessFormat appears to be reachable only from the podofopdfinfo command-line tool. Thus, we are not assigning a CVE ID unless there is additional information about a security impact.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYoKpQAAoJEHb/MwWLVhi2tToP+gIlkpTboYXAKUxALCebNyXT
kgT3lcA4UkdCzDcdI54aOJzV+ZkWAxl10dERZAY+hrsB0mV0CGcTS35RkBvf7AHA
GGyMW74uyOIz5WXx3ihyxfa1iVtqduamQasdHoNDrlYAWa72ecOyK3pLJLZjg87n
ynn1fM7/4bEYuczHArTRPXNhTF4Bc5VNXojjJcA/NPF9O4zbpaaUVJYd00FT2hi0
i7cKuiXZWGoyvXvjelOwjEaMVJE9NHa9V6AgolT1Odl8c84/PowomixHIQGhhs4/
zUMQTZlniAWfIPt6YvAIPaQeIZ6z5OsLTmG7UnZhmz7GvDm3SpbNnTQ2LTLfww3o
H8/gHCokvCHQOt2AmjsGltXTJRjcRIdn872+H1FoQEz4NvBjDb/BU3lP0M1M3gGI
NBKyY9E0iZXb7Hh/U7DjN/i8Cu3rl1QMEN8/lPQmdnmb2xgpHvjoskp39oQTussZ
WiV/YX8nr7dDQHhLnAXrbNDx7z8XaI4pRjqdPn4Ph+2cvqBtdxhHAUBMAh2yIQPl
QGSWo0vGH5QQBhQWUwMIEFMsSMuEr6gAOHfw+VIEnBDXVhGklhBZyq+2XbRGeAdy
dlo+9xisMuqmouKq2iO4rpxGdWzOsjhy4ekom3ZVUYSLPj7AFcwjob6T/eoklB/z
8Jh4i8El1uffbiOZ6xkt
=vacu
-----END PGP SIGNATURE-----

----- End forwarded message -----

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users