Hello Mattia, hello Dominik, hello all,
> On 13 July 2018 at 14:30 Mattia Rizzolo <mat...@mapreri.org> wrote:
> 
> 
> On Fri, Jul 13, 2018 at 08:17:31AM +0200, Dominik Seichter via Podofo-users wrote:
> > I tagged the podofo-0.9.6 release already and also provided the tarball on
> > sourceforge. There was no official announcement though, yet.
> 
> Right, and I already stumbled on the first issue (that wasn't in the
> rc1): https://sourceforge.net/p/podofo/mailman/message/36363656/ :)
> > I still think we should release 0.9.6, as the status of 0.9.6 is not worse
> > than 0.9.5 (PLEASE CORRECT ME IF I AM WRONG HERE!).

PoDoFo 0.9.5 was released despite these 5 crashes:
https://sourceforge.net/p/podofo/mailman/message/35640936/ which then got CVE IDs,
whereas in PoDoFo 0.9.6 there are 11 CVEs unfixed:
CVE-2018-5783 [1], CVE-2018-6253 [2], CVE-2018-8002 [3],
CVE-2018-11254 [4], CVE-2018-11255 [5], CVE-2018-11256 [6],
CVE-2018-12982 [7] whose description is IMO incorrect (the actual bug is 1-2 levels
up the stack, please see PoDoFo issue #22), CVE-2018-12983 [8] and three ones
mistakenly declared fixed in the Debian libpodofo change log (see below).

> > Nonetheless, we should concentrate on fixing CVEs in a follow-up release. If
> > fixes are ready, I can provide another release 0.9.7 in short time.
That sounds good. A security-update release would usually use a four-component
version number, i.e. 0.9.6.1 here, no? On the other hand: I'd like to introduce
other crash/exception fixes too (for PdfOutlineItem and podofocolor) ...

> 
> I agree. I mean, it's a pity that there are known security
> vulnerability, but at this point several months (year+ really) passed
> and continue cherry-picking is not so great after a while.
> Not to mention, I fear the CVEs are going to keep coming...
> > On Thu, Jul 12, 2018 at 3:16 PM, Matthew Brincke <ma...@mailbox.org> wrote:
> > > firstly I apologize (especially in case the delay in reaction
> > > on my part is the reason PoDoFo 0.9.6 was released with CVEs
> > > unfixed, for some of them see below in the original message)
> > > for having been busy with another project and not squeezing
> > > this in-between,
> 
> I don't think you should apologize for any of this.
Thank you.
> > > I also was unsure about you (Mattia) possibly being on vacation.
> 
> Alas, I'm not able to go on vacation long enough for anybody to notice…
> :(
I feel sorry for you (and tired ;-( ) ...

> > > (in the Debian changelog they had been
> > > mistakenly declared as fixed, and I didn't dare to send a 2nd
> > > e-mail or a bug report: I now fear this was wrong of me, so I
> > > apologize).
> 
> Apart from the situation in wheezy (which can't be changed anymore), I
> believe everything is fine now - at least in debian's git (pending the
> fix for the thing above). Please correct me if I'm wrong.

It's not just "the situation in wheezy": CVE-2017-738[123] are still
unfixed in 0.9.6 (upstream tag RELEASE_0_9_6) and therefore also in Debian
unstable (@Mattia: please don't upload until at least these 3 are fixed, I
can do that, possibly already this weekend, @Dominik: any objections?) and
experimental (the rc1).

In short: I'd like it more if 0.9.6 was the -rc2 for it ;-) ... because then
a future 0.9.6 (even last number) could be a stable/no known bugs release,
and the next one, 0.9.7 (odd last number) a development release like 0.9.5 ...
I'm sorry for having neglected to write that before so you (Dominik) couldn't
know I had hoped for that ... ;-)
I'm also rueful for having put off fixing bugs until you (Dominik) made sure
no further ones could go in 0.9.6 by tagging it, of course. I actually feel
punished by having been surprised by it (there was not even a warning by
private e-mail some days in advance, even if no public one was made). 

> 
> -- 
> regards,
>  Mattia Rizzolo
> 

Best regards, mabri

[1] https://security-tracker.debian.org/tracker/CVE-2018-5783
[2] https://security-tracker.debian.org/tracker/CVE-2018-6253
[3] https://security-tracker.debian.org/tracker/CVE-2018-8002
[4] https://security-tracker.debian.org/tracker/CVE-2018-11254
[5] https://security-tracker.debian.org/tracker/CVE-2018-11255
[6] https://security-tracker.debian.org/tracker/CVE-2018-11256
[7] https://security-tracker.debian.org/tracker/CVE-2018-12982
[8] https://security-tracker.debian.org/tracker/CVE-2018-12983

Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users