Re: [Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)
Hello Mattia, hello Dominik, hello all:

> On 13 July 2018 at 18:14 Matthew Brincke wrote:
>
> Hello Mattia, hello Dominik, hello all,
>
> > On 13 July 2018 at 14:30 Mattia Rizzolo wrote:
> >
> > ... snip ...
> >
> > > On Fri, Jul 13, 2018 at 08:17:31AM +0200, Dominik Seichter via Podofo-users wrote:
> > > Nonetheless, we should concentrate on fixing CVEs in a follow-up release. If
> > > fixes are ready, I can provide another release 0.9.7 in short time.
> > >
> > > > On Thu, Jul 12, 2018 at 3:16 PM, Matthew Brincke wrote:
> > > > ... snip ...
> > > > I also was unsure about you (Mattia) possibly being on vacation.
> >
> > Alas, I'm not able to go on vacation long enough for anybody to notice… :(
>
> I feel sorry for you (and tired ;-( ) ...

Of course the last sentence is from me, not Mattia Rizzolo ... It could've been a web-mailer bug to not display that in the previous e-mail :-( ...

> a future 0.9.6 (even last number) could be a stable/no known bugs release,
> and the next one, 0.9.7 (odd last number) a development release like 0.9.5 ...
> I'm sorry for having neglected to write that before so you (Dominik) couldn't
> know I had hoped for that ... ;-)

I have an idea: to put the security fixes in version 0.9.7 (maybe also other crash fixes) and announce the plan for 0.9.8 to release that with no known bugs, if that isn't putting feature development off too much in your opinion (from the history of PoDoFo until some time after the last release candidate).

Best regards, mabri

P.S. If I came across as too snarky in my previous email, please consider that as me venting and please accept my apology/pardon me, as I was really shocked seeing the release ...

> > --
> > regards,
> > Mattia Rizzolo
>
> Best regards, mabri

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
Re: [Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)
Hello Mattia, hello Dominik, hello all,

> On 13 July 2018 at 14:30 Mattia Rizzolo wrote:
>
> On Fri, Jul 13, 2018 at 08:17:31AM +0200, Dominik Seichter via Podofo-users wrote:
> > I tagged the podofo-0.9.6 release already and also provided the tarball on
> > sourceforge. There was no official announcement though, yet.
>
> Right, and I already stumbled on the first issue (that wasn't in the
> rc1): https://sourceforge.net/p/podofo/mailman/message/36363656/ :)
>
> > I still think we should release 0.9.6, as the status of 0.9.6 is not worse
> > than 0.9.5 (PLEASE CORRECT ME IF I AM WRONG HERE!).

PoDoFo 0.9.5 was released despite these 5 crashes: https://sourceforge.net/p/podofo/mailman/message/35640936/ which then got CVE IDs, whereas in PoDoFo 0.9.6 there are 11 CVEs unfixed: CVE-2018-5783 [1], CVE-2018-6253 [2], CVE-2018-8002 [3], CVE-2018-11254 [4], CVE-2018-11255 [5], CVE-2018-11256 [6], CVE-2018-12982 [7] whose description is IMO incorrect (the actual bug is 1-2 levels up the stack, please see PoDoFo issue #22), CVE-2018-12983 [8] and three ones mistakenly declared fixed in the Debian libpodofo changelog (see below).

> > Nonetheless, we should concentrate on fixing CVEs in a follow-up release. If
> > fixes are ready, I can provide another release 0.9.7 in short time.

That sounds good. A security-update release would usually use a four-component version number, i.e. 0.9.6.1 here, no? On the other hand: I'd like to introduce other crash/exception fixes too (for PdfOutlineItem and podofocolor) ...

> I agree. I mean, it's a pity that there are known security
> vulnerabilities, but at this point several months (year+ really) passed
> and continued cherry-picking is not so great after a while.
> Not to mention, I fear the CVEs are going to keep coming...
>
> > On Thu, Jul 12, 2018 at 3:16 PM, Matthew Brincke wrote:
> > > firstly I apologize (especially in case the delay in reaction
> > > on my part is the reason PoDoFo 0.9.6 was released with CVEs
> > > unfixed, for some of them see below in the original message)
> > > for having been busy with another project and not squeezing
> > > this in-between,
>
> I don't think you should apologize for any of this.

Thank you.

> > > I also was unsure about you (Mattia) possibly being on vacation.
>
> Alas, I'm not able to go on vacation long enough for anybody to notice… :(

I feel sorry for you (and tired ;-( ) ...

> > > (in the Debian changelog they had been
> > > mistakenly declared as fixed, and I didn't dare to send a 2nd
> > > e-mail or a bug report: I now fear this was wrong of me, so I
> > > apologize).
>
> Apart from the situation in wheezy (which can't be changed anymore), I
> believe everything is fine now - at least in debian's git (pending the
> fix for the thing above). Please correct me if I'm wrong.

It's not just "the situation in wheezy": CVE-2017-738[123] are still unfixed in 0.9.6 (upstream tag RELEASE_0_9_6) and therefore also in Debian unstable (@Mattia: please don't upload until at least these 3 are fixed, I can do that, possibly already this weekend, @Dominik: any objections?) and experimental (the rc1).

In short: I'd like it more if 0.9.6 was the -rc2 for it ;-) ... because then a future 0.9.6 (even last number) could be a stable/no known bugs release, and the next one, 0.9.7 (odd last number) a development release like 0.9.5 ... I'm sorry for having neglected to write that before so you (Dominik) couldn't know I had hoped for that ... ;-)

I'm also rueful for having put off fixing bugs until you (Dominik) made sure no further ones could go in 0.9.6 by tagging it, of course. I actually feel punished by having been surprised by it (there was not even a warning by private e-mail some days in advance, even if no public one was made).

> --
> regards,
> Mattia Rizzolo

Best regards, mabri

[1] https://security-tracker.debian.org/tracker/CVE-2018-5783
[2] https://security-tracker.debian.org/tracker/CVE-2018-6253
[3] https://security-tracker.debian.org/tracker/CVE-2018-8002
[4] https://security-tracker.debian.org/tracker/CVE-2018-11254
[5] https://security-tracker.debian.org/tracker/CVE-2018-11255
[6] https://security-tracker.debian.org/tracker/CVE-2018-11256
[7] https://security-tracker.debian.org/tracker/CVE-2018-12982
[8] https://security-tracker.debian.org/tracker/CVE-2018-12983
Re: [Podofo-users] Fwd: Re: CVE confusion, also in Debian (was: Re: Next PoDoFo Release 0.9.6)
On Fri, Jul 13, 2018 at 08:17:31AM +0200, Dominik Seichter via Podofo-users wrote:
> I tagged the podofo-0.9.6 release already and also provided the tarball on
> sourceforge. There was no official announcement though, yet.

Right, and I already stumbled on the first issue (that wasn't in the
rc1): https://sourceforge.net/p/podofo/mailman/message/36363656/ :)

> I still think we should release 0.9.6, as the status of 0.9.6 is not worse
> than 0.9.5 (PLEASE CORRECT ME IF I AM WRONG HERE!).
> Nonetheless, we should concentrate on fixing CVEs in a follow-up release. If
> fixes are ready, I can provide another release 0.9.7 in short time.

I agree. I mean, it's a pity that there are known security
vulnerabilities, but at this point several months (year+ really) passed
and continued cherry-picking is not so great after a while.
Not to mention, I fear the CVEs are going to keep coming...

> On Thu, Jul 12, 2018 at 3:16 PM, Matthew Brincke wrote:
> > firstly I apologize (especially in case the delay in reaction
> > on my part is the reason PoDoFo 0.9.6 was released with CVEs
> > unfixed, for some of them see below in the original message)
> > for having been busy with another project and not squeezing
> > this in-between,

I don't think you should apologize for any of this.

> > I also was unsure about you (Mattia) possibly being on vacation.

Alas, I'm not able to go on vacation long enough for anybody to notice… :(

> > (in the Debian changelog they had been
> > mistakenly declared as fixed, and I didn't dare to send a 2nd
> > e-mail or a bug report: I now fear this was wrong of me, so I
> > apologize).

Apart from the situation in wheezy (which can't be changed anymore), I
believe everything is fine now - at least in debian's git (pending the
fix for the thing above). Please correct me if I'm wrong.

--
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
Re: [Podofo-users] Windows build on Podofo 0.9.5
Hello Patrice, hello all,

> On 13 July 2018 at 10:48 Patrice Guérin wrote:
>
> Hello,
>
> My name is Patrice and I'm new with Podofo.
> I was able to build Podofo 0.9.5 on Linux Debian 7 without problem but it's
> a little bit more complicated on Windows with Visual Studio 2013.
> I've built the dependent libraries (jpeg9c, png1634, tiff 4.0.9, freetype
> 2.9, zlib 1.2.11) without any major problem.
> The libraries' includes and libs are all stored in a 'root' directory which
> is accessed through an environment variable EXTERN_DEV; the resulting
> architecture is (I just show zlib):
>
> EXTERN_DEV (k:/extern_dev actually but can be changed)
> |- zlib
>    |- 1.2.11
>       |- include
>       |- lib
>
> Podofo resides on a different disk and directory than the dependent libraries.
> When creating the cmake project targeting Visual Studio 2013, I've filled
> the required paths to include and library in this way:
>
> ZLIB_INCLUDE_DIR=$(EXTERN_DEV)/zlib/1.2.11/include
> ZLIB_LIBRARY_DEBUG=$(EXTERN_DEV)/zlib/1.2.11/lib/zdll.lib
> ZLIB_LIBRARY_RELEASE=$(EXTERN_DEV)/zlib/1.2.11/lib/zdll.lib
> ...

I'm no expert in cmake, but IIRC environment variables are accessed as $ENV{NAME_OF_VARIABLE}, so in your case $ENV{EXTERN_DEV}.

> The configuration process finds all the dependencies expressed with
> $(EXTERN_DEV) but the generation process prepends each include directory
> with the Podofo source code path, so include files are not found:

It may also help to declare the cmake variables with their type FILEPATH: e.g. for the first one: ZLIB_INCLUDE_DIR:FILEPATH=$ENV{EXTERN_DEV}

> H:\Src\podofo-0.9.5\build\vs2013;
> H:\Src\podofo-0.9.5;
> H:\Src\podofo-0.9.5\$(EXTERN_DEV)\libjpeg\9c\include;
> H:\Src\podofo-0.9.5\$(EXTERN_DEV)\libtiff\4.0.9\include;
> H:\Src\podofo-0.9.5\$(EXTERN_DEV)\libpng\1.6.34\include;
> H:\Src\podofo-0.9.5\$(EXTERN_DEV)\zlib\1.2.11\include;
> H:\Src\podofo-0.9.5\src;
> H:\Src\podofo-0.9.5\$(EXTERN_DEV)\freetype\2.9\include\config;
> H:\Src\podofo-0.9.5\$(EXTERN_DEV)\freetype\2.9\include;
> H:\Src\podofo-0.9.5\vcincludes;
> %(AdditionalIncludeDirectories)
>
> The library files used for linking are expressed correctly.

It looks as if the environment variable wasn't expanded in these paths. If my guesses above don't help, I recommend looking for a CMake function which explicitly resolves file paths to absolute path form (to call where ZLIB_INCLUDE_DIR etc. are defined). Then even CMake functionality which doesn't resolve environment variables should handle them correctly.

> Is there a way to correct this without modifying the VS solution by hand?

With my suggestions (I haven't tested them, I don't use Windows, sorry) it should only be necessary to have CMake automatically generate the VS solution again after a change of the environment variable.

> Thank you in advance
> Kind regards,
> Patrice.

I hope my suggestions help you.

Best regards, Matthew
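The two suggestions in the reply above (read the root from `$ENV{EXTERN_DEV}` rather than the MSBuild-style `$(EXTERN_DEV)`, and resolve the result to an absolute path before the generator sees it) combined into one configure-time snippet. This is an added example written for this thread, not PoDoFo's own CMakeLists.txt and not code posted by anyone in the discussion; it assumes the directory layout Patrice described (`EXTERN_DEV/zlib/1.2.11/include` and `.../lib/zdll.lib`) and uses only stock CMake commands (`file(TO_CMAKE_PATH)`, `get_filename_component(... ABSOLUTE)`, `IS_ABSOLUTE`, `EXISTS`).

```cmake
# Added example (not PoDoFo's CMakeLists.txt): turn the EXTERN_DEV environment
# variable into absolute, generator-safe dependency paths for zlib.
cmake_minimum_required(VERSION 3.5)
project(podofo_deps_example NONE)

# $ENV{...} is the CMake syntax; $(EXTERN_DEV) is an MSBuild macro that CMake
# treats as a literal relative path, which is why the source dir got prepended.
if("$ENV{EXTERN_DEV}" STREQUAL "")
  message(FATAL_ERROR "EXTERN_DEV is not set; point it at the dependency root, e.g. k:/extern_dev")
endif()

# Normalise backslashes and drive letters, then force an absolute path so
# nothing downstream can interpret it relative to the source tree.
file(TO_CMAKE_PATH "$ENV{EXTERN_DEV}" EXTERN_DEV_ROOT)
get_filename_component(EXTERN_DEV_ROOT "${EXTERN_DEV_ROOT}" ABSOLUTE)
if(NOT IS_ABSOLUTE "${EXTERN_DEV_ROOT}")
  message(FATAL_ERROR "EXTERN_DEV must resolve to an absolute path, got: ${EXTERN_DEV_ROOT}")
endif()

# Cache entries carry an explicit type (PATH / FILEPATH) so cmake-gui and the
# generator treat them as paths, not as opaque strings.  (Layout assumed from
# the thread: <root>/zlib/1.2.11/{include,lib}.)
set(ZLIB_INCLUDE_DIR     "${EXTERN_DEV_ROOT}/zlib/1.2.11/include"      CACHE PATH     "zlib headers")
set(ZLIB_LIBRARY_RELEASE "${EXTERN_DEV_ROOT}/zlib/1.2.11/lib/zdll.lib" CACHE FILEPATH "zlib import library (release)")
set(ZLIB_LIBRARY_DEBUG   "${EXTERN_DEV_ROOT}/zlib/1.2.11/lib/zdll.lib" CACHE FILEPATH "zlib import library (debug)")

# Fail at configure time, with the resolved path in the message, rather than
# discovering a wrong or stale dependency root at compile or link time.
if(NOT EXISTS "${ZLIB_INCLUDE_DIR}/zlib.h")
  message(FATAL_ERROR "zlib.h not found under ${ZLIB_INCLUDE_DIR}")
endif()
if(NOT EXISTS "${ZLIB_LIBRARY_RELEASE}")
  message(FATAL_ERROR "zlib import library not found: ${ZLIB_LIBRARY_RELEASE}")
endif()

message(STATUS "EXTERN_DEV_ROOT     = ${EXTERN_DEV_ROOT}")
message(STATUS "ZLIB_INCLUDE_DIR    = ${ZLIB_INCLUDE_DIR}")
message(STATUS "ZLIB_LIBRARY_RELEASE= ${ZLIB_LIBRARY_RELEASE}")
```

One caveat worth knowing before relying on this: `set(... CACHE ...)` does not overwrite a value that is already in CMakeCache.txt, so a `ZLIB_INCLUDE_DIR` previously typed into cmake-gui with the `$(EXTERN_DEV)` form will win until that cache entry is deleted (or the build directory is wiped). The `EXISTS` checks are what make that stale value visible instead of producing the unresolved `H:\Src\podofo-0.9.5\$(EXTERN_DEV)\...` include paths shown in the thread.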
Re: [Podofo-users] Windows build on Podofo 0.9.5
Hello Dmitry,

It's the way I do it, except that all the dependent library paths are expressed relative to the environment variable, not with absolute paths. In the case of moving libraries elsewhere, I just have to change the env variable and re-generate the VS solution. In the case of absolute paths, I have to modify at least 12 (+9 if using SSL/idn) paths before re-generating the VS solution.

Kind regards,
Patrice.

Dmitry Salychev a écrit :
> Hello, Patrice.
>
> Your configuration seems a bit complicated to me. Why not specify all of the required paths using the CMake GUI and generate a VS project?
>
> Regards,
> Dmitry
Re: [Podofo-users] Windows build on Podofo 0.9.5
Hello, Patrice.

Your configuration seems a bit complicated to me. Why not specify all of the required paths using the CMake GUI and generate a VS project?

Regards,
Dmitry
[Podofo-users] Windows build on Podofo 0.9.5
Hello,

My name is Patrice and I'm new with Podofo.

I was able to build Podofo 0.9.5 on Linux Debian 7 without problem but it's a little bit more complicated on Windows with Visual Studio 2013.

I've built the dependent libraries (jpeg9c, png1634, tiff 4.0.9, freetype 2.9, zlib 1.2.11) without any major problem. The libraries' includes and libs are all stored in a 'root' directory which is accessed through an environment variable EXTERN_DEV; the resulting architecture is (I just show zlib):

EXTERN_DEV (k:/extern_dev actually but can be changed)
|- zlib
   |- 1.2.11
      |- include
      |- lib

Podofo resides on a different disk and directory than the dependent libraries.

When creating the cmake project targeting Visual Studio 2013, I've filled the required paths to include and library in this way:

ZLIB_INCLUDE_DIR=$(EXTERN_DEV)/zlib/1.2.11/include
ZLIB_LIBRARY_DEBUG=$(EXTERN_DEV)/zlib/1.2.11/lib/zdll.lib
ZLIB_LIBRARY_RELEASE=$(EXTERN_DEV)/zlib/1.2.11/lib/zdll.lib
...

The configuration process finds all the dependencies expressed with $(EXTERN_DEV) but the generation process prepends each include directory with the Podofo source code path, so include files are not found:

H:\Src\podofo-0.9.5\build\vs2013;
H:\Src\podofo-0.9.5;
H:\Src\podofo-0.9.5\$(EXTERN_DEV)\libjpeg\9c\include;
H:\Src\podofo-0.9.5\$(EXTERN_DEV)\libtiff\4.0.9\include;
H:\Src\podofo-0.9.5\$(EXTERN_DEV)\libpng\1.6.34\include;
H:\Src\podofo-0.9.5\$(EXTERN_DEV)\zlib\1.2.11\include;
H:\Src\podofo-0.9.5\src;
H:\Src\podofo-0.9.5\$(EXTERN_DEV)\freetype\2.9\include\config;
H:\Src\podofo-0.9.5\$(EXTERN_DEV)\freetype\2.9\include;
H:\Src\podofo-0.9.5\vcincludes;
%(AdditionalIncludeDirectories)

The library files used for linking are expressed correctly.

Is there a way to correct this without modifying the VS solution by hand?

Thank you in advance
Kind regards,
Patrice.