Hi,
On Thu, 2017-05-18 at 22:58 +0200, Mattia Rizzolo wrote:
> To my count, this leaves out:
> https://security-tracker.debian.org/tracker/CVE-2017-8787
Fixed with revision 1851:
http://sourceforge.net/p/podofo/code/1851
> https://security-tracker.debian.org/tracker/CVE-2017-8378
This c

On Mon, May 08, 2017 at 07:27:34PM +0200, zyx wrote:
> I looked on other bunch of the CVEs and here's the result:
I've uploaded to Debian unstable most of the patches.
To my count, this leaves out:
https://security-tracker.debian.org/tracker/CVE-2017-8787
https://security-tracker.debian.org/track

On Thu, 2017-03-02 at 17:31 +0100, Agostino Sarubbo wrote:
> Please consider the following:
Hi,
I looked on other bunch of the CVEs and here's the result:
CVE-2017-5855 - fixed with revision 1843.
http://sourceforge.net/p/podofo/code/1843
CVE-2017-6840 - fixed with revision 1844+revision

On Fri, Apr 28, 2017 at 07:21:38PM +0200, zyx wrote:
> I made a little walk-through of the CVEs and
> https://security-tracker.debian.org/tracker/CVE-2017-6846
> references reproducer for CVE-2017-6845, it should be
> https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphi

On Mon, 2017-03-13 at 13:39 +0100, Mattia Rizzolo wrote:
> I find the Debian view for security issues particularly nice to look
> at:
> https://security-tracker.debian.org/tracker/source-package/libpodofo
Hi,
I made a little walk-through of the CVEs and
https://security-tracker.debian.org

On Fri, 2017-04-07 at 19:39 +, Mark Rogers wrote:
> I’ve been doing some patching over the past couple of days and have
> patches for most of the CVEs.
Hi,
okay, I'll wait for your changes then.
> I think the patch in r1835 fixes the case where pObj == pObj-
> >GetParent() but I don’t

Hi
I’ve been doing some patching over the past couple of days and have patches for
most of the CVEs.
I think the patch in r1835 fixes the case where pObj == pObj->GetParent() but I
don’t think it fixes cases where pObj == pObj->GetParent()->GetParent() or
pObj->GetParent() == pObj->GetParent()

On Thu, 2017-03-02 at 17:31 +0100, Agostino Sarubbo wrote:
>
Hi,
I tried on couple of CVE-s, using trunk at revision 1834. I chose to
behave in a non-forgiving way, but feel free to discuss those
"solutions" here, if you can think of anything better.
CVE-2017-5852 - fixed with revisio

On Thu, Mar 30, 2017 at 01:49:16PM +0200, zyx wrote:
> Right. It had been just a coincidence that two people here reported one
> same issue and I happen to fix it without the reference (also because I
> didn't use Agostino's reference, but that other person's).
I think it would be greatly apprecia

On Thu, 2017-03-30 at 11:06 +, Mark Rogers wrote:
> Is there any way to use SourceForge tickets just for security bugs?
Hi,
if the folks are not used to issue tracker then having "only for
certain type of issues" would not work, I'm afraid. Not talking that
you cannot teach outer audie

Is there any way to use SourceForge tickets just for security bugs?
It looks like some CVEs have been fixed, some CVE patches rejected, but there’s
no way from the mailing list to tell which CVEs have been fixed because most of
the mailing list and commit messages don’t reference the CVEs.
At t

On Mon, Mar 13, 2017 at 01:39:00PM +0100, Mattia Rizzolo wrote:
> On Thu, Mar 02, 2017 at 05:31:34PM +0100, Agostino Sarubbo wrote:
> > Please consider the following:
> >
> > …
>
> All of these now have CVEs associated.
And apparently the Debian release team is considering these severe
enough to

On Thu, Mar 02, 2017 at 05:31:34PM +0100, Agostino Sarubbo wrote:
> Please consider the following:
>
> …
All of these now have CVEs associated.
I find the Debian view for security issues particularly nice to look at:
https://security-tracker.debian.org/tracker/source-package/libpodofo
--
regar

Please consider the following:
https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp/
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h/
h
14 matches