[poppler] CVE-2009-0146/0147/0166

Albert Astals Cid aacid at kde.org
Sat Aug 1 07:18:30 PDT 2009


On Saturday, 1 August 2009, Michael S. Gilbert wrote:
> On Sat, 1 Aug 2009 11:58:57 +0200 Albert Astals Cid wrote:
> > CVE is the game of people that make money about bugs, most of the time
> > they don't even warn us nor give us PDF to try to reproduce the problems
> > so I mostly ignore CVE.
> >
> > The only CVE I was informed of and we worked to solve was the one that
> > resulted in
> > http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.10&id=763bfd27a50a9f8176fe112823839549e4498a39
> > no idea if that's the one you want or not.
>
> Thanks for the quick reply.  I agree, there is not enough info in
> MITRE's CVE database to completely triage these particular CVEs.  They
> are all related to the recent JBIG2 problems (that were addressed by
> that patch).  However, my question is whether those specific issues
> were addressed as well or if there are still parts of the code that are
> affected.  It seems that most distros just assume that everything was
> sufficiently addressed, but I want to check to make sure that this is
> the case.  I don't want to leave holes open.

If you ask if there are problems with JBIG2 files, the answer is yes; JBIG2
decoding is very complex. If you know about how it works, I'll be happy to send
you some files that fail.

Albert

>
> Thanks again,
> Mike