[poppler] Do we need to remove the internal DCT and JPX decoders
Albert Astals Cid
aacid at kde.org
Thu May 18 22:30:11 UTC 2017
On Wednesday, 17 May 2017, at 22:15:59 CEST, jose.aliste at gmail.com wrote:
> On Wed, May 17, 2017 at 6:13 PM, Albert Astals Cid <aacid at kde.org> wrote:
> > On Tuesday, 16 May 2017, at 19:40:31 CEST, jose.aliste at gmail.com wrote:
> > > Hey List,
> > >
> > > very recently, Talos (CISCO) has encountered some overflows that could
> > > potentially lead to security risks. One of these is in the DCT decoder and
> > > the other in the JPX decoder. The question is what to do? Do we fix these
> > > overflows or just remove the decoders from poppler since they are not being
> > > maintained. One of the problems is that Ubuntu is compiled by default to use
> > > the JPX decoder while most distributions do include libjpeg support.
> > >
> > > The bugs as I understand are still private, so if any of the developers of
> > > poppler wants to see the reports, please contact me directly (off list) and
> > > I will send it to you together with a minimal pdf sample.
> > Right now we "almost silently" fall back to the unsupported code, yes we put a
> > warning at the very end of the configure/cmake process but I guess hardly
> > anyone reads those.
> >
> > My suggestion would be to change the configure/cmake process so it behaves like
> > this (process explained for libjpeg but same would apply for libopenjpeg)
> > * You have libjpeg -> all is good
> > * You don't have it, configure fails
> > * Unless you pass one of these two options
> >   * --dct-decoder=unmaintained
> >   * --dct-decoder=none
> > Which would give you either the unmaintained decoder or none at all.
> >
> > At least this way we can totally pass the blame to distros for using either
> > the unmaintained or the none flags.
> >
> > I am suggesting this instead of removing it because for some controlled
> > reasons it may be actually better to be able to use the unmaintained decoders
> > than nothing (e.g. you're running pdftotext inside a virtual machine, doesn't
> > matter if you get "rooted" inside the virtual machine).
> I like this idea. I have only one concern about how to manage the
> "security" bugs that we will have here (like the two from CISCO). Do we
> simply reply that these are unmaintained and that if any distribution is
> using this code, it's up to them to fix it and provide patches?
Sounds about right to me.
> > Cheers,
> > Albert
> > > Kind regards
> > >
> > > José
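
A sketch of the fail-closed decoder selection proposed in the quoted message, written as a standalone CMake fragment. This is an added example, not code from poppler's build files or from either poster; the `DEMO_DCT_DECODER` option and `DEMO_DCT_BACKEND` variable are hypothetical names standing in for the `--dct-decoder=` switch discussed above.

```cmake
# Added illustration only: option and variable names are hypothetical,
# not taken from poppler's CMakeLists.txt.
cmake_minimum_required(VERSION 3.5)
project(dct_policy_demo C)

# "auto" requires libjpeg. The other two values are explicit opt-ins that
# a packager has to type, so the choice shows up in the build recipe.
set(DEMO_DCT_DECODER "auto" CACHE STRING
    "DCT decoder selection: auto, unmaintained, none")
set_property(CACHE DEMO_DCT_DECODER PROPERTY STRINGS auto unmaintained none)

if(DEMO_DCT_DECODER STREQUAL "auto")
  find_package(JPEG)
  if(NOT JPEG_FOUND)
    # Fail the configure step instead of silently falling back.
    message(FATAL_ERROR
      "libjpeg not found. Install it, or pass "
      "-DDEMO_DCT_DECODER=unmaintained or -DDEMO_DCT_DECODER=none.")
  endif()
  set(DEMO_DCT_BACKEND "libjpeg")
elseif(DEMO_DCT_DECODER STREQUAL "unmaintained")
  # Still warn, but only after the builder asked for it by name.
  message(WARNING
    "Building the unmaintained internal DCT decoder by explicit request.")
  set(DEMO_DCT_BACKEND "internal-unmaintained")
elseif(DEMO_DCT_DECODER STREQUAL "none")
  set(DEMO_DCT_BACKEND "none")
else()
  # Reject typos so a misspelled value cannot select a default path.
  message(FATAL_ERROR "Unknown DEMO_DCT_DECODER value: ${DEMO_DCT_DECODER}")
endif()

message(STATUS "DCT decoder backend: ${DEMO_DCT_BACKEND}")
```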