Hi,

On Saturday 2 March 2013, Salvatore Bonaccorso wrote:
> the following vulnerabilities were published for poppler.
> 
> CVE-2013-1788[0]:
> invalid memory issues
> 
> CVE-2013-1789[1]:
> crash in broken documents
> 
> CVE-2013-1790[2]:
> uninitialized memory read

Ouch...

> Patches are referenced in the Red Hat Bugzilla to the relevant
> commits.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> Could you check which Debian package versions are affected? (not for
> all issues, all patches might be relevant). At least for the
> uninitialized memory read issue the code seems present in stable.
> 
> For further information see:
> 
> [0] http://security-tracker.debian.org/tracker/CVE-2013-1788
> [1] http://security-tracker.debian.org/tracker/CVE-2013-1789
> [2] http://security-tracker.debian.org/tracker/CVE-2013-1790
> 
> Please adjust the affected versions in the BTS as needed.

Would it be possible to have all the test cases referenced by the CVEs?
(You can email them to me directly, of course.)
Some of the commits mentioned in the Red Hat bugs refer to code paths
not in any of the versions in Debian
stable/testing/unstable/experimental, so I need to check all the issues
one by one.

Thanks,
-- 
Pino Toscano