On Sun, Oct 07, 2012 at 03:30:08PM -0400, Michael Gilbert wrote:
> > #622877
> > #640515
> > #606885
> > Not major i.e. release-critical issues.

I didn't claim /those/ were release-critical issues. Apart from that, broken printing (landscape), quiet aborts for password-protected PDF and apparently random segfaults are bugs which disqualify xpdf for production use, like computer pools.

> Those are this bug, and Ubuntu developers are responsible for their
> system preferring poppler's globalparams and pretty much breaking
> everything. They need to find their own solution, and they did for
> 12.10.

I listed this example because the actual problem is explained there.

> Saying there are potential security issues without evidence is blowing
> the problem out of proportion. If there is real evidence that there
> is a problem, I will certainly look at it, but guesses are not
> sufficient.

It /is/ a problem to have a package which builds (by chance) an invalid binary (passing a wrong struct to library functions, luckily a bigger one!). I and many others consider this definitely a security problem. There may be no security problem with the current Debian release as I write this (I don't know), but one may appear at any time, for example with any poppler upgrade, even for unchanged xpdf, and the new poppler package being perfectly valid. After passing a wrong struct to a function, the behaviour is undefined. Additionally, when the struct is not all zeroes (it isn't), the real-world chance of nasty behaviour goes significantly up and malicious abuse is generally possible in the real world.

> Also, the patch attached to this report is far too large.

Agreed. And it really fixes the code-duplication problem.

> Any patch
> should address the known problems specifically

Disagreed. There is /no/ fixing of specific bugs related to the GlobalParams problem. They all exist only because the Debian xpdf package links poppler (and breaks the build). Which can't be done correctly without a /huge/ amount of work, because poppler has moved too far from its origins.

Here's my patch: Change the xpdf package so it doesn't try to link poppler anymore. Please do us the favor. The lenny version worked just fine. And really, it's a threat to keep an invalid build. I also wouldn't mind helping to get a poppler-less xpdf package in good shape for wheezy.

--
Have a nice day
Jens Stimpfle
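The struct-mismatch failure mode discussed in this thread, as an added illustration that is not code from xpdf, poppler or the bug report: a caller compiled against an older, shorter layout hands its object to a library built with a newer, larger one. The size-field check shown is a hypothetical mitigation (neither xpdf nor poppler is claimed to have it), and the field names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout the library (stand-in for poppler) was built with.
 * A leading size field lets the library detect a caller built
 * against a different version of the struct (hypothetical). */
typedef struct {
    uint32_t struct_size;    /* caller stores sizeof(its own struct) */
    int      psLevel;
    int      textEncoding;
    int      enableFreeType; /* field that only the newer layout has */
} GlobalParamsLib;

/* Layout the caller (stand-in for the Debian xpdf build) was compiled
 * against: the older, shorter version of the same struct. */
typedef struct {
    uint32_t struct_size;
    int      psLevel;
    int      textEncoding;
} GlobalParamsCaller;

/* Library entry point. It reads only the size field before trusting the
 * rest of the object; a mismatch is reported instead of reading past the
 * end of what the caller actually allocated (which would be undefined). */
int lib_set_params(const void *params) {
    uint32_t declared;
    if (params == NULL)
        return -1;
    memcpy(&declared, params, sizeof declared);   /* size field comes first */
    if (declared != sizeof(GlobalParamsLib))
        return -1;                                /* ABI mismatch: refuse */
    const GlobalParamsLib *p = (const GlobalParamsLib *)params;
    return p->enableFreeType ? 1 : 0;
}

/* Caller built with the old headers: the object is 4 bytes too short. */
int caller_with_old_layout(void) {
    GlobalParamsCaller gp;
    memset(&gp, 0, sizeof gp);
    gp.struct_size = sizeof gp;
    gp.psLevel = 2;
    return lib_set_params(&gp);   /* -> -1, mismatch caught */
}

/* Caller built against the same headers as the library. */
int caller_with_matching_layout(void) {
    GlobalParamsLib gp;
    memset(&gp, 0, sizeof gp);
    gp.struct_size = sizeof gp;
    gp.enableFreeType = 1;
    return lib_set_params(&gp);   /* -> 1 */
}
```

Without the size check the library would read `enableFreeType` from bytes the old caller never allocated, which is exactly the undefined behaviour the message above warns about.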