Control: severity -1 minor

Hi Jason,

On Sat, May 20, 2017 at 07:39:02AM -0500, Jason Crain wrote:
> On Sat, May 20, 2017 at 10:30:17AM +0200, Salvatore Bonaccorso wrote:
> > the following vulnerability was published for poppler.
> >
> > CVE-2017-9083[0]:
> > | poppler 0.54.0, as used in Evince and other products, has a NULL
> > | pointer dereference in the JPXStream::readUByte function in
> > | JPXStream.cc. For example, the perf_test utility will crash
> > | (segmentation fault) when parsing an invalid PDF file.
>
> Does this apply to Debian's poppler? I think it uses openjpeg instead of
> the internal JPX decoder.

I think you are right. While checking, I looked at the source only, not
realizing that it's not relevant for the built binary packages due to
your note. I changed the severity, and in the security-tracker it is now
marked as 'unimportant', which is the tag used when a source is affected
but the issue does not affect the built binary packages.

Thanks a lot for checking the bug report!

Salvatore
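The distinction the thread turns on (the vulnerable JPXStream.cc is in the source, but a build that links OpenJPEG never compiles that decoder into the shipped library) can be checked on an installed system by looking at what libpoppler actually links against. The script below is an added example written for this page, not something posted in the bug report or part of poppler or Debian tooling. The search paths, the function names and the sample ldd output are assumptions chosen for illustration; the sample output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the bug thread): decide whether a poppler build
# uses the external OpenJPEG library or its bundled JPX decoder, by
# inspecting the shared libraries libpoppler is linked against.
#
# Rationale: CVE-2017-9083 is in JPXStream.cc, poppler's internal JPX
# decoder. A build that links libopenjp2 (or the older libopenjpeg) does
# not contain that code path, which is why a source-level match does not
# by itself mean the built binary package is affected.

# jpx_backend_from_ldd: read ldd output on stdin; print "openjpeg" when an
# OpenJPEG shared object is among the dependencies, else "internal".
jpx_backend_from_ldd() {
    if grep -Eq 'libopenjp(2|eg)[^ ]*\.so'; then
        echo openjpeg
    else
        echo internal
    fi
}

# find_libpoppler: locate an installed libpoppler shared object, if any.
# Search paths are an assumption; adjust for non-Debian layouts.
find_libpoppler() {
    find /usr/lib /usr/lib64 /usr/local/lib -name 'libpoppler.so*' \
        2>/dev/null | head -n 1
}

# Constructed sample ldd output standing in for a Debian-style build;
# used when no libpoppler is installed on this machine.
SAMPLE_LDD='
	linux-vdso.so.1 (0x00007ffd1c5f0000)
	libfreetype.so.6 => /lib/x86_64-linux-gnu/libfreetype.so.6 (0x0000)
	libopenjp2.so.7 => /lib/x86_64-linux-gnu/libopenjp2.so.7 (0x0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)
'

main() {
    lib=$(find_libpoppler)
    if [ -n "$lib" ] && command -v ldd >/dev/null 2>&1; then
        printf '%s: JPX backend = %s\n' "$lib" \
            "$(ldd "$lib" | jpx_backend_from_ldd)"
    else
        printf 'no libpoppler found; sample ldd output: JPX backend = %s\n' \
            "$(printf '%s\n' "$SAMPLE_LDD" | jpx_backend_from_ldd)"
    fi
}

main "$@"
```

The check is deliberately indirect: poppler selects the JPX decoder at configure time, so a libopenjp2 dependency in the link map is the practical evidence that the internal JPXStream code was not built in. An "internal" result means the source-level CVE does apply to that binary and the severity assessment should be revisited.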

