Control: tags -1 fixed-upstream

Hello Mattia, hello all,

> On 04 February 2018 at 20:57 Mattia Rizzolo wrote:
> 
> 
> Control: forwarded -1 
> https://sourceforge.net/p/podofo/mailman/message/36215539/
> 
> On Sun, Feb 04, 2018 at 01:24:53AM +0100, Matthias Brinke wrote:
>> CVE-2018-5295 from the security-tracker.debian.org:
>> In PoDoFo 0.9.5, there is an integer overflow in
>> the PdfXRefStreamParserObject::ParseStream function
>> (base/PdfXRefStreamParserObject.cpp). Remote attackers
>> could leverage this vulnerability to cause a denial-of-service
>> via a crafted pdf file.
> 
> Right.
> For cross-reference, this is being dealt with upstream by this thread that
> started the 6th of Jan:
> https://sourceforge.net/p/podofo/mailman/message/36180168/
>> I've implemented a patch to fix this vulnerability, it is attached
>> and tested
> 
> Thank you!
You're welcome,

> I've forwarded it upstream, see the first url above.

The patch has been accepted (committed in svn r1889 [1]); based on that,
I've set this bug to "fixed-upstream" (above). I plan to fix CVE-2018-5309
next, even though there was a bit of disagreement about that upstream [2].

> 
> -- 
> regards,
>  Mattia Rizzolo
> 

Best regards, Matthias Brinke

[1] https://sourceforge.net/p/podofo/code/1889/
[2] https://sourceforge.net/p/podofo/mailman/message/36189599/
