Hi Moritz,

On Wed 12 Dec 2018 11:46:32 CET, Moritz Mühlenhoff wrote:

> On Thu, Nov 08, 2018 at 10:51:37AM +0000, Mike Gabriel wrote:
> > Hi Moritz,
> >
> > On Tue 06 Nov 2018 17:14:35 CET, Moritz Mühlenhoff wrote:
> >
> > > On Fri, Sep 28, 2018 at 08:32:25PM +0200, Markus Koschany wrote:
> > > > Package: poppler
> > > > X-Debbugs-CC: t...@security.debian.org
> > > > Severity: important
> > > > Tags: security
> > > >
> > > > Hi,
> > > >
> > > > The following vulnerability was published for poppler.
> > > >
> > > > CVE-2018-16646[0]:
> > > > | In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause
> > > > | infinite recursion via a crafted file. A remote attacker can leverage
> > > > | this for a DoS attack.
> > >
> > > For jessie the wrong patches got applied. They are based on MR 67, which
> > > didn't get merged in favour of the patch from MR 91.
> > >
> > > On a more general notice: This bug has virtually no security impact, it's
> > > hard to see why this change was made for an LTS release to begin with,
> > > but at least wait until it's applied/fixed in unstable before backporting.
> >
> > Not security, but functionality.
>
> Of which there have been hundreds of others since the version in jessie
> was released. Anyway, let's not digress; the point of my followup is
> to notify you of a regression in the security fix for CVE-2018-16646. I've
> just added links to the relevant upstream commits to the security tracker.
> These seem also needed in jessie.
>
> Cheers,
>         Moritz

Thanks for letting me know. Regression fix upload to jessie is on its way...

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de