
Security issues in libpodofo. Request for advice.



Hi all involved

I started looking into the rather long list of CVEs for libpodofo.
https://security-tracker.debian.org/tracker/source-package/libpodofo
They are all various crashes, null pointer references or other similar problems.

Quite a few of them were marked as "minor issue" for jessie, so I was just about to do the same when I realized that DLA-929-1 had been issued for some of them (all but one of those I looked into).

I have marked CVE-2017-7994 as no-dsa (minor issue) for wheezy as it was marked as such for jessie. I think this classification is ok as this one is of class DoS. Please let me know what your opinion is.

In wheezy there are at least two larger pieces of software that use libpodofo:
 - scribus
 - calibre-bin

My guess is that scribus never reads pdf files. I may be wrong there, however. So I'm ruling scribus out as a problem.
Calibre can convert from pdfs, so that may be a problem. Both look like desktop software.

I would like to get an understanding of the criteria used to mark CVE-2017-5886, CVE-2017-5854, CVE-2017-5853, CVE-2017-5852 and CVE-2015-8981 as no-dsa in jessie, and why it was decided to fix them in wheezy. Was it because they were just of DoS class (and are we sure all of them are)?

As I see it, I do not think it is worth fixing problems that are of class DoS.
So I have re-read the CVEs, and most of the ones that were marked as no-dsa in jessie are of that type. However, there are some that were classified as unspecified impact. Is it so that someone has concluded that they are just of DoS type and not something worse, like arbitrary code execution?

I just want to understand so I can look further into the other issues in libpodofo and mark them accordingly.

Best regards

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

