Re: gpdf: remove? security hole open for this long?
* Junichi Uekawa <dancer@netfort.gr.jp> [2006-07-21 23:49]:
> I think having a security hole for more than a year is a reason to remove
> gpdf.
>
> evince seems to be a replacement, gpdf is deprecated.

It should imho get orphaned first. BCCing the MIA people - what's up
there anyway? Hasn't mechanix been inactive for ages?

Oh, gpdf was uploaded in March. And it mentions some security fixes.
Can someone check if those address #334454?

gpdf (2.10.0-3) unstable; urgency=high

  * More security team provided patches:
    - patch to fix buffer overflow [splash/Splash.cc,
      debian/patches/007_CVE-2006-0301.patch]
    - upstream patch by Derek Noonburg to fix several
      vulnerabilities [goo/gmem.c, splash/SplashXPathScanner.cc,
      xpdf/JBIG2Stream.cc, xpdf/Stream.h, 008_security_upstream.patch]

 -- Filip Van Raemdonck <mechanix@debian.org> Sat, 18 Mar 2006 10:59:54 +0200

gpdf (2.10.0-2) unstable; urgency=high

  * Patch provided by Security Team:
    Added more precautionary checks by Dirk Müller
    [xpdf/Stream.cc, xpdf/JBIG2Stream.cc]
    Fixes CVE-2005-3191 CVE-2005-3192 CVE-2005-3624 CVE-2005-3625
    CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
    (Closes: #342286)

 -- Filip Van Raemdonck <mechanix@debian.org> Sun, 15 Jan 2006 11:18:36 +0100

gpdf (2.10.0-1) unstable; urgency=high

  * Security related upload for CAN-2005-3191 CAN-2005-3192.
    [xpdf/JPXStream.cc, xpdf/Stream.cc, xpdf/Stream.h, xpdf/JBIG2Stream.cc]
  * Acknowledge NMUs. (Closes: #291244, #321521)
  * New upstream version. (Closes: #323281)

 -- Filip Van Raemdonck <mechanix@debian.org> Mon, 12 Dec 2005 21:47:51 +0100

--
Martin Michlmayr
http://www.cyrius.com/