[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: gpdf: remove? security hole open for this long?

* Junichi Uekawa <dancer@netfort.gr.jp> [2006-07-21 23:49]:
> I think having a security hole for more than a year is a reason to remove
> gpdf. 
> evince seems to be a replacement, gpdf is deprecated.

It should imho get orphaned first.  BCCing the MIA people - what's up
there anyway?  Hasn't mechanix been inactive for ages?

Oh, gpdf was uploaded in March.  And it mentions some security fixes.
Can someone check if those address #334454?

gpdf (2.10.0-3) unstable; urgency=high

  * More security team provided patches:
    - patch to fix buffer overflow [splash/Splash.cc,
    - upstream patch by Derek Noonburg to fix several
      vulnerabilities [goo/gmem.c, splash/SplashXPathScanner.cc,
      xpdf/JBIG2Stream.cc, xpdf/Stream.h, 008_security_upstream.patch]

 -- Filip Van Raemdonck <mechanix@debian.org>  Sat, 18 Mar 2006 10:59:54 +0200

gpdf (2.10.0-2) unstable; urgency=high

  * Patch provided by Security Team:
    Added more precautionary checks by Dirk M▒ller
    [xpdf/Stream.cc, xpdf/JBIG2Stream.cc]
    Fixes CVE-2005-3191 CVE-2005-3192 CVE-2005-3624 CVE-2005-3625
          CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
    (Closes: #342286)

 -- Filip Van Raemdonck <mechanix@debian.org>  Sun, 15 Jan 2006 11:18:36 +0100

gpdf (2.10.0-1) unstable; urgency=high

  * Security related upload for CAN-2005-3191 CAN-2005-3192.
    [xpdf/JPXStream.cc, xpdf/Stream.cc, xpdf/Stream.h, xpdf/JBIG2Stream.cc]
  * Acknowledge NMUs. (Closes: #291244, #321521)
  * New upstream version. (Closes: #323281)

 -- Filip Van Raemdonck <mechanix@debian.org>  Mon, 12 Dec 2005 21:47:51 +0100

Martin Michlmayr

Reply to: