
Re: Please hint poppler 0.4.5-5.1

On Mon, Jan 22, 2007 at 08:06:29AM +0100, Ondřej Surý wrote:
>    * SECURITY UPDATE: Denial of Service.
>    * New patch, 108_CVE-2007-0104; limits recursion depth of the parsing tree to
>      100 to avoid infinite loop with crafted documents; CVE-2007-0104; from
>      Ubuntu's 0.4.2-0ubuntu6.8; originally taken from koffice security update;

On Mon, Jan 22, 2007 at 07:46:45AM +0000, Neil McGovern wrote:
> For info, we do have this tracked as fixed in 0.4.5-5.1 but:

> Notes:
>   hardly a security issue; if someone sends someone a crafted PDF file
>   triggering such an endless loop the user will simply abort kpdf and
>   never look at that file again, this is only denial of service by a
>   _very_ far stretch of imagination. I suppose KDE Security only issued
>   an update for it because the shared underlying code was part of the
>   Month of Apple Bugs and they wanted to debunk claims of code
>   injection.  Check the other usual suspects.

> I'd suggest a minimum 5 day wait.

Agreed, unblocked and set to 5-day wait.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
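The changelog entry quoted above describes the fix as capping the recursion depth of the page-tree walk at 100 so that a crafted document whose /Kids entries refer back to an ancestor cannot keep the parser looping forever. The following is an added illustration of that technique in C++ and is not poppler's own code: the page tree, the `PageNode`/`Document` types, the `countPages` helpers and the sample documents are all constructed here; only the limit of 100 levels comes from the changelog.

```cpp
#include <cstdio>
#include <map>
#include <vector>

// Constructed stand-in for a PDF page tree: each object is either a leaf
// page or an intermediate "Pages" node that names its children (/Kids).
struct PageNode {
    bool isLeaf;
    std::vector<int> kids;  // object numbers of the children
};
using Document = std::map<int, PageNode>;

// Cap assumed here to mirror the 100-level limit the changelog describes.
constexpr int kMaxTreeDepth = 100;

// Counts the leaf pages reachable from `objNum`. Returns -1 when the walk
// exceeds maxDepth (which is exactly what a self-referencing /Kids entry
// produces) or when a referenced object does not exist.
int countPages(const Document& doc, int objNum, int depth, int maxDepth) {
    if (depth > maxDepth) return -1;   // hard stop: cyclic or absurdly deep tree
    auto it = doc.find(objNum);
    if (it == doc.end()) return -1;    // dangling reference
    const PageNode& node = it->second;
    if (node.isLeaf) return 1;
    int total = 0;
    for (int kid : node.kids) {
        int n = countPages(doc, kid, depth + 1, maxDepth);
        if (n < 0) return -1;          // propagate failure rather than guess
        total += n;
    }
    return total;
}

int countPages(const Document& doc, int root) {
    return countPages(doc, root, 0, kMaxTreeDepth);
}

// Constructed sample: a well-formed tree holding three pages.
Document makeBenignDoc() {
    return {
        {1, {false, {2, 3}}},
        {2, {false, {4, 5}}},
        {3, {true, {}}},
        {4, {true, {}}},
        {5, {true, {}}},
    };
}

// Constructed sample: object 1 lists itself as its only kid, so a walker
// without a depth limit never terminates.
Document makeCyclicDoc() {
    return {
        {1, {false, {1}}},
    };
}

// Constructed sample: a chain of `levels` intermediate nodes ending in one
// page, used to show where the cap cuts in.
Document makeDeepDoc(int levels) {
    Document doc;
    for (int i = 1; i <= levels; ++i) doc[i] = {false, {i + 1}};
    doc[levels + 1] = {true, {}};
    return doc;
}

int main() {
    std::printf("benign tree: %d pages\n", countPages(makeBenignDoc(), 1));
    std::printf("cyclic tree: %d (rejected)\n", countPages(makeCyclicDoc(), 1));
    std::printf("100 levels:  %d page\n", countPages(makeDeepDoc(100), 1));
    std::printf("101 levels:  %d (rejected)\n", countPages(makeDeepDoc(101), 1));
    return 0;
}
```

The cyclic document is rejected after 101 recursive calls instead of running indefinitely, and the 101-level chain shows the price of a fixed cap: a legitimate but unusually deep tree is refused too, which is why the limit is set well above anything a real document needs.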
