[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1011333: /usr/bin/pdftosrc: CVE-2021-27548 - null-pointer deference in XFAScanner::scanNode used by pdftosrc

Hi Hilmar,

On Fri, May 20, 2022 at 03:57:46PM +0200, Hilmar Preuße wrote:
> Am 20.05.2022 um 11:16 teilte Neil Williams mit:
> 
> Hello Neil,
> 
> > texlive-binaries in unstable, experimental and bookworm embeds
> > xpdfreader 4.03 and the code is exposed via the pdftosrc binary.
> > 
> > The PoC file from the CVE triggers a segmentation fault in pdftosrc.
> > pdftosrc from bullseye (correctly) reports a broken PDF without
> > crashing as texlive-binaries in bullseye embeds xpdfreader 4.02.
> > 
> I could simply copy the appropriate commit from upstream [1] and put it into
> our package. The package still builds and it seems to solve the issue (see
> below). I'd do another upload to experimental and upload TL 2022 (containing
> the fix) to unstable in about 2 weeks.
> 
> Would the time frame be OK for you?

FWIW, this sound reasonable and just defer the fix to be fixed with
the new upstream version when landing in unstable.

Regards,
Salvatore
Reply to: