[Secure-testing-commits] r11898 - in data: CVE DSA
Michael S. Gilbert
michael.s.gilbert at gmail.com
Fri May 15 18:56:39 UTC 2009
On Fri, 15 May 2009 20:26:01 +0200, Giuseppe Iuculano wrote:
> Michael S. Gilbert wrote:
> > i've checked the code for xpdf 3.02-1.4+lenny1, and found that the
> > patch for CVE-2009-0195 has actually not yet been applied. can you
> > double-check this and revert this commit if you agree? thanks.
>
> Please explain. I've backported all checks in JBIG2 symbol dictionary added in
> upstream xpdf-3.02pl3.patch. Which patch has not yet been applied?
like i said, i checked xpdf 3.02-1.4+lenny1 (the version that was
uploaded in DSA-1790), and the changes in xpdf-3.02pl3.patch are
indeed not applied.
for example, if the patch set were applied, then line 425 of
xpdf/JBIG2Stream.cc should say:

    if (table[0].rangeLen != jbig2HuffmanEOT) {

but it does not. it says:

    i = 0;

which is what the diff says that the code should look like before the
patch set was applied.
i see that these changes were made in your debdiff, but it doesn't look
like they got rolled into the version that got uploaded...
mike
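
The check described in this message (does the shipped source match the diff's "after" lines or its "before" lines?) can be automated per hunk. The following is an added example, not code from the thread or from xpdf; the sample diff and sources are constructed, and only the two quoted source lines and the file path come from the message above.

```python
import re

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")

def parse_hunks(diff_text):
    """Split a single-file unified diff into (pre_image, post_image) line lists."""
    hunks = []
    for line in diff_text.splitlines():
        if HUNK_HEADER.match(line):
            hunks.append(([], []))
        elif hunks and line[:1] in (" ", "-", "+", ""):
            pre, post = hunks[-1]
            if line[:1] != "+":          # context and removed lines: pre-image
                pre.append(line[1:].rstrip())
            if line[:1] != "-":          # context and added lines: post-image
                post.append(line[1:].rstrip())
    return hunks

def contains(lines, block):
    """True if block occurs as a contiguous run anywhere in lines (offset-tolerant)."""
    n = len(block)
    return n > 0 and any(lines[i:i + n] == block for i in range(len(lines) - n + 1))

def hunk_states(diff_text, source_text):
    """Per hunk: 'applied', 'not applied', or 'unknown' (neither or both images match)."""
    lines = [l.rstrip() for l in source_text.splitlines()]
    states = []
    for pre, post in parse_hunks(diff_text):
        has_pre, has_post = contains(lines, pre), contains(lines, post)
        if has_post and not has_pre:
            states.append("applied")
        elif has_pre and not has_post:
            states.append("not applied")
        else:
            states.append("unknown")
    return states

# Constructed sample: the context lines are placeholders, not real xpdf code.
SAMPLE_DIFF = """\
--- a/xpdf/JBIG2Stream.cc
+++ b/xpdf/JBIG2Stream.cc
@@ -424,3 +424,3 @@
 // constructed context A
-  i = 0;
+  if (table[0].rangeLen != jbig2HuffmanEOT) {
 // constructed context B
"""
UNPATCHED_SOURCE = "// constructed context A\n  i = 0;\n// constructed context B\n"
PATCHED_SOURCE = UNPATCHED_SOURCE.replace("i = 0;", "if (table[0].rangeLen != jbig2HuffmanEOT) {")

if __name__ == "__main__":
    print(hunk_states(SAMPLE_DIFF, UNPATCHED_SOURCE), hunk_states(SAMPLE_DIFF, PATCHED_SOURCE))
```

Run against the unpacked source of the uploaded package rather than the debdiff, so a fix that never made it into the upload shows up as "not applied".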