[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Resolve various xpdf TODOs

Moritz Muehlenhoff jmm at debian.org
Fri Mar 16 18:40:54 UTC 2018 

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4b681c52 by Moritz Muehlenhoff at 2018-03-16T19:39:29+01:00
Resolve various xpdf TODOs

The code has diverged quite a bit and an older version of poppler
correctly sanitises all the cases, so drop the TODO. It's not
relevant to us anyway since we use xpdf based on poppler only.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1304,42 +1304,42 @@ CVE-2018-8107 (The JPXStream::close function in JPXStream.cc in xpdf 4.00 allows
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8106 (The JPXStream::readTilePartData function in JPXStream.cc in xpdf 4.00 ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8105 (The JPXStream::fillReadBuf function in JPXStream.cc in xpdf 4.00 allows ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8104 (The BufStream::lookChar function in Stream.cc in xpdf 4.00 allows ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8103 (The JBIG2Stream::readGenericBitmap function in JBIG2Stream.cc in xpdf ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8102 (The JBIG2MMRDecoder::getBlackCode function in JBIG2Stream.cc in xpdf ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8101 (The JPXStream::inverseTransformLevel function in JPXStream.cc in xpdf ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8100 (The JPXStream::readTilePart function in JPXStream.cc in xpdf 4.00 ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8099 (Incorrect returning of an error code in the index.c:read_entry() ...)
 	- libgit2 <unfixed> (bug #892962)
 	NOTE: https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe
@@ -3159,20 +3159,22 @@ CVE-2018-7455 (An out-of-bounds read in JPXStream::readTilePart in JPXStream.cc 
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=654&p=819#p819
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-7454 (A NULL pointer dereference in XFAForm::scanFields in XFAForm.cc in xpdf ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613
-	TODO: check, poppler
+	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-7453 (Infinite recursion in AcroForm::scanField in AcroForm.cc in xpdf 4.00 ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?p=814#p814
-	TODO: check, poppler
+	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-7452 (A NULL pointer dereference in JPXStream::fillReadBuf in JPXStream.cc in ...)
 	- xpdf <unfixed> (unimportant)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-	TODO: check, poppler
+	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-7451
 	RESERVED
 CVE-2018-7450



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b681c52405870f51f0c441f6167f75b0042fb95

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b681c52405870f51f0c441f6167f75b0042fb95
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180316/49b02d86/attachment-0001.html>

More information about the Secure-testing-commits mailing list