[Pkg-pascal-devel] pasdoc CVE-2017-17527
Michalis Kamburelis
michalis.kambi at gmail.com
Fri Dec 15 10:10:19 UTC 2017
2017-12-15 10:42 GMT+01:00 Paul Gevers <elbrus at debian.org>:
> Hi Michalis,
>
> [off-list on purpose, you may quote me on-line]
>
> On 15-12-17 10:12, Michalis Kamburelis wrote:
>> 1. delphi_gui/xxx is not actively maintained, and it was never
>> included in PasDoc releases (official ones from
>> pasdoc.sourceforge.net, or the Debian packages). I guess that the
>> author of this CVE just searched the web, found this line:
>> https://github.com/pasdoc/pasdoc/blob/f524996a72c48ebf3af0450e7b7f900a6d3de8fb/source/delphi_gui/WWWBrowserRunnerDM.pas#L63
>> ... and reported it.
>
> FYI, this statement is not true. It is in Debian source:
> https://sources.debian.org/src/pasdoc/0.14.0-1/source/delphi_gui/WWWBrowserRunnerDM.pas/?hl=63#L63
>
(Answering publicly, to publicly correct my mistake :) ).

You're right of course. I meant that delphi_gui was never part of a
*binary* release --- like the zip or tar.gz with precompiled binaries
from pasdoc.sourceforge.net, or the binary Debian package. They only
contain pasdoc_gui, built using Lazarus from source/gui/, without
using the source/delphi_gui/ code.

Indeed, source releases (Debian source package, or source releases on
pasdoc.sourceforge.net (
https://sourceforge.net/projects/pasdoc/files/PasDoc%20Source/ ))
contain the delphi_gui source code, as they include everything from
our GitHub repository. If someone used a source release (or just
got the code from GitHub), (s)he could compile delphi_gui.

(Probably -- as it was not tested for a long time, as I don't own
Delphi, it's possible that delphi_gui doesn't even compile anymore...)

That's probably a good reason to just remove it from the GitHub
repository. It was kept to encourage Delphi developers (who don't use
Lazarus) to play around with the pasdoc code. But it's pointless if
I'm not sure whether it even still compiles in the latest Delphi.

Regards,
Michalis