Partial fix for CVE-2015-4495/pdf.js in Jessie?

David Prévot david at tilapin.org
Wed Aug 12 17:38:52 UTC 2015


Hi,

On 12/08/2015 10:43, David Prévot wrote:

> According to MFSA 2015-78 [1], the fix for CVE-2015-4495 is in two
> parts. Would it make sense to backport the “Remove PlayPreview
> registration from PDF Viewer” fix in pdf.js for Jessie (providing the
> xul-ext-pdf.js standalone package, allowing one to override the shipped
> version of pdf.js by this one)?

There is another problem: xul-ext-pdf.js in Jessie (with or without this
patch), is now broken with the latest iceweasel 38.

I can think of at least two options:
1) update pdf.js in Jessie to the version currently in Sid (as we need
   to do via pu for some xul-ext-* package each time a new iceweasel or
   icedove major version is uploaded to stable). The version in Sid
   (soon to migrate into Stretch) does contain the fix;
2) drop the xul-ext-pdf.js binary package from the pdf.js source,
   eventually with the proposed patch in case it is relevant for the
   libjs-pdf binary package.

Regards

David
