Partial fix for CVE-2015-4495/pdf.js in Jessie?

Moritz Mühlenhoff jmm at inutil.org
Wed Aug 12 17:49:52 UTC 2015


On Wed, Aug 12, 2015 at 07:38:52PM +0200, David Prévot wrote:
> Hi,
> 
> On 12/08/2015 10:43, David Prévot wrote:
> 
> > According to MFSA 2015-78 [1], the fix for CVE-2015-4495 is in two
> > parts. Would it make sense to backport the “Remove PlayPreview
> > registration from PDF Viewer” fix in pdf.js for Jessie (providing the
> > xul-ext-pdf.js standalone package, allowing one to override the shipped
> > version of pdf.js by this one)?
> 
> There is another problem: xul-ext-pdf.js in Jessie (with or without this
> patch), is now broken with the latest iceweasel 38.
> 
> I can think of at least two options:
> 1) update pdf.js in Jessie to the version currently in Sid (as we need
>    to do via pu for some xul-ext-* package each time a new iceweasel or
>    icedove major version is uploaded to stable). The version in Sid
>    (soon to migrate into Stretch) does contain the fix;
> 2) drop the xul-ext-pdf.js binary package from the pdf.js source,
>    eventually with the proposed patch in case it is relevant for the
>    libjs-pdf binary package.

What is the use case of xul-ext-pdf.js? TTBOMK there is no other browser
in Debian capable of running Xul extensions other than Iceweasel?

Cheers,
        Moritz


