[Secure-testing-team] [poppler] CVE-2009-0146/0147/0166
Michael S. Gilbert
michael.s.gilbert at gmail.com
Sat Aug  1 14:15:39 UTC 2009
  
On Sat, 1 Aug 2009 11:58:57 +0200 Albert Astals Cid wrote:
> CVE is the game of people that make money about bugs, most of the time they 
> don't even warn us nor give us PDF to try to reproduce the problems so I 
> mostly ignore CVE.
> 
> The only CVE I was informed of and we worked to solve was the one that 
> resulted in 
> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.10&id=763bfd27a50a9f8176fe112823839549e4498a39
> no idea if that's the one you want or not.

Thanks for the quick reply.  I agree, there is not enough info in
MITRE's CVE database to completely triage these particular CVEs.  They
are all related to the recent JBIG2 problems (that were addressed by
that patch).  However, my question is whether those specific issues
were addressed as well or if there are still parts of the code that are
affected.  It seems that most distros just assume that everything was
sufficiently addressed, but I want to check to make sure that this is
the case.  I don't want to leave holes open.

Thanks again,
Mike
    
    