From http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0791 "Multiple integer overflows in Xpdf 2.x and 3.x and Poppler 0.x, as used in the pdftops filter in CUPS 1.1.17, 1.1.22, and 1.3.7, GPdf, and kdegraphics KPDF, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file that triggers a heap-based buffer overflow, possibly related to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4) JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the JBIG2Stream.cxx vector may overlap CVE-2009-1179."
Created attachment 32641 [details] [review] Patch against poppler 0.10.1 This patch was written by Bin Li <bili@novell.com>
0.10.1 is old, we are at 0.12.3 already and that CVE was already fixed, what's the point of this report?
Ok, I didn't see any mention of CVE-2009-0791 in the git log or the release notes. Can you point me to where I could have found out this CVE was already fixed? The point of the patch is to share a downstream patch that, if the bug wasn't already apparently fixed, might be useful for fixing it in master.
There is no mention, i don't care much about CVE, i just fix the code and that's all. In my opinion CVEs are just a way to make money about bugs in programs. Of course you could have had a look at the code, but you preferred me to loose my time instead of you losing it. And hoping a patch of a release that is 15 months old will still apply is in my opinion hoping too much :D Sharing is good, but not 15 months after.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.