Date: Mon, 12 Aug 2013 19:08:12 -0400
From: Michael Gilbert <mgilbert@...ian.org>
To: oss-security@...ts.openwall.com, Kurt Seifried <kseifried@...hat.com>
Cc: Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: Re: [CVE assignment notification] CVE-2012-2142
 poppler, xpdf: Insufficient sanitization of escape sequences in the error
 message {AKA request for feedback if CVE to be marked as disputed / rejected}

On Mon, Aug 12, 2013 at 4:22 PM, Kurt Seifried wrote:
> I assume we'll SPLIT this? In the past some xpdf/poppler issues have been
> merged circa 2010, but after that they appear to have been usually
> treated as separate:
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=poppler
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xpdf

It's the same codebase, just slightly diverged, so I would argue no.
In fact Debian's xpdf is unaffected once poppler is fixed since it
links against it (and the issue is in poppler's Error.cc).  I believe
Gentoo does the same.

Best wishes,
Mike
