Michael S. Gilbert
2009-Aug-01 14:15 UTC
[Secure-testing-team] [poppler] CVE-2009-0146/0147/0166
On Sat, 1 Aug 2009 11:58:57 +0200 Albert Astals Cid wrote:
> CVE is the game of people that make money about bugs, most of the time they
> don't even warn us nor give us PDF to try to reproduce the problems so I
> mostly ignore CVE.
>
> The only CVE I was informed of and we worked to solve was the one that
> resulted in
> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.10&id=763bfd27a50a9f8176fe112823839549e4498a39
> no idea if that's the one you want or not.

Thanks for the quick reply. I agree, there is not enough info in MITRE's CVE database to completely triage these particular CVEs. They are all related to the recent JBIG2 problems (that were addressed by that patch). However, my question is whether those specific issues were addressed as well or if there are still parts of the code that are affected. It seems that most distros just assume that everything was sufficiently addressed, but I want to check to make sure that this is the case. I don't want to leave holes open.

Thanks again,
Mike