GNU bug report logs - #27519
Podofo security bugs

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 28 Jun 2017 15:50:02 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 27519 in the body.
You can then email your comments to 27519 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#27519; Package guix. (Wed, 28 Jun 2017 15:50:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 28 Jun 2017 15:50:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Podofo security bugs
Date: Wed, 28 Jun 2017 11:49:23 -0400

[Message part 1 (text/plain, inline)]
There were some bugs with security implications reported in Podofo
recently:

http://seclists.org/oss-sec/2017/q2/0
http://seclists.org/oss-sec/2017/q2/1
http://seclists.org/oss-sec/2017/q2/2

I noticed some fixes committed to the Podofo SVN repo:

https://sourceforge.net/p/podofo/mailman/podofo-svn/?viewmonth=201706

We need to try to cherry-pick these fixes.

[signature.asc (application/pgp-signature, inline)]
Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Thu, 27 Jul 2017 12:26:01 GMT) Full text and rfc822 format available.
Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Mon, 04 Feb 2019 23:35:02 GMT) Full text and rfc822 format available.
Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Mon, 04 Feb 2019 23:35:02 GMT) Full text and rfc822 format available.

Message #12 received at 27519-done <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 27519-done <at> debbugs.gnu.org
Subject: Re: Podofo security bugs
Date: Tue, 5 Feb 2019 00:34:01 +0100

[Message part 1 (text/plain, inline)]
We have since packaged a new release of PoDoFo (0.9.6) which apparently
fixed many bugs.

The PoDoFo team does not write changelogs or any sort of release
announcement file. Their SVN repo includes several commits like "Fix
CVE-XXX" followed by "Really fix CVE-XXX".

Since PoDoFo is not widely used in Guix (only by calibre and Scribus),
I'm not going to dig in to whether or not these bugs are really fixed or
not in the current Guix package.

At this point, this bug report is not helping us much, so I am closing
it :)

[signature.asc (application/pgp-signature, inline)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 05 Mar 2019 12:24:05 GMT) Full text and rfc822 format available.
This bug report was last modified 5 years and 54 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.