* [Printing-architecture] XPdf bundling in pdftoopvp as well
@ 2012-03-02 12:04 Tim Waugh
  2012-03-02 12:12 ` Till Kamppeter
  2012-03-02 12:38 ` Koji Otani
  0 siblings, 2 replies; 6+ messages in thread
From: Tim Waugh @ 2012-03-02 12:04 UTC (permalink / raw)
  To: Open Printing

It looks like the same issue also affects pdftoopvp, although
mysteriously the Glyph & Cog copyright notices seem to be absent.

I found a security issue in the first file I looked at.

Please can everyone stop bundling bits of xpdf and poppler, both of
which regularly have security issues discovered?

Thanks,
Tim.
*/



* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
  2012-03-02 12:04 [Printing-architecture] XPdf bundling in pdftoopvp as well Tim Waugh
@ 2012-03-02 12:12 ` Till Kamppeter
  2012-03-02 12:38 ` Koji Otani
  1 sibling, 0 replies; 6+ messages in thread
From: Till Kamppeter @ 2012-03-02 12:12 UTC (permalink / raw)
  To: printing-architecture, Koji Otani

Keeping Otani-san CCed ...

    Till

On 03/02/2012 01:04 PM, Tim Waugh wrote:
> It looks like the same issue also affects pdftoopvp, although
> mysteriously the Glyph & Cog copyright notices seem to be absent.
>
> I found a security issue in the first file I looked at.
>
> Please can everyone stop bundling bits of xpdf and poppler, both of
> which regularly have security issues discovered?
>
> Thanks,
> Tim.
> */

* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
  2012-03-02 12:04 [Printing-architecture] XPdf bundling in pdftoopvp as well Tim Waugh
  2012-03-02 12:12 ` Till Kamppeter
@ 2012-03-02 12:38 ` Koji Otani
  2012-03-05 12:09   ` Tim Waugh
  1 sibling, 1 reply; 6+ messages in thread
From: Koji Otani @ 2012-03-02 12:38 UTC (permalink / raw)
  To: twaugh; +Cc: printing-architecture

From: Tim Waugh <twaugh@redhat.com>
Subject: [Printing-architecture] XPdf bundling in pdftoopvp as well
Date: Fri, 02 Mar 2012 12:04:15 +0000
Message-ID: <1330689855.32498.25.camel@rubik>

twaugh> It looks like the same issue also affects pdftoopvp, although
twaugh> mysteriously the Glyph & Cog copyright notices seem to be absent.
twaugh> 

If you mean OPVPOutputdev.cc, pdftoopvp uses SplashOutputdev
as a template to make a driver of poppler.

twaugh> I found a security issue in the first file I looked at.
twaugh> 
twaugh> Please can everyone stop bundling bits of xpdf and poppler, both of
twaugh> which regularly have security issues discovered?
twaugh> 
twaugh> Thanks,
twaugh> Tim.
twaugh> */
twaugh> 

----
Koji Otani


* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
  2012-03-02 12:38 ` Koji Otani
@ 2012-03-05 12:09   ` Tim Waugh
  2012-03-06  5:46     ` Koji Otani
  0 siblings, 1 reply; 6+ messages in thread
From: Tim Waugh @ 2012-03-05 12:09 UTC (permalink / raw)
  To: Koji Otani; +Cc: printing-architecture

On Fri, 2012-03-02 at 21:38 +0900, Koji Otani wrote:
> From: Tim Waugh <twaugh@redhat.com>
> Subject: [Printing-architecture] XPdf bundling in pdftoopvp as well
> Date: Fri, 02 Mar 2012 12:04:15 +0000
> Message-ID: <1330689855.32498.25.camel@rubik>
> 
> twaugh> It looks like the same issue also affects pdftoopvp, although
> twaugh> mysteriously the Glyph & Cog copyright notices seem to be absent.
> twaugh> 
> 
> If you mean OPVPOutputdev.cc, pdftoopvp uses SplashOutputdev
> as a template to make a driver of poppler.

I do; and there is an overflow in it.

I haven't even looked at pdftoopvp/oprs/*Splash*.cxx, but I expect those
also have vulnerabilities of one form or another.

If this code really must be duplicated (and I hope that is not the
case), there *must* be a plan in place to make sure that security fixes
in poppler and XPdf get checked for in cups-filters.

Tim.
*/



* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
  2012-03-05 12:09   ` Tim Waugh
@ 2012-03-06  5:46     ` Koji Otani
  2012-03-07  9:50       ` Tim Waugh
  0 siblings, 1 reply; 6+ messages in thread
From: Koji Otani @ 2012-03-06  5:46 UTC (permalink / raw)
  To: twaugh; +Cc: printing-architecture

From: Tim Waugh <twaugh@redhat.com>
Subject: Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
Date: Mon, 05 Mar 2012 12:09:38 +0000
Message-ID: <1330949378.9812.3.camel@rubik>

twaugh> On Fri, 2012-03-02 at 21:38 +0900, Koji Otani wrote:
twaugh> > From: Tim Waugh <twaugh@redhat.com>
twaugh> > Subject: [Printing-architecture] XPdf bundling in pdftoopvp as well
twaugh> > Date: Fri, 02 Mar 2012 12:04:15 +0000
twaugh> > Message-ID: <1330689855.32498.25.camel@rubik>
twaugh> > 
twaugh> > twaugh> It looks like the same issue also affects pdftoopvp, although
twaugh> > twaugh> mysteriously the Glyph & Cog copyright notices seem to be absent.
twaugh> > twaugh> 
twaugh> > 
twaugh> > If you mean OPVPOutputdev.cc, pdftoopvp uses SplashOutputdev
twaugh> > as a template to make a driver of poppler.
twaugh> 

driver --> device

twaugh> I do; and there is an overflow in it.
twaugh> 
twaugh> I haven't even looked at pdftoopvp/oprs/*Splash*.cxx, but I expect those
twaugh> also have vulnerabilities of one form or another.
twaugh> 

oprs/*Splash*.cxx are not copied from poppler while they use poppler data.
There may be vulnerabilities, but it's not because of copying from
poppler. We should fix them in pdftoopvp.

---------
Koji Otani



* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
  2012-03-06  5:46     ` Koji Otani
@ 2012-03-07  9:50       ` Tim Waugh
  0 siblings, 0 replies; 6+ messages in thread
From: Tim Waugh @ 2012-03-07  9:50 UTC (permalink / raw)
  To: Koji Otani; +Cc: printing-architecture

On Tue, 2012-03-06 at 14:46 +0900, Koji Otani wrote:
> oprs/*Splash*.cxx are not copied from poppler while they use poppler data.
> There may be vulnerabilities, but it's not because of copying from
> poppler. We should fix them in pdftoopvp.

OK, that's good.  I haven't audited them so I don't know whether they
have any security issues.  I just want to make sure that duplication
from xpdf/poppler is kept to a minimum, or even avoided entirely.

Tim.
*/

