* [Printing-architecture] XPdf bundling in pdftoopvp as well
@ 2012-03-02 12:04 Tim Waugh
2012-03-02 12:12 ` Till Kamppeter
2012-03-02 12:38 ` Koji Otani
0 siblings, 2 replies; 6+ messages in thread
From: Tim Waugh @ 2012-03-02 12:04 UTC (permalink / raw)
To: Open Printing
It looks like the same issue also affects pdftoopvp, although
mysteriously the Glyph & Cog copyright notices seem to be absent.
I found a security issue in the first file I looked at.
Please can everyone stop bundling bits of xpdf and poppler, both of
which regularly have security issues discovered?
Thanks,
Tim.
*/
* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
2012-03-02 12:04 [Printing-architecture] XPdf bundling in pdftoopvp as well Tim Waugh
@ 2012-03-02 12:12 ` Till Kamppeter
2012-03-02 12:38 ` Koji Otani
1 sibling, 0 replies; 6+ messages in thread
From: Till Kamppeter @ 2012-03-02 12:12 UTC (permalink / raw)
To: printing-architecture, Koji Otani
Keeping Otani-san CCed ...
Till
On 03/02/2012 01:04 PM, Tim Waugh wrote:
> It looks like the same issue also affects pdftoopvp, although
> mysteriously the Glyph & Cog copyright notices seem to be absent.
>
> I found a security issue in the first file I looked at.
>
> Please can everyone stop bundling bits of xpdf and poppler, both of
> which regularly have security issues discovered?
>
> Thanks,
> Tim.
> */
>
>
>
>
> _______________________________________________
> Printing-architecture mailing list
> Printing-architecture@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/printing-architecture
* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
2012-03-02 12:04 [Printing-architecture] XPdf bundling in pdftoopvp as well Tim Waugh
2012-03-02 12:12 ` Till Kamppeter
@ 2012-03-02 12:38 ` Koji Otani
2012-03-05 12:09 ` Tim Waugh
1 sibling, 1 reply; 6+ messages in thread
From: Koji Otani @ 2012-03-02 12:38 UTC (permalink / raw)
To: twaugh; +Cc: printing-architecture
From: Tim Waugh <twaugh@redhat.com>
Subject: [Printing-architecture] XPdf bundling in pdftoopvp as well
Date: Fri, 02 Mar 2012 12:04:15 +0000
Message-ID: <1330689855.32498.25.camel@rubik>
twaugh> It looks like the same issue also affects pdftoopvp, although
twaugh> mysteriously the Glyph & Cog copyright notices seem to be absent.
twaugh>
If you mean OPVPOutputdev.cc, pdftoopvp uses SplashOutputdev
as a template to make a driver of poppler.
twaugh> I found a security issue in the first file I looked at.
twaugh>
twaugh> Please can everyone stop bundling bits of xpdf and poppler, both of
twaugh> which regularly have security issues discovered?
twaugh>
twaugh> Thanks,
twaugh> Tim.
twaugh> */
twaugh>
----
Koji Otani
* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
2012-03-02 12:38 ` Koji Otani
@ 2012-03-05 12:09 ` Tim Waugh
2012-03-06 5:46 ` Koji Otani
0 siblings, 1 reply; 6+ messages in thread
From: Tim Waugh @ 2012-03-05 12:09 UTC (permalink / raw)
To: Koji Otani; +Cc: printing-architecture
On Fri, 2012-03-02 at 21:38 +0900, Koji Otani wrote:
> From: Tim Waugh <twaugh@redhat.com>
> Subject: [Printing-architecture] XPdf bundling in pdftoopvp as well
> Date: Fri, 02 Mar 2012 12:04:15 +0000
> Message-ID: <1330689855.32498.25.camel@rubik>
>
> twaugh> It looks like the same issue also affects pdftoopvp, although
> twaugh> mysteriously the Glyph & Cog copyright notices seem to be absent.
> twaugh>
>
> If you mean OPVPOutputdev.cc, pdftoopvp uses SplashOutputdev
> as a template to make a driver of poppler.
I do; and there is an overflow in it.
I haven't even looked at pdftoopvp/oprs/*Splash*.cxx, but I expect those
also have vulnerabilities of one form or another.
If this code really must be duplicated (and I hope that is not the
case), there *must* be a plan in place to make sure that security fixes
in poppler and XPdf get checked for in cups-filters.
Tim.
*/
* Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
2012-03-05 12:09 ` Tim Waugh
@ 2012-03-06 5:46 ` Koji Otani
2012-03-07 9:50 ` Tim Waugh
0 siblings, 1 reply; 6+ messages in thread
From: Koji Otani @ 2012-03-06 5:46 UTC (permalink / raw)
To: twaugh; +Cc: printing-architecture
From: Tim Waugh <twaugh@redhat.com>
Subject: Re: [Printing-architecture] XPdf bundling in pdftoopvp as well
Date: Mon, 05 Mar 2012 12:09:38 +0000
Message-ID: <1330949378.9812.3.camel@rubik>
twaugh> On Fri, 2012-03-02 at 21:38 +0900, Koji Otani wrote:
twaugh> > From: Tim Waugh <twaugh@redhat.com>
twaugh> > Subject: [Printing-architecture] XPdf bundling in pdftoopvp as well
twaugh> > Date: Fri, 02 Mar 2012 12:04:15 +0000
twaugh> > Message-ID: <1330689855.32498.25.camel@rubik>
twaugh> >
twaugh> > twaugh> It looks like the same issue also affects pdftoopvp, although
twaugh> > twaugh> mysteriously the Glyph & Cog copyright notices seem to be absent.
twaugh> > twaugh>
twaugh> >
twaugh> > If you mean OPVPOutputdev.cc, pdftoopvp uses SplashOutputdev
twaugh> > as a template to make a driver of poppler.
twaugh>
driver --> device
twaugh> I do; and there is an overflow in it.
twaugh>
twaugh> I haven't even looked at pdftoopvp/oprs/*Splash*.cxx, but I expect those
twaugh> also have vulnerabilities of one form or another.
twaugh>
oprs/*Splash*.cxx are not copied from poppler while they use poppler data.
They may have vulnerabilities, but it's not because of copying from
poppler. We should fix them in pdftoopvp.
---------
Koji Otani