[Secure-testing-team] [Secure-testing-commits] r6759 - data/CVE
Nico Golde
debian-secure-testing+ml at ngolde.de
Tue Oct 2 10:12:53 UTC 2007
Hi,
* Florian Weimer <fw at deneb.enyo.de> [2007-10-02 09:13]:
> > CVE-2007-5049
> > REJECTED
> > - {DTSA-62-1}
> > - - poppler 0.5.4-6.2 (medium; bug #443903)
> > - - gpdf <removed>
> > - - xpdf 3.02-1.2 (medium; bug #443906)
> > - - kdegraphics 4:3.5.7-4 (medium; bug #444015)
> > - - koffice 1:1.6.3-3 (medium; bug #444014)
> > - - pdftohtml <removed>
> > - - tetex-bin 3.0-12
> > - NOTE: pdftex links to poppler since 3.0-12, thus marking as fixed
> > - - cupsys <not-affected> (unimportant; bug #436099)
> > - NOTE: cups uses xpdf-utils
> > - - pdfkit.framework 0.8-4
> > - NOTE: links to poppler since 0.8-4, thus marking as fixed
> > - - libextractor 0.5.12-1
> > - NOTE: libextractor uses internal pdf decoder since 0.5.12-1, thus marking as fixed
>
> Why does this entry feature different version information than
> CVE-2007-3387, when it's allegedly a duplicate?
The reason is that we are not really sure about this. Before
mitre said it is a duplicate they explicitly state that it
is different to CVE-2007-3387.
The patches for this issue are also.
The first patch published was:
ftp://ftp.kde.org/pub/kde/security_patches/post-3.5.7-kdegraphics-CVE-2007-3387.diff
The second patch:
http://cgit.freedesktop.org/poppler/poppler/diff/?id=c240daefe660ac3456dc0c5f5dc82aa53ebc3313&id2=1ba884b6b98ac8d755c9adc9f23a7a68d8b17b54
I asked the poppler guys what's up with the other CVE and
they said no one told it to them but it looks plausible.
I then mailed mitre about the exact difference and this
ended up marking it as a duplicate. No one really knows if it
is; what is confusing is the different patches, and we decided a fix
using the second patch does not hurt here.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.