oss-sec mailing list archives

Re: Re: [CVE assignment notification] CVE-2012-2142 poppler, xpdf: Insufficient sanitization of escape sequences in the error message {AKA request for feedback if CVE to be marked as disputed / rejected}


From: Michael Gilbert <mgilbert () debian org>
Date: Mon, 12 Aug 2013 19:08:12 -0400

On Mon, Aug 12, 2013 at 4:22 PM, Kurt Seifried wrote:
> I assume we'll SPLIT this? In the past some xpdf/poppler issues have been
> merged circa 2010, but after that they appear to have been usually
> treated as separate:
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=poppler
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xpdf

It's the same codebase, just slightly diverged, so I would argue no.
In fact Debian's xpdf is unaffected once poppler is fixed since it
links against it (and the issue is in poppler's Error.cc).  I believe
Gentoo does the same.

Best wishes,
Mike

