
List:       oss-security
Subject:    Re: [oss-security]  Re: ghostscript CVE for multiple NULL dereferences in JBIG2 decoder
From:       Oden Eriksson <oeriksson () mandriva ! com>
Date:       2009-10-29 11:18:21
Message-ID: 200910291218.21686.oeriksson () mandriva ! com

On Wednesday 28 October 2009 13.58.56, Mark J Cox wrote:
> > The same PoC crashes xpdf. I'm not aware of any CVE id being assigned for
> > this issue other than the one for Adobe Reader.
> 
> So I've deliberately not allocated one because we generally do not
> consider a crash of a user application like a PDF reader to be a security
> issue.  However CVE does have a few cases where CVE names were allocated
> for such cases, so if any vendor here is going to treat this as a security
> issue let me know and I'll allocate a name for tracking purposes.
> 
> Thanks, Mark
> 

I was actually planning to but as currently done in cooker where jbig2dec is 
broken out in a new jbig2dec-0.10 package (with the patch applied). This makes 
it easier for future borkiness. This was also done with jasper earlier for the 
same reason.

-- 
Regards // Oden Eriksson