Code Monkey home page Code Monkey logo

Comments (4)

diegomon avatar diegomon commented on September 27, 2024

@kermitt2 @lfoppiano There's this CVE https://nvd.nist.gov/vuln/detail/CVE-2019-9878?cpeVersion=2.2 I asked Derek of Xpdf and told me that it was fixed in version 4.0.1. The last version is 4.0.2 and pdf-alto uses 4.0.0 if I'm not wrong. Is it possible to rebuild pdf-alto with this fixes of the new version and include the binaries in Grobid to avoid this security issues?

from pdfalto.

attritionorg avatar attritionorg commented on September 27, 2024

@diegomon Can you point to where it shows that 4.01 fixes this issue? Looking at the changelog I see 7 different vulns, all with CVE-2018 assignments, but no mention of this issue. I think the solution was probably 4.01.01 instead, and suspect this may have been fixed based on wording and the fix coming a day after this bug report:

4.01.01 (2019-mar-14)

Fixed a missing array bounds check in PSOutputDev. [Thanks to
Loginsoft for the bug report.]
Fixed a problem parsing large real numbers. [Thanks to Loginsoft for
the bug report.]

If anyone could confirm that would be great!

from pdfalto.

diegomon avatar diegomon commented on September 27, 2024

@attritionorg This is the answer of Derek of xpdf when I asked about the CVE

The relevant change was this (in two places):

  •     if (cs->indexHigh < 0) {

  •       goto err3;

  •     }
  • Derek

On Wed, 22 Apr 2020 06:47:17 +0000, Diego Moncayo
[email protected] wrote:

Sorry, I see you included the version. The thing is I checked version
4.02 and the code mentioned in CVE-2019-9878 was still there.

On 22.04.20, 00:16, "Derek B. Noonburg" [email protected] wrote:

Hi Diego,

CVE-2019-9878 is a duplicate of CVE-2018-18455, which was fixed

in Xpdf 4.01.

- Derek


On Tue, 21 Apr 2020 14:08:13 +0000, Diego Moncayo
<[email protected]> wrote:

> Hello.
>
> Any plans to solve this CVE?
> https://nvd.nist.gov/vuln/detail/CVE-2019-9878?cpeVersion=2.2
>
> Although it is pdf-alto but it points to xpdf as the source of
> the vulnerability.
>
> Best regards
> Diego Moncayo

from pdfalto.

kermitt2 avatar kermitt2 commented on September 27, 2024

Updated to xpdf-4.03, which solves this issue.

from pdfalto.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.