bug#27519: Podofo security bugs

bug#27519: Podofo security bugs

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 363 bytes --]

There were some bugs with security implications reported in Podofo
recently:

http://seclists.org/oss-sec/2017/q2/0
http://seclists.org/oss-sec/2017/q2/1
http://seclists.org/oss-sec/2017/q2/2

I noticed some fixes committed to the Podofo SVN repo:

https://sourceforge.net/p/podofo/mailman/podofo-svn/?viewmonth=201706

We need to try to cherry-pick these fixes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#27519: Podofo security bugs

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 523 bytes --]

We have since packaged a new release of PoDoFo (0.9.6) which apparently
fixed many bugs.

The PoDoFo team does not write changelogs or any sort of release
announcement file. Their SVN repo includes several commits like "Fix
CVE-XXX" followed by "Really fix CVE-XXX".

Since PoDoFo is not widely used in Guix (only by calibre and Scribus),
I'm not going to dig in to whether or not these bugs are really fixed or
not in the current Guix package.

At this point, this bug report is not helping us much, so I am closing
it :)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]