Re: [Swftools-common] XPDF vulnerability

[Matthias Kramm]

On Mon, Oct 18, 2010 at 06:28:42PM -0700, David Schissler <address@hidden> 
wrote:
> From what I understand on the matter, poppler was affected by the
> vulnerability as well.  It apparently has something to do with
> something going very far back before the fork happened between those
> two projects.

Poppler still uses a lot of xpdf code. Of course, they also did a
lot of changes, and added a lot of features, but even so, I believe 
the (yet unreleased) development version of xpdf is still ahead 
of poppler in terms of PDF support.

I'd personally have preferred for xpdf never to get split, because
Poppler seems to do a better job at fixing security issues, but Derek
(the xpdf author) does a better job at building support for new PDF
features.

> I'm unsure if this vulnerability means that a malformed
> PDF would cause pdf2swf to start executing the stack.

The poppler logs only talk of crashes, but it's presumably
possible to exploit those.

Btw. I ported their fixes to the swftools git, and I'm also going to 
compile a new version shortly.

> Do you have any plans for being able to dynamically link against
> vanilla poppler or xpdf?

I want to be able to dynamically link against Poppler at some
point. Some people already contributed code towards that. We'll
get there.

> That would be necessary to get your project included in Fedora.

I've been thinking about the Fedora and Debian issues. Another option for 
swftools to get re-included would be to split the project in two, one 
("swftools")
for all the tools that actually have something to do with SWF/Flash, like
wav2swf, swfc, as3compile etc., and one for all the document conversion
tools like swfrender, gfx2gfx, pdf2swf, pdf2pdf etc.
Obviously, there's some overlap, but xpdf would only be needed in the
latter project.

Matthias