Mercurial > hgrepos > Python2 > PyMuPDF
annotate mupdf-source/thirdparty/lcms2/SECURITY.md @ 45:b74429b0f5c4 v1.26.5+1
+++++ v1.26.5+1
| author | Franz Glasner <fzglas.hg@dom66.de> |
|---|---|
| date | Sat, 11 Oct 2025 17:17:13 +0200 |
| parents | b50eed0cc0ef |
| children |
| rev | line source |
|---|---|
|
2
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
1 # Security Policy |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
2 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
3 ## Supported Versions |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
4 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
5 Security updates are applied only to the latest release. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
6 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
7 ## Reporting a Vulnerability |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
8 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
9 LittleCMS is located deep in the Linux dependency tree. So, security issues are real and should be addressed. The proposed process is quite simple, if you detect a potential security issue and you are able to create a patch, please send us the patch to analyse. We have an extensive test bed of apps and utilities using lcms, so we can check if all those goes fine. If you don’t want to create a patch and only want to report the vulnerability, thats ok too. and we will be very gratefull. Just contact us. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
10 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
11 **Please avoid public advisories if possible, as doing that, hints how to use the flaw for malicious use**. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
12 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
13 Please don’t make noise to gain popularity, this can result in bad karma to you. Any CVE without reliable proof will be promptly disputed. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
14 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
15 Please don’t use untrusted patches from 3rd parties. We had an incident years ago with so called “security experts” trying to add a back door by using a crafted patch. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
16 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
17 Credits to vulnerability busters will be given on each release |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
18 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
19 After the patch proves to be harmless, I will send to the mailing list a signed mail with the patch attached. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
20 That is, you got a patch from upstream that upstream claims to be reasonably tested. I will apply the same checks that I do before a normal release. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
21 Please understand that this is a lot of work, and obviously it can fail as well, so the “no guarantee” clause of MIT license applies. If you choose to |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
22 redistribute such patches, please make sure to include the mail, or at least the MIT license. By including the MIT license you prevent to get in legal trouble. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
23 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
24 ## Using GitHub security advisory |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
25 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
26 Please disclose it at our [security advisory](https://github.com/mm2/Little-CMS/security/advisories/new). |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
27 |