| | 20170427 |
chrisl_x270 | My turn for kaput broadband - allegedly should back up in an hour or so..... | 09:16.17 |
kens | Ah I wondered where you were :-) | 09:16.31 |
| I looked at the security report, .rsdparams is badly broken, doesn't test its parameters and won't work if one of them is null, which is allegedly permitted | 09:17.04 |
| I can't, however, reproduce the problem with %pipe% | 09:17.24 |
chrisl_x270 | That's to do with memory corruption | 09:17.41 |
kens | Hmm, so fixing the .rsdparams parameter checking should resolve it then ? | 09:18.00 |
chrisl_x270 | No, the .rsdparams thing happens after the "real" problem | 09:18.34 |
kens | Right that's what I thought, 2 different problems | 09:18.48 |
chrisl_x270 | Although, I'm a little wary about discussing it here..... | 09:18.53 |
kens | Hence my circumspection | 09:19.04 |
| I'll leave the bug to you since you're working on it. | 09:19.19 |
chrisl_x270 | And I currently can't get to that other channel, so.... | 09:19.37 |
kens | But when you fix .rsdparams, note the fact that it pulls params directly from an 'op' assuming it's a dict, even though it's allowed to be a null object. I had to rearrange the flow | 09:20.03 |
| Also as Tavis mentioned, there's similar problems with .eqproc | 09:20.15 |
| I was going to suggest adding this to the agenda, I think we should have an audit of all the non-standard operators | 09:20.43 |
chrisl_x270 | Yeh, suspicious that the "real" problem may be related to .eqproc. | 09:21.13 |
kens | I suspect people (probably including me) have been careless in validating parameters for internal use operators | 09:21.53 |
chrisl_x270 | I was wanting to get that truetype issue squared away before I continue with the security issue. | 09:23.48 |
kens | Not a problem, I hadn't realised you already had filled out a report for it, until you mentioned it by email | 09:24.16 |
| Otherwise I wouldn't have looked at it at all | 09:24.25 |
chrisl_x270 | The truetype thing is actually a broken font, not our parsing - which is interesting | 09:25.16 |
kens | It certainly is. | 09:25.32 |
chrisl_x270 | format 4 cmaps are not allowed to have only one segment - they *must* have at least two | 09:25.49 |
kens | Ah, I wonder if other parsers are ignoring that | 09:26.01 |
chrisl_x270 | Freetype works totally differently to ours: it finds GIDs on demand, rather than building a cmap table | 09:27.00 |
kens | Hmm, well that might explain it | 09:27.15 |
| Yet another enterprise class piece of software producing crap PDF files..... | 09:27.43 |
chrisl_x270 | So as long as the file only uses characters codes within the segment, it's fine. | 09:27.46 |
kens | Interestingly, the fonts don't claim to be subsets | 09:28.40 |
chrisl_x270 | At least one of them is clearly custom, so I could believe that was complete. | 09:29.14 |
kens | Well there's Arial and ArialMT in there and they don't work either | 09:29.31 |
| Sorry Arial-BoldMT and ArialMT | 09:29.49 |
| Embedded, not subset | 09:29.59 |
| I don't believe the originals of those are wrong. | 09:30.13 |
| Also ArialMT has FirstChar=0 LastChar=71 | 09:30.50 |
| Looks like a subset to me | 09:30.55 |
chrisl_x270 | I'm fairly sure that they genuinely use well formed format 4 cmaps. I'd guess the subsetting code was written by someone who knows almost nothing about PDF nor TTF | 09:31.41 |
kens | Yep, broke the font while subsetting it, and didn't mark it as a subset. Excellent software | 09:32.04 |
chrisl_x270 | I've never heard of "Infor ERP AS".... | 09:33.31 |
kens | Nope, but they seem like an enterprise class software company | 09:34.02 |
| Or claim to be at least :-) | 09:34.08 |
| http://www.infor.com/solutions/erp/ | 09:34.24 |
chrisl_x270 | s/enterprise/remedial | 09:34.28 |
kens | They probably out-sourced the PDF production module for their reporting software to the cheapest bidder. Who munged something together until it worked in Acrobat | 09:35.17 |
chrisl_x270 | And, to be fair, almost everywhere else: since almost every other widely available PDF reader probably uses Freetype | 09:35.57 |
kens | True, but that's no excuse for breaking the font, or failing to declare that it's a subset | 09:36.24 |
chrisl_x270 | Speaking of corporate idiocy: I just got an email from Virgin Media with instructions on troubleshooting your broadband connection. | 09:37.25 |
kens | Well that's going to work well, since you currently have no broadband | 09:37.45 |
| How did they expect you to receive the email ? | 09:37.53 |
chrisl_x270 | "Try these three steps. Still not working? More help at http://......" FFS | 09:37.55 |
kens | :-) | 09:38.06 |
| Open this crate with the crowbar contained within | 09:38.15 |
chrisl_x270 | Yeh.... to be fair, it was sent for future reference, not the present problem. | 09:38.49 |
kens | Ah I remember this Infor file now. | 09:39.15 |
chrisl_x270 | But still, referring you to a web page... jeez | 09:39.15 |
kens | Positions text horizontally by using 'Td' to do a newline, but with a 0 vertical component | 09:39.42 |
| And it even uses TJ to draw the text, not Tj, so they could just have put the spacing in the array.... | 09:40.52 |
| LOL and does vertical movement by showing an empty string with TJ, but preceding it with a Td with a 0 horizontal component. | 09:41.54 |
| Clearly whoever wrote this had no clue about PDF. I would suggest it also translates from a simple line printer style of data | 09:42.19 |
chrisl_x270 | I have to say, this broadband outage couldn't have happened at a worse time: I have a horrid cold, and have practically lost my voice. Made talking to a call centre a bit challenging | 09:43.19 |
kens | You should have used web chat, oh wait..... :-) | 09:43.39 |
chrisl_x270 | Was thinking of smoke signals...... | 09:44.09 |
| Well, as it's going to be (hopefully) ~40 minutes before I have internet again, I think I'll go and get some fresh air and some shopping. | 09:47.43 |
| Back in a half hour or so | 09:48.01 |
kens | have fun | 09:48.05 |
deekej | Hello folks, is https://bugs.ghostscript.com/show_bug.cgi?id=697799 private on purpose? | 14:21.50 |
| it's referenced from here: https://bugs.ghostscript.com/show_bug.cgi?id=697808 | 14:22.05 |
kens | Yes, both are private, because security | 14:22.19 |
deekej | kens: OK, I just wanted to make sure, thanks :) | 14:22.41 |
kens | The specimen files are the same though, which is why the second is a duplicate | 14:22.51 |
| We're thinking of a better way to try and deal with security issues on bugzilla, it's due for discussion at our next face to face meeting | 14:23.28 |
deekej | kens: is there any way for me to get notification when the security fix for it is released? | 14:23.39 |
kens | You could add yourself to the 697808 bug report | 14:24.00 |
deekej | ah, so that would work? ok, thanks | 14:24.22 |
kens | You won't see private comments or attachments, but I can't think of any reason why we'd not make the commit message public | 14:24.28 |
| As I said, we're actively thinking about coming up with a procedure for these kinds of reports | 14:25.06 |
deekej | well, in RH bugzilla, when you close something as duplicate, you will not get notifications about the original bug | 14:25.51 |
kens | No, that's true | 14:26.00 |
| I'm pretty certain you won't get notifications for 697799 now | 14:26.19 |
deekej | yeah, I was just wondering if 697799 becomes resolved, if I will get notification about it in 697808 as well ;) | 14:26.56 |
kens | I think, as far as we are concerned (and Bugzilla too) once it's marked as a duplicate, it is resolved already, hence no more notifications | 14:27.31 |
| So you'd have to add yourself to the report which is the original, rather than the duplicate. You'll get notifications from that one then. | 14:28.03 |
deekej | I'm not sure if I can add myself to the original bug, since it's private :) | 14:28.30 |
kens | Oh, well I can add you | 14:28.39 |
deekej | but that might be against your security policies, or not? | 14:28.57 |
| I'm not part of Artifex | 14:29.04 |
kens | I know but I think we can probably trust you :) | 14:29.14 |
deekej | okay, thank you :) | 14:29.23 |
kens | You're already on the CC list for 697808 | 14:29.25 |
| Possibly the 'duplicate' added you, let me look | 14:29.40 |
deekej | (yes, I added there myself few moments ago :)) | 14:29.49 |
kens | Yeah it was you adding yourself | 14:30.23 |
| Hmm, Robin_Watts ping ? | 14:30.42 |
Robin_Watts | pong? | 14:31.00 |
kens | Can you remove ddekej's email address from the logs ? | 14:31.12 |
| deekej that is | 14:31.17 |
Robin_Watts | ok. | 14:31.24 |
kens | Just in case of email harvesters | 14:31.28 |
Robin_Watts | deekej: Our best thought so far is to introduce a new product for BZ for security bugs, which will be private by default. | 14:38.39 |
kens | We might set up a 'security' product for security reports, and then have a 'security' group that people would need to be part of to see them | 14:38.42 |
deekej | I see. I think we have something similar here as well (utilizing the BZ groups). | 14:39.22 |
kens | Could be, I can't see anything much better using Bugzilla | 14:39.48 |
| But like I said, we will think about it. We do recognise what we're doing now is ad-hoc and not really satisfactory | 14:40.09 |
ray_laptop | does anybody know of a viewer app that can open the output of tiffscaled4 ? | 20:43.31 |
| (1-bit per component CMYK) | 20:44.21 |
| oh, duh. nm mupdf does :-) | 20:45.24 |