pdfkit uses vulnerable xpdf code and needs an update. See bug 185225 for a patch.
CC'ing maintainer and setting whiteboard status.
As I pointed out in the bug mentioned above, I believe pdfkit is still vulnerable to older xpdf issues, among them bug #114428.
Not maintained anymore upstream, does not compile with gcc 4.x, does not compile with stable freetype (bugs #131690, #172887, #188146 for example). It won't be easy to test a fix.
pdfkit is scheduled for portage removal when we start to move ebuilds in from the gnustep overlay (including popplerkit, pdfkit replacement). So why not mask it now?
Packages depending on it are gnustep-apps/viewpdf (replaced by gnustep-apps/vindaloo), and gnustep-apps/gworkspace (in a conditional DEPEND for pdf support, replaced by a popplerkit DEPEND in the overlay).
Another vote for masking the gnustep app; moving over apps from the overlay to the main tree is for me scheduled in the near future.
Ok, I masked gnustep-libs/pdfkit, gnustep-apps/viewpdf and gnustep-apps/gworkspace. I expect replacements to enter the tree in a week or two.
Fabian, any update on this?
We are waiting for ~ppc rekeywording of new gnustep-base packages (bug #189372), as gnustep-libs/popplerkit and gnustep-apps/gworkspace need these (and are also ~ppc).
After that, popplerkit (and vindaloo), and new gworkspace depending on popplerkit instead of pdfkit can get in the tree.
OK, working gnustep-libs/popplerkit and gnustep-apps/vindaloo are in portage, as is gnustep-apps/gworkspace-0.8.6 (~arch for now).
We can now send a last-rites mail for pdfkit and viewpdf soon, with the usual 30 days before removal, or less?
Also, gworkspace is again available, but ~arch only for now (there was a stable version available).
Hmm, maybe we should have a maskglsa for this one?
(In reply to comment #9)
> Hmm, maybe we should have a maskglsa for this one?
Policy says yes, and I agree with it. Request filed.
gnustep-libs/imagekits also has a bundled pdfkit (and installs its own copy).
It is scheduled for removal at the same time as pdfkit and viewpdf.
(In reply to comment #11)
> gnustep-libs/imagekits also has a bundled pdfkit (and installs its own copy)
Thanks for letting us know.
All traces of pdfkit and imagekits removed, thanks Bernard.