Debian Bug report logs - #286984
tetex-bin: Vulnerable to CAN-2004-1125


Package: tetex-bin; Maintainer for tetex-bin is (unknown);

Reported by: Martin Pitt <mpitt@debian.org>

Date: Thu, 23 Dec 2004 13:03:09 UTC

Severity: grave

Tags: patch, security, woody

Found in version 2.0.2-23

Fixed in version tetex-bin/2.0.2-25

Done: Hilmar Preusse <hille42@web.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#286984; Package tetex-bin. (full text, mbox, link).


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: team@security.debian.org
Subject: tetex-bin: Vulnerable to CAN-2004-1125
Date: Thu, 23 Dec 2004 13:54:00 +0100
Package: tetex-bin
Version: 2.0.2-23
Severity: grave
Tags: security patch
Justification: user security hole

Hi teTeX maintainers!

Recently CAN-2004-1125 has been discovered in xpdf. Since tetex-bin
contains verbatim xpdf code (sigh), this package is affected as well.

You can get the Ubuntu security update patch from

  http://patches.ubuntu.com/patches/tetex-bin.CAN-2004-1125.diff

Thanks,

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages tetex-bin depends on:
ii  debconf                   1.4.30.10      Debian configuration management sy
ii  debianutils               2.8.4          Miscellaneous utilities specific t
ii  dpkg                      1.10.25        Package maintenance system for Deb
ii  ed                        0.2-20         The classic unix line editor
ii  libc6                     2.3.2.ds1-18   GNU C Library: Shared libraries an
ii  libgcc1                   1:3.4.2-2      GCC support library
ii  libice6                   4.3.0.dfsg.1-8 Inter-Client Exchange library
ii  libkpathsea3              2.0.2-23       path search library for teTeX (run
ii  libpaper1                 1.1.14-3       Library for handling paper charact
ii  libpng12-0                1.2.8rel-1     PNG library - runtime
ii  libsm6                    4.3.0.dfsg.1-8 X Window System Session Management
ii  libstdc++5                1:3.3.4-13     The GNU Standard C++ Library v3
ii  libt1-5                   5.0.2-3        Type 1 font rasterizer library - r
ii  libwww0                   5.4.0-9        The W3C WWW library
ii  libx11-6                  4.3.0.dfsg.1-8 X Window System protocol client li
ii  libxaw7                   4.3.0.dfsg.1-8 X Athena widget set library
ii  libxext6                  4.3.0.dfsg.1-8 X Window System miscellaneous exte
ii  libxmu6                   4.3.0.dfsg.1-8 X Window System miscellaneous util
ii  libxt6                    4.3.0.dfsg.1-8 X Toolkit Intrinsics
ii  mime-support              3.28-1         MIME files 'mime.types' & 'mailcap
ii  perl                      5.8.4-3        Larry Wall's Practical Extraction 
ii  sed                       4.1.2-8        The GNU sed stream editor
ii  tetex-base                2.0.2c-3       Basic library files of teTeX
ii  ucf                       1.13           Update Configuration File: preserv
ii  zlib1g                    1:1.2.2-3      compression library - runtime

-- debconf information excluded

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#286984; Package tetex-bin. (full text, mbox, link).


Acknowledgement sent to Hilmar Preusse <hille42@web.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #10 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Hilmar Preusse <hille42@web.de>
To: Martin Pitt <mpitt@debian.org>, 286984@bugs.debian.org
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125
Date: Thu, 23 Dec 2004 15:37:00 +0100
On 23.12.04 Martin Pitt (mpitt@debian.org) wrote:

Hi,

> Recently CAN-2004-1125 has been discovered in xpdf. Since tetex-bin
> contains verbatim xpdf code (sigh), this package is affected as well.
> 
Time to get a fix for #252104...

> You can get the Ubuntu security update patch from
> 
>   http://patches.ubuntu.com/patches/tetex-bin.CAN-2004-1125.diff
> 
, which is not much more than
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch + the Debian/Ubuntu
specific stuff. The original report e.g. on
http://www.auscert.org.au/render.html?it=4651 .

Thanks for the report! Hmm, xpdf 1.0 contains exactly the same
vulnerable code. I guess there will be another tetex for stable soon.

Regards,
  Hilmar
-- 
sigmentation fault





Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #15 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Frank Küster <frank@debian.org>
To: 286984@bugs.debian.org
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125
Date: Thu, 23 Dec 2004 17:09:29 +0100
Hilmar Preusse <hille42@web.de> wrote:

> Thanks for the report! Hmm, xpdf 1.0 contains exactly the same
> vulnerable code. 

I must be blind (or you looked at something different: I looked at the
code in tetex-bin_1.0.7+20011202-7.3, which does not contain xpdf-1.0,
but 0.92). I couldn't find it in these sources; the vulnerable part after

    // get the mask

is missing.

TIA, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer






Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #20 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>
To: 286984@bugs.debian.org
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125
Date: Thu, 23 Dec 2004 17:28:49 +0100
Hi Hilmar!

Hilmar Preusse [2004-12-23 15:37 +0100]:
> > You can get the Ubuntu security update patch from
> > 
> >   http://patches.ubuntu.com/patches/tetex-bin.CAN-2004-1125.diff
> > 
> , which is not much more than
> ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch + the Debian/Ubuntu
> specific stuff. 

Right; to the contrary, it is even a bit shorter than the original
patch. I included it more or less only for the sake of completeness
:-)

> The original report e.g. on
> http://www.auscert.org.au/render.html?it=4651 .
> 
> Thanks for the report! Hmm, xpdf 1.0 contains exactly the same
> vulnerable code. I guess there will be another tetex for stable soon.

I did not look into that. If stable is affected, too, then can you
please keep track of the release tags?

Merry Christmas!

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org



Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #25 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Frank Küster <frank@debian.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 286984@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125
Date: Thu, 23 Dec 2004 17:27:46 +0100
Martin Pitt <mpitt@debian.org> wrote:

> Package: tetex-bin
> Version: 2.0.2-23
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> Hi teTeX maintainers!
>
> Recently CAN-2004-1125 has been discovered in xpdf. Since tetex-bin
> contains verbatim xpdf code (sigh), this package is affected as well.

Thank you. Have you filed bugs against the other packages that are known
to use xpdf code, too? By the way, the idefense URL in your changelog
has been truncated; it needs a trailing "&type=vulnerabilities" to
work. 

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Reply sent to Frank Küster <frank@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #30 received at 286984-close@bugs.debian.org (full text, mbox, reply):

From: Frank Küster <frank@debian.org>
To: 286984-close@bugs.debian.org
Subject: Bug#286984: fixed in tetex-bin 2.0.2-25
Date: Thu, 23 Dec 2004 12:02:30 -0500
Source: tetex-bin
Source-Version: 2.0.2-25

We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:

libkpathsea-dev_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/libkpathsea-dev_2.0.2-25_i386.deb
libkpathsea3_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/libkpathsea3_2.0.2-25_i386.deb
tetex-bin_2.0.2-25.diff.gz
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.diff.gz
tetex-bin_2.0.2-25.dsc
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.dsc
tetex-bin_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Küster <frank@debian.org> (supplier of updated tetex-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 23 Dec 2004 16:31:38 +0100
Source: tetex-bin
Binary: libkpathsea3 tetex-bin libkpathsea-dev
Architecture: source i386
Version: 2.0.2-25
Distribution: unstable
Urgency: high
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Frank Küster <frank@debian.org>
Description: 
 libkpathsea-dev - path search library for teTeX (devel part)
 libkpathsea3 - path search library for teTeX (runtime part)
 tetex-bin  - The teTeX binary files
Closes: 196987 286370 286984
Changes: 
 tetex-bin (2.0.2-25) unstable; urgency=high
 .
   * SECURITY UPDATE:
     - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
       PDF reading code that was taken from xpdf (closes: #286984). Thanks to
       Martin Pitt <martin.pitt@canonical.com>, see
       http://www.idefense.com/application/poi/display?id=172 [frank]
     - Fixed insecure tempfile creation, thanks to Javier
       Fernández-Sanguino Peña <jfs@computer.org> (closes: #286370) [frank]
   * Fixed clean target, again providing clean sources [frank]
   * Added Suggests: rubber; together with lacheck this (closes: #196987)
     [frank]
Files: 
 c0c67fb28b68a60e3fb4919c98dc63de 1044 tex optional tetex-bin_2.0.2-25.dsc
 22234075b7454394cb95b40dcf393988 183001 tex optional tetex-bin_2.0.2-25.diff.gz
 579513f95eb9ca5ff56fa653be3ca3e9 3934886 tex optional tetex-bin_2.0.2-25_i386.deb
 312583a749bf035cf6386d1831c9859e 58066 libs optional libkpathsea3_2.0.2-25_i386.deb
 8fba153ada4da2fcc994baa435928223 66208 libdevel optional libkpathsea-dev_2.0.2-25_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFByvXw+xs9YyJS+hoRAmuLAKCcIBS3Pz9GfaC+0kDjJTuu/Y8ePwCfVqy+
cLlZTys6TjtpkkNWFYNFWuo=
=AFY5
-----END PGP SIGNATURE-----






Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #35 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <martin.pitt@canonical.com>
To: Frank Küster <frank@debian.org>
Cc: 286984@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125
Date: Thu, 23 Dec 2004 18:16:46 +0100
Hi Frank!

Frank Küster [2004-12-23 17:27 +0100]:
> Thank you. Have you filed bugs against the other packages that are known
> to use xpdf code, too? 

Only against xpdf proper and CUPS. I did not fix any other packages. I
included a short list of possibly affected packages in #286983, but I
do not have the time to evaluate them all (sorry).

> By the way, the idefense URL in your changelog has been truncated;
> it needs a trailing "&type=vulnerabilities" to work. 

Hmm, I tried to remove it and it still worked. However, I did not
notice that the URL got rewritten. The following works and is a bit
shorter:

  http://www.idefense.com/application/poi/display?id=172

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org



Acknowledgement sent to Hilmar Preusse <hille42@web.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #40 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Hilmar Preusse <hille42@web.de>
To: 286984@bugs.debian.org, 286984-submitter@bugs.debian.org
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125
Date: Sun, 26 Dec 2004 22:44:30 +0100
On 23.12.04 Frank Küster (frank@debian.org) wrote:
> Hilmar Preusse <hille42@web.de> wrote:

Hi,

> > Thanks for the report! Hmm, xpdf 1.0 contains exactly the same
> > vulnerable code. 
> 
> I must be blind (or you looked at something different: I looked at
> the code in tetex-bin_1.0.7+20011202-7.3, which does not contain
> xpdf-1.0, but 0.92). I couldn't find it in these sources; the
> vulnerable part after
> 
>     // get the mask
> 
> is missing.
> 
Yes, you're right. Sorry! I had a look at the source code of xpdf
1.00, cause I believed this is the version contained in teTeX 1.0.7.
The first part of your patch doesn't fit into xpdf 0.92, however the
second part does. I'm not sure if this part is still part of the CAN.

Regards,
  Hilmar
-- 
sigmentation fault



Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#286984. (full text, mbox, link).


Bug reopened, originator not changed. Request was from Frank Küster <frank@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: sarge Request was from Frank Küster <frank@debian.org> to control@bugs.debian.org. (full text, mbox, link).




Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #52 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Frank Küster <frank@debian.org>
To: Hilmar Preusse <hille42@web.de>
Cc: 286984@bugs.debian.org, 286984-submitter@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: tetex-bin in woody (was: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125)
Date: Mon, 27 Dec 2004 10:42:24 +0100
Hi Martin, hi security team (probably also Martin),

Hilmar Preusse <hille42@web.de> wrote:

> The first part of your patch doesn't fit into xpdf 0.92, however the
> second part does. I'm not sure if this part is still part of the CAN.

Indeed, I missed that. I had thought that the patch to GfxState.cc is
just to get a decent error message, and that the real security patch is
just in Gfx.cc. I missed that also in GfxState.cc, the patch changes
nCompsA (which is called nComps in tetex-bin_1.0.7's sources).

Still it seems to me as if there is no exploit in 1.0.7, but I would
like to hear comments about this from you. As stated before, the patched
code in Gfx.cc, the main point of vulnerability, simply doesn't
exist. The original code in GfxState.cc looks quite similar:

  nComps = obj2.getInt();
  obj2.free();
+  if (nCompsA > gfxColorMaxComps) {
+    error(-1, "ICCBased color space with too many (%d > %d) components",
+        nCompsA, gfxColorMaxComps);
+    nCompsA = gfxColorMaxComps;
+  }
  if (dict->lookup("Alternate", &obj2)->isNull() ||
      !(alt = GfxColorSpace::parse(&obj2))) {
    switch (nComps) {
    case 1:
      alt = new GfxDeviceGrayColorSpace();
      break;
    case 3:
      alt = new GfxDeviceRGBColorSpace();
      break;
    case 4:
      alt = new GfxDeviceCMYKColorSpace();
      break;
    default:
      error(-1, "Bad ICCBased color space - invalid N");
      obj2.free();
      obj1.free();
      return NULL;
    }
  }
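
Review bot: The added check on the "+" lines tests and clamps nCompsA, while the surrounding context assigns and switches on nComps, so for this tree all three occurrences need to read nComps. The switch that reports "invalid N" sits inside the if that runs only when Alternate is missing or fails to parse, so on the path where Alternate parses, the added bound is the only check on N visible in these lines. Clamping to gfxColorMaxComps and continuing lets the parse proceed with a count the file did not declare; rejecting the colour space at that point, as the default case does for a bad N, would be more consistent.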

Here, without the patch, nComps would not be set to its maximum value,
but everything above 4 is treated as an error. I'm confused whether
"return NULL" means an error as in Perl or success as in shell?  nComps
is also used outside this function, however.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
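
A simplified model of the control flow in the excerpt quoted in the message above, added here as an illustration and not taken from xpdf or teTeX: it shows which values of N each path rejects and which reach the stored component count, with and without the added bound. The value of `kMaxComps`, the `IccSpace` struct, the strict variant and all function names are assumptions made for the example.

```cpp
// Added illustration: a simplified model of the excerpt's control flow.
// Not xpdf or teTeX code.
#include <cstdio>

// Assumed bound; the thread names gfxColorMaxComps but not its value.
static const int kMaxComps = 8;

// Hypothetical parsed colour space with fixed-size per-component arrays.
struct IccSpace {
    int nComps;
    double rangeMin[kMaxComps];
    double rangeMax[kMaxComps];
};

enum Outcome { REJECTED, ACCEPTED_IN_BOUNDS, ACCEPTED_OVERSIZE };

// Flow of the excerpt without the "+" lines. The switch is the only check
// on N, and it runs only when no usable Alternate entry was found.
// Returns false where the excerpt does "return NULL" (the parse failed).
bool parseSwitchOnly(int n, bool alternateParsed, IccSpace *cs) {
    if (!alternateParsed) {
        switch (n) {
        case 1: case 3: case 4:
            break;
        default:
            return false;  // "Bad ICCBased color space - invalid N"
        }
    }
    cs->nComps = n;
    return true;
}

// Same flow with the bound from the "+" lines applied first (clamp).
bool parseWithClamp(int n, bool alternateParsed, IccSpace *cs) {
    if (n > kMaxComps) {
        n = kMaxComps;
    }
    return parseSwitchOnly(n, alternateParsed, cs);
}

// Stricter variant (an addition of this example): refuse an out-of-range N
// instead of silently changing it, and refuse N < 1 as well.
bool parseStrict(int n, bool alternateParsed, IccSpace *cs) {
    if (n < 1 || n > kMaxComps) {
        return false;
    }
    return parseSwitchOnly(n, alternateParsed, cs);
}

typedef bool (*ParseFn)(int, bool, IccSpace *);

// Classify one input: was it rejected, and if accepted, would a loop over
// nComps stay inside the kMaxComps-sized arrays?
Outcome classify(ParseFn parse, int n, bool alternateParsed) {
    IccSpace cs = {};
    if (!parse(n, alternateParsed, &cs)) {
        return REJECTED;
    }
    return cs.nComps <= kMaxComps ? ACCEPTED_IN_BOUNDS : ACCEPTED_OVERSIZE;
}

static const char *label(Outcome o) {
    switch (o) {
    case REJECTED:           return "rejected";
    case ACCEPTED_IN_BOUNDS: return "accepted";
    default:                 return "accepted, N > max";
    }
}

int main() {
    const int samples[] = {1, 3, 4, 5, 8, 9, 255};  // constructed N values
    const int count = sizeof(samples) / sizeof(samples[0]);
    std::printf("%4s  %-9s  %-18s  %-18s  %s\n",
                "N", "Alternate", "switch only", "with clamp", "strict");
    for (int alt = 0; alt <= 1; ++alt) {
        for (int i = 0; i < count; ++i) {
            int n = samples[i];
            std::printf("%4d  %-9s  %-18s  %-18s  %s\n", n,
                        alt ? "parsed" : "absent",
                        label(classify(parseSwitchOnly, n, alt != 0)),
                        label(classify(parseWithClamp, n, alt != 0)),
                        label(classify(parseStrict, n, alt != 0)));
        }
    }
    return 0;
}
```

Whether an oversized count matters depends on how later code uses `nComps`, which the excerpt does not show.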




Message sent on to Martin Pitt <mpitt@debian.org>:
Bug#286984. (full text, mbox, link).




Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #60 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Frank Küster <frank@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Debian Security Team <team@security.debian.org>, 286984@bugs.debian.org
Subject: Re: CAN-2004-1125: Arbitrary code execution in tetex-bin
Date: Tue, 28 Dec 2004 10:24:16 +0100
Martin Schulze <joey@infodrom.org> wrote:

> Hi Frank
>
> an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> could lead to the execution of arbitrary code in Xpdf.  Similar
> code is also present in tetex-bin.  Hence, we'll need to roll an
> update. 

This has been reported by Martin Pitt from Ubuntu as #286984, which has
been Cc'ed to team@s.d.o. Didn't you get the mail?

> I'm attaching the patch we're using for fixing woody.

The patch was empty. 

> Please
>  . update the package in sid

Done

>  . mention the CVE id from the subject in the changelog
>  . tell me the version number of the fixed package


tetex-bin (2.0.2-25) unstable; urgency=high

  * SECURITY UPDATE: 
    - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
      PDF reading code that was taken from xpdf (closes: #286984). Thanks to
      Martin Pitt <martin.pitt@canonical.com>, see
      http://www.idefense.com/application/poi/display?id=172 [frank]
    - Fixed insecure tempfile creation, thanks to Javier
      Fernández-Sanguino Peña <jfs@computer.org> (closes: #286370) [frank]

>  . no need to upload into sarge directly, except the version in
>    sid is not meant to go into testing

I have done that, and reopened the bug with tag "sarge" in order to
track its progress into testing.

By the way, is there a way for an "ordinary maintainer" like me to get
information about security problems in a timely manner? Like some
announce list that can easily be filtered? The iDEFENSE advisory says
beneath "timeline":

12/21/2004  Coordinated public disclosure

So I guess some "not-so-public" people knew it before; and the bug was
reported 2 days later. If we didn't have Ubuntu, I would probably not
have known about this until today. And I guess if the Debian Security
team took the time to inform all maintainers of affected packages (and
to figure out who, from a list of uploaders, is in fact currently
active), you wouldn't have any time left to do coding and testing work. 

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer






Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #65 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Frank Küster <frank@debian.org>
To: Martin Pitt <martin.pitt@canonical.com>
Cc: 286984@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125
Date: Tue, 28 Dec 2004 19:21:19 +0100
Martin Pitt <martin.pitt@canonical.com> wrote:

> Hi Frank!
>
> Frank Küster [2004-12-23 17:27 +0100]:
>> Thank you. Have you filed bugs against the other packages that are known
>> to use xpdf code, too? 
>
> Only against xpdf proper and CUPS. I did not fix any other packages. I
> included a short list of possibly affected packages in #286983, but I
> do not have the time to evaluate them all (sorry).

pdftohtml also counts under "possibly others". I've just filed a bug
against it, with patch.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer






Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #70 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: Frank Küster <frank@debian.org>
Cc: Debian Security Team <team@security.debian.org>, 286984@bugs.debian.org
Subject: Re: CAN-2004-1125: Arbitrary code execution in tetex-bin
Date: Wed, 29 Dec 2004 20:52:33 +0100
Frank Küster wrote:
> Martin Schulze <joey@infodrom.org> wrote:
> 
> > Hi Frank
> >
> > an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> > could lead to the execution of arbitrary code in Xpdf.  Similar
> > code is also present in tetex-bin.  Hence, we'll need to roll an
> > update. 
> 
> This has been reported by Martin Pitt from Ubuntu as #286984, which has
> been Cc'ed to team@s.d.o. Didn't you get the mail?

I just saw it.

> > I'm attaching the patch we're using for fixing woody.
> 
> The patch was empty. 

Uh?  How did that happen?

> By the way, is there a way for an "ordinary maintainer" like me to get
> information about security problems in a timely manner? Like some
> announce list that can easily be filtered? The iDEFENSE advisory says
> beneath "timeline":
> 
> 12/21/2004  Coordinated public disclosure

My first trace of this is from December 21st as well.  iDEFENSE doesn't
coordinate and vendor refers to author in this case.  Since there was
some discussion, iDEFENSE may switch to using author or something in
the future.

Regards,

	Joey

-- 
Open source is important from a technical angle.             -- Linus Torvalds

Please always Cc to me when replying to me on the lists.





Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #75 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Frank Küster <frank@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 286984@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin
Date: Thu, 30 Dec 2004 11:12:56 +0100
Martin Schulze <joey@infodrom.org> wrote:

> Frank Küster wrote:
>> Martin Schulze <joey@infodrom.org> wrote:
>
>> > I'm attaching the patch we're using for fixing woody.
>> 
>> The patch was empty. 
>
> Uh?  How did that happen?

Don't know. I would still be interested.

TIA, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer






Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #80 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: Frank Küster <frank@debian.org>
Cc: 286984@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin
Date: Thu, 30 Dec 2004 12:09:32 +0100
Frank Küster wrote:
> Martin Schulze <joey@infodrom.org> wrote:
> 
> > Frank Küster wrote:
> >> Martin Schulze <joey@infodrom.org> wrote:
> >
> >> > I'm attaching the patch we're using for fixing woody.
> >> 
> >> The patch was empty. 
> >
> > Uh?  How did that happen?
> 
> Don't know. I would still be interested.

It's basically the same as in this bug report, but it's bogus
as you correctly pointed out, since the program flow will end
in the case statement that is able to detect wrong values of
nComps.

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86





Acknowledgement sent to Hilmar Preusse <hille42@web.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #85 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Hilmar Preusse <hille42@web.de>
To: Martin Schulze <joey@infodrom.org>, 286984@bugs.debian.org
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin
Date: Fri, 31 Dec 2004 10:54:04 +0100
On 30.12.04 Martin Schulze (joey@infodrom.org) wrote:
> Frank Küster wrote:
> > Martin Schulze <joey@infodrom.org> wrote:
> > > Frank Küster wrote:
> > >> Martin Schulze <joey@infodrom.org> wrote:

Hi,

> > >> > I'm attaching the patch we're using for fixing woody.
> > >> 
> > >> The patch was empty. 
> > >
> > > Uh?  How did that happen?
> > 
> > Don't know. I would still be interested.
> 
> It's basically the same as in this bug report, but it's bogus
> as you correctly pointed out, since the program flow will end
> in the case statement that is able to detect wrong values of
> nComps.
> 
So why is the hunk then included in the patch for xpdf 1.0 (DSA
619-1)? Why is it part of 3.00pl2 at all?

Regards,
  Hilmar
-- 
sigmentation fault





Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #90 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: Hilmar Preusse <hille42@web.de>
Cc: 286984@bugs.debian.org
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin
Date: Fri, 31 Dec 2004 13:19:36 +0100
Hilmar Preusse wrote:
> > > >> > I'm attaching the patch we're using for fixing woody.
> > > >> 
> > > >> The patch was empty. 
> > > >
> > > > Uh?  How did that happen?
> > > 
> > > Don't know. I would still be interested.
> > 
> > It's basically the same as in this bug report, but it's bogus
> > as you correctly pointed out, since the program flow will end
> > in the case statement that is able to detect wrong values of
> > nComps.
> > 
> So why is the hunk then included in the patch for xpdf 1.0 (DSA
> 619-1)? Why is it part of 3.00pl2 at all?

Because it's the upstream fix and doesn't harm.  Contrary to tetex-bin
this is only a minor part of the correction for cups and xpdf.  The
real vulnerability does not exist in tetex-bin, so there's no update
needed.

Regards,

	Joey

-- 
A mathematician is a machine for converting coffee into theorems.   Paul Erdös

Please always Cc to me when replying to me on the lists.



Tags removed: sarge Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: woody Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).




Acknowledgement sent to Hilmar Preusse <hille42@web.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. (full text, mbox, link).


Message #99 received at 286984@bugs.debian.org (full text, mbox, reply):

From: Hilmar Preusse <hille42@web.de>
To: Martin Schulze <joey@infodrom.org>
Cc: 286984@bugs.debian.org
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin
Date: Tue, 4 Jan 2005 10:20:48 +0100
On 31.12.04 Martin Schulze (joey@infodrom.org) wrote:
> Hilmar Preusse wrote:

Hi,

> > So why is the hunk then included in the patch for xpdf 1.0 (DSA
> > 619-1)? Why is it part of 3.00pl2 at all?
> 
> Because it's the upstream fix and doesn't harm.  Contrary to
> tetex-bin this is only a minor part of the correction for cups and
> xpdf.  The real vulnerability does not exist in tetex-bin, so
> there's no update needed.
> 
Would you be so kind to close that bug then?

Thanks and Regards,
  Hilmar
-- 
sigmentation fault



Reply sent to Hilmar Preusse <hille42@web.de>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:44:37 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:49:22 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:08:57 2017; Machine Name: buxtehude
