Debian Bug report logs - #316546
tetex-bin: Please use libpoppler instead of a copy of xpdf code


Package: tetex-bin; Maintainer for tetex-bin is (unknown);

Reported by: Frank Küster <frank@debian.org>

Date: Fri, 1 Jul 2005 17:33:02 UTC

Severity: normal

Tags: patch

Found in version 3.0-4

Fixed in version tetex-bin/3.0-12

Done: Frank Küster <frank@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Frank Küster <frank@debian.org>, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#316546; Package tetex-bin.


Acknowledgement sent to Frank Küster <frank@debian.org>:
New Bug report received and forwarded. Copy sent to Frank Küster <frank@debian.org>, teTeX maintainers <debian-tetex-maint@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Frank Küster <frank@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tetex-bin: Please use libpoppler instead of a copy of xpdf code
Date: Fri, 01 Jul 2005 19:14:44 +0200
Package: tetex-bin
Version: 3.0-4
Severity: normal

pdftex uses code from xpdf to parse PDF files.  The code is copied to
the source tree and statically linked, and the different versions of
xpdf code proved to be a security nightmare.

Now that we have libpoppler in testing and unstable, we should really
try whether pdftex (and maybe also other programs?) can be compiled and
used with dynamic linking against libpoppler.

Does anybody on the list feel like trying this?

TIA, Frank


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-386
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages tetex-bin depends on:
ii  debconf [debconf-2.0]    1.4.30.13       Debian configuration management sy
ii  debianutils              2.8.4           Miscellaneous utilities specific t
ii  dpkg                     1.10.28         Package maintenance system for Deb
ii  ed                       0.2-20          The classic unix line editor
ii  libc6                    2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libgcc1                  1:3.4.3-13      GCC support library
ii  libice6                  4.3.0.dfsg.1-14 Inter-Client Exchange library
ii  libkpathsea4             3.0-4           path search library for teTeX (run
ii  libpaper1                1.1.14-3        Library for handling paper charact
ii  libpng12-0               1.2.8rel-1      PNG library - runtime
ii  libsm6                   4.3.0.dfsg.1-14 X Window System Session Management
ii  libstdc++5               1:3.3.5-13      The GNU Standard C++ Library v3
ii  libt1-5                  5.0.2-3         Type 1 font rasterizer library - r
ii  libx11-6                 4.3.0.dfsg.1-14 X Window System protocol client li
ii  libxaw7                  4.3.0.dfsg.1-14 X Athena widget set library
ii  libxext6                 4.3.0.dfsg.1-14 X Window System miscellaneous exte
ii  libxmu6                  4.3.0.dfsg.1-14 X Window System miscellaneous util
ii  libxpm4                  4.3.0.dfsg.1-14 X pixmap library
ii  libxt6                   4.3.0.dfsg.1-14 X Toolkit Intrinsics
ii  mime-support             3.28-1          MIME files 'mime.types' & 'mailcap
ii  perl                     5.8.4-8         Larry Wall's Practical Extraction 
ii  sed                      4.1.2-8         The GNU sed stream editor
ii  tetex-base               3.0-3.4         Basic library files of teTeX
ii  ucf                      1.17            Update Configuration File: preserv
ii  xlibs                    4.3.0.dfsg.1-14 X Keyboard Extension (XKB) configu
ii  zlib1g                   1:1.2.2-4       compression library - runtime

-- debconf information:
  tetex-bin/updmap-failed:
  tetex-bin/hyphen: french[=patois], ngerman[=naustrian-neue_Rechtschreibung]
  tetex-bin/oldcfg: true
* tetex-bin/upd_map: true
  tetex-bin/cnf_name:
* tetex-bin/fmtutil: true
* tetex-bin/use_debconf: false
  tetex-bin/fmtutil-failed:
* tetex-bin/groupname: users
* tetex-bin/userperm: false
* tetex-bin/groupperm: true
* tetex-bin/lsr-perms: true

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#316546; Package tetex-bin.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>.


Message #10 received at 316546@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 316546@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: tetex-bin: Please use libpoppler instead of a copy of xpdf code
Date: Mon, 12 Dec 2005 10:35:50 +0100
tag 316546 patch
thanks

Hi Frank!

After really getting annoyed by the current xpdf security update, I
finally gave this a shot. Surprisingly, building tetex-bin against
poppler was much easier than I thought. The code changes are minimal,
most of the effort is required to convince tetex-bin's build system to
ignore the internal xpdf copy.

I put the debdiff at

  http://patches.ubuntu.com/patches/tetex-bin.poppler.diff

It is a bit messy since it removes all of the existing xpdf patches
(so it might not apply cleanly since you might have slightly different
patches), but it should be easy enough to adapt it.

So, now the only thing left to do is to build xpdf-reader against
poppler. :)

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Tags added: patch Request was from Martin Pitt <mpitt@debian.org> to control@bugs.debian.org.


Reply sent to Frank Küster <frank@debian.org>:
You have taken responsibility.


Notification sent to Frank Küster <frank@debian.org>:
Bug acknowledged by developer.


Message #17 received at 316546-close@bugs.debian.org:

From: Frank Küster <frank@debian.org>
To: 316546-close@bugs.debian.org
Subject: Bug#316546: fixed in tetex-bin 3.0-12
Date: Tue, 13 Dec 2005 09:47:09 -0800
Source: tetex-bin
Source-Version: 3.0-12

We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:

libkpathsea4-dev_3.0-12_i386.deb
  to pool/main/t/tetex-bin/libkpathsea4-dev_3.0-12_i386.deb
libkpathsea4_3.0-12_i386.deb
  to pool/main/t/tetex-bin/libkpathsea4_3.0-12_i386.deb
tetex-bin_3.0-12.diff.gz
  to pool/main/t/tetex-bin/tetex-bin_3.0-12.diff.gz
tetex-bin_3.0-12.dsc
  to pool/main/t/tetex-bin/tetex-bin_3.0-12.dsc
tetex-bin_3.0-12_i386.deb
  to pool/main/t/tetex-bin/tetex-bin_3.0-12_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 316546@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Küster <frank@debian.org> (supplier of updated tetex-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 13 Dec 2005 17:32:37 +0100
Source: tetex-bin
Binary: tetex-bin libkpathsea4-dev libkpathsea4
Architecture: source i386
Version: 3.0-12
Distribution: unstable
Urgency: low
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Frank Küster <frank@debian.org>
Description: 
 libkpathsea4 - path search library for teTeX (runtime part)
 libkpathsea4-dev - path search library for teTeX (devel part)
 tetex-bin  - The teTeX binary files
Closes: 316546
Changes: 
 tetex-bin (3.0-12) unstable; urgency=low
 .
   * Because of the frequent security issues with xpdf, we do no longer use
     the included xpdf code, but libpoppler instead. Many thanks to Martin Pitt
     <martin.pitt@canonical.com> for the patch (closes: #316546) [frank]
   * Add debian/patches/patch-poppler to build the two files that require xpdf
     (texk/web2c/pdftexdir/{pdftosrc.cc,pdftoepdf.cc}) against poppler:
     - Adapt include file paths.
     - s/GString/GooString/ (poppler change to not conflict with glib).
     - Adapt GlobalParams() constructor.
     - web2c/pdftexdir/depend.mk: Removed, and re-generated with 'make depend'
       to get rid of all the zlib and xpdf references to the shipped sources.
     - configure.in: Set needs_libxpdf=no even when building with pdftex, to
       avoid trying to build the internal xpdf copy.
     - configure: Stripped down changes generated by running autoconf 2.13.
   * Removed xpdf security patches, they are not necessary any more.
   * debian/control: Build-Depend on libpoppler-dev.
   * debian/rules.in:
     - Build with XXCFLAGS='-I/usr/include/poppler' and LDFLAGS='-lpoppler'.
     - Remove libs/xpdf and libs/zlib before building, just to make sure that
       we really don't use it.
     - Clean debian/latex.info on clean to be able to build the
       source package after building binaries.
   * Add a build-dependency on libjpeg62-dev - pdfetex was linked against
     it even in older versions, but apparently the development library is
     no longer pulled in by other build-deps.
Files: 
 4ab87b04767675ad325e94918308f026 1043 tex optional tetex-bin_3.0-12.dsc
 349f0e6813c120388015254814ba14d4 129932 tex optional tetex-bin_3.0-12.diff.gz
 0a5eaad332054b37229325468a259df6 3491262 tex optional tetex-bin_3.0-12_i386.deb
 96bc99ded4769efc05b906864a0f8b09 74672 libs optional libkpathsea4_3.0-12_i386.deb
 54ff10bc8d6eabdd37e52d4ea1ef08f9 70024 libdevel optional libkpathsea4-dev_3.0-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDnwUi+xs9YyJS+hoRArGKAJwKs7YViItn1/ECZmwa/xgen0fsUACeLI4f
oRvZdvC9yIHm/Lgx9EK5nMI=
=RrpQ
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#316546; Package tetex-bin.


Acknowledgement sent to Frank Küster <frank@kuesterei.ch>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>.


Message #22 received at 316546@bugs.debian.org:

From: Frank Küster <frank@kuesterei.ch>
To: Martin Pitt <martin.pitt@canonical.com>
Cc: 316546@bugs.debian.org
Subject: libpoppler patch for tetex-bin, poppler security issues
Date: Wed, 28 Dec 2005 21:14:31 +0100
Hello Martin,

I found a problem with the patch you provided for using libpoppler to
compile tetex: Because of the LDFLAGS added to the make all call in
debian/rules, each and every binary was linked against libpoppler...

I have fixed this; the make call in debian/rules is restored to its old
version, and the updated patch is available at 

http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-poppler?op=file&rev=0&sc=0

This is already uploaded as tetex-bin_3.0-13.

One more question: Did you also contact xpdf's and poppler's upstream
about the changes we made compared to the original xpdf patches?  I
don't know how fast poppler synchronizes with xpdf, therefore I think
one should tell the poppler people directly, to be on the safe side.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
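
The overlinking problem described in the message above (LDFLAGS on the `make all` call making every binary depend on libpoppler) can be checked for mechanically after a build. The following is an added example, not part of the bug log or the tetex-bin packaging; the allow-list and the sample paths are assumptions, and the `readelf -d` output is constructed.

```shell
#!/bin/sh
# Added example (not from the tetex-bin packaging): list binaries that carry a
# NEEDED entry for libpoppler although they are not expected to use it.
# Input is `readelf -d FILE...` output, which prints a "File: NAME" header
# before each file's dynamic section when several files are given.

# Assumption: only the pdfTeX programs built from pdftoepdf.cc / pdftosrc.cc
# should need poppler; adjust the list to the package being audited.
ALLOWED="pdftex pdfetex pdftosrc"

# overlinked: read readelf -d output on stdin, print one offending path per line.
overlinked() {
    awk -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            file = "(unnamed)"          # single-file readelf output has no header
        }
        /^File: / { file = substr($0, 7); next }
        /\(NEEDED\)/ && /\[libpoppler\.so/ {
            base = file; sub(/.*\//, "", base)
            if (!(base in ok) && !(file in seen)) { seen[file] = 1; print file }
        }'
}

# Constructed sample: trimmed readelf -d output for three binaries.
sample_readelf() {
    cat <<'EOF'

File: debian/tetex-bin/usr/bin/pdfetex
 0x00000001 (NEEDED)                     Shared library: [libpoppler.so.0]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]

File: debian/tetex-bin/usr/bin/dvips
 0x00000001 (NEEDED)                     Shared library: [libkpathsea.so.4]
 0x00000001 (NEEDED)                     Shared library: [libpoppler.so.0]

File: debian/tetex-bin/usr/bin/kpsewhich
 0x00000001 (NEEDED)                     Shared library: [libkpathsea.so.4]
EOF
}

# Real use: readelf -d debian/tetex-bin/usr/bin/* 2>/dev/null | overlinked
if [ "${1:-}" = "--demo" ]; then sample_readelf | overlinked; fi
```

A non-empty result means a binary outside the allow-list would have to be rebuilt or re-examined on every poppler security update, which is the dependency footprint the corrected patch avoids.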




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 11:22:54 GMT)


Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:46:44 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:41:54 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:07:22 2017; Machine Name: buxtehude
