Debian Bug report logs - #639645
opu: package xpdf/3.02-1.4+lenny4


Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 28 Aug 2011 22:54:02 UTC

Severity: normal

Tags: confirmed, lenny

Fixed in version 5.0.10

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639642; Package release.debian.org. (Sun, 28 Aug 2011 22:54:05 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 28 Aug 2011 22:54:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Cc: jmw@debian.org
Subject: pu: package xpdf/3.02-12squeeze1 and xpdf/3.02-1.4+lenny4
Date: Sun, 28 Aug 2011 18:56:48 -0400
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Severity: normal

I've prepared proposed updates for the stable xpdf packages fixing a
few security issues.  See attached debdiffs.

Best wishes,
Mike
[xpdf-lenny.debdiff (application/octet-stream, attachment)]
[xpdf-squeeze.debdiff (application/octet-stream, attachment)]

Bug 639642 cloned as bug 639645. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 28 Aug 2011 23:30:09 GMT)

Added tag(s) lenny. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 28 Aug 2011 23:30:12 GMT)

Changed Bug title to 'opu: package xpdf/3.02-1.4+lenny4' from 'pu: package xpdf/3.02-12squeeze1 and xpdf/3.02-1.4+lenny4'. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 28 Aug 2011 23:30:14 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Sat, 17 Sep 2011 18:45:16 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 17 Sep 2011 18:45:16 GMT)

Message #16 received at 639645@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 639645@bugs.debian.org
Subject: re: opu: package xpdf/3.02-1.4+lenny4
Date: Sat, 17 Sep 2011 14:50:01 -0400
I've decided that it's too risky to disable t1lib in lenny as the
version of freetype there has some known issues.

Attached is a new debdiff for this proposed-update.

Best wishes,
Mike
[xpdf-lenny.debdiff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Sat, 24 Sep 2011 12:27:03 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 24 Sep 2011 12:27:13 GMT)

Message #21 received at 639645@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 639645@bugs.debian.org
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Sat, 24 Sep 2011 13:24:03 +0100
[Apologies for the delay in getting back to you on this]

On Sat, 2011-09-17 at 14:50 -0400, Michael Gilbert wrote: 
> I've decided that it's too risky to disable t1lib in lenny as the
> version of freetype there has some known issues.

What's the feasibility of fixing the issues in freetype?

> Attached is a new debdiff for this proposed-update.

-       dh_installchangelogs -pxpdf-common CHANGES
+       dh_installchangelogs -pxpdf-common CHANGES debian/NEWS.Debian
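Review bot: the positional argument of dh_installchangelogs is the upstream changelog, so passing debian/NEWS.Debian there is the wrong mechanism for shipping a NEWS file; name the file debian/NEWS (or debian/xpdf-common.NEWS for that binary package) and debhelper installs it as NEWS.Debian with no change to this line.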

If the file's named "debian/NEWS", dh_installchangelogs should just
dtrt.  In any case, I'm not entirely convinced that a NEWS file is the
right location to be making a statement that seems in danger of
approaching "this package isn't getting security support in lenny".

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Sat, 24 Sep 2011 21:45:11 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 24 Sep 2011 21:45:11 GMT)

Message #26 received at 639645@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 639645@bugs.debian.org
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Sat, 24 Sep 2011 17:50:55 -0400
Adam D. Barratt wrote:

> [Apologies for the delay in getting back to you on this]
> 
> On Sat, 2011-09-17 at 14:50 -0400, Michael Gilbert wrote: 
> > I've decided that it's too risky to disable t1lib in lenny as the
> > version of freetype there has some known issues.
> 
> What's the feasibility of fixing the issues in freetype?

So, they're (in my opinion minor) font rendering issues, but I imagine
there will be many complaints if those do get broken in any way.  That
being the fact, those changes are rolled up into various upstream
commits that I haven't really sat down to figure out, and backporting
them to lenny seems rather tedious for little gain.

> > Attached is a new debdiff for this proposed-update.
> 
> -       dh_installchangelogs -pxpdf-common CHANGES
> +       dh_installchangelogs -pxpdf-common CHANGES debian/NEWS.Debian
> 
> If the file's named "debian/NEWS", dh_installchangelogs should just
> dtrt.  

If I recall, it didn't seem to do the right thing, which is why I
added that, but I'll recheck.

> In any case, I'm not entirely convinced that a NEWS file is the
> right location to be making a statement that seems in danger of
> approaching "this package isn't getting security support in lenny".

So, an EOL could be declared on t1lib, but there are many dependencies
on it.  So, I saw the news file as more of a tool to educate the user
on what to do to disable t1lib if they actually see these issues as
concerns.  Another possibility would be to set t1lib=no in the default
xpdfrc (which disables it) with instructions in NEWS.Debian on how to
reenable it.

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Thu, 29 Sep 2011 01:15:03 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 29 Sep 2011 01:15:03 GMT)

Message #31 received at 639645@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 639645@bugs.debian.org
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Wed, 28 Sep 2011 21:19:57 -0400
Michael Gilbert wrote:
> > In any case, I'm not entirely convinced that a NEWS file is the
> > right location to be making a statement that seems in danger of
> > approaching "this package isn't getting security support in lenny".
> 
> So, an EOL could be declared on t1lib, but there are many dependencies
> on it.  So, I saw the news file as more of a tool to educate the user
> on what to do to disable t1lib if they actually see these issues as
> concerns.  Another possibility would be to set t1lib=no in the default
> xpdfrc (which disables it) with instructions in NEWS.Debian on how to
> reenable it.

Any thoughts on what the right thing to do is here?  Whatever the
decision, that's what I'll implement, and I would really like to get
this into the upcoming lenny proposed-update.

Thanks,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Thu, 29 Sep 2011 13:15:06 GMT)

Message #34 received at 639645@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 639645@bugs.debian.org
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Thu, 29 Sep 2011 15:13:52 +0200
Hi,

On Wed, Sep 28, 2011 at 09:19:57PM -0400, Michael Gilbert wrote:
> Michael Gilbert wrote:
> > > In any case, I'm not entirely convinced that a NEWS file is the
> > > right location to be making a statement that seems in danger of
> > > approaching "this package isn't getting security support in lenny".
> > So, an EOL could be declared on t1lib, but there are many dependencies
> > on it.  So, I saw the news file as more of a tool to educate the user
> > on what to do to disable t1lib if they actually see these issues as
> > concerns.  Another possibility would be to set t1lib=no in the default
> > xpdfrc (which disables it) with instructions in NEWS.Debian on how to
> > reenable it.
> Any thoughts on what the right thing to do is here?  Whatever the
> decision, that's what I'll implement, and I would really like to get
> this into the upcoming lenny proposed-update.

it's certainly too late for the point release on this weekend.  The deadline
was Sunday.

That said, I really don't want to introduce behaviour changes due to security
updates in a point release.  Instead there should be a proper announcement
stating the pros and cons of re-enabling t1 support for those who need it, if
it's going to be deactivated by default.  Point releases are supposed to be
non-breaking bugfixes, it should not be needed to read the announcement for
them.  For security updates there is often important information in the
announcement, like the dropped support for some Java VM variants in DSA 2311-1.

So if you feel that this is important enough to disable the functionality and
that the functionality is used widely enough that it warrants that the users
ought to be informed about the regression, please make sure that an
announcement is made to the proper venue, which is -security-announce.  

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Sun, 15 Jan 2012 17:24:03 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 15 Jan 2012 17:24:03 GMT)

Message #39 received at 639645@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 639645@bugs.debian.org
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Sun, 15 Jan 2012 17:21:03 +0000
On Sat, 2011-09-17 at 14:50 -0400, Michael Gilbert wrote:
> I've decided that it's too risky to disable t1lib in lenny as the
> version of freetype there has some known issues.
> 
> Attached is a new debdiff for this proposed-update.

+xpdf (3.02-1.4+lenny4) oldstable-proposed-updates; urgency=low
+
+  * Fix cve-2011-2902: insecure tempfile usage in zxpdf.
+  * Add NEWS.Debian with information about a set of unfixed t1lib issues
+    (cve-2011-0764, cve-2011-1552, cve-2011-1553, and cve-2011-1554).
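Review bot: the first bullet names the CVE but not the mechanism of the fix; a changelog line such as "Fix CVE-2011-2902: zxpdf created its temporary file under a predictable name; use mktemp" lets reviewers and the security tracker verify the change without opening the debdiff. The second bullet describes documentation of issues this upload does not fix; if those t1lib issues are addressed elsewhere it should be dropped along with the NEWS.Debian file so the entry records only what this package changes.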

DSA 2388 appears to have resolved all of those issues, so I guess we
could look at an update containing just the insecure tempfile change?

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Mon, 16 Jan 2012 14:09:06 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 16 Jan 2012 14:09:06 GMT)

Message #44 received at 639645@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 639645@bugs.debian.org
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Mon, 16 Jan 2012 09:06:29 -0500
On Sun, Jan 15, 2012 at 12:21 PM, Adam D. Barratt wrote:
> On Sat, 2011-09-17 at 14:50 -0400, Michael Gilbert wrote:
>> I've decided that it's too risky to disable t1lib in lenny as the
>> version of freetype there has some known issues.
>>
>> Attached is a new debdiff for this proposed-update.
>
> +xpdf (3.02-1.4+lenny4) oldstable-proposed-updates; urgency=low
> +
> +  * Fix cve-2011-2902: insecure tempfile usage in zxpdf.
> +  * Add NEWS.Debian with information about a set of unfixed t1lib issues
> +    (cve-2011-0764, cve-2011-1552, cve-2011-1553, and cve-2011-1554).
>
> DSA 2388 appears to have resolved all of those issues, so I guess we
> could look at an update containing just the insecure tempfile change?

Yes, that's correct.  I'll ready a new package.

Best wishes,
Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Mon, 16 Jan 2012 15:51:07 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 16 Jan 2012 15:51:07 GMT)

Message #49 received at 639645@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 639645@bugs.debian.org
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Mon, 16 Jan 2012 10:48:07 -0500
On Mon, Jan 16, 2012 at 9:06 AM, Michael Gilbert wrote:
>> DSA 2388 appears to have resolved all of those issues, so I guess we
>> could look at an update containing just the insecure tempfile change?
>
> Yes, that's correct.  I'll ready a new package.

Please review the attached patch that addresses this issue.

Thanks,
Mike
[xpdf-lenny.debdiff (application/octet-stream, attachment)]
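The attached debdiff is not reproduced in this log. As an added illustration of the bug class the changelog above names for CVE-2011-2902 (insecure tempfile usage in the zxpdf wrapper), here is a zxpdf-style POSIX shell wrapper that decompresses a gzip'd PDF before viewing it; this is not the Debian package's script. The predictable-name function is shown only for contrast and is an assumed pattern, not taken from the package; the mktemp-based private directory is the form a fixed wrapper should use. Function names and the sample gzip'd input are constructed, and the mode check assumes GNU or busybox stat.

```shell
#!/bin/sh
# Added example: a zxpdf-style wrapper that decompresses a gzip'd PDF to a
# temporary file before viewing it. Not the Debian package's script.
set -eu

# Predictable name in a shared directory (illustrative of the bug class,
# not taken from the package): another local user can pre-create or symlink
# this path, so the decompressed data lands wherever they choose.
insecure_tmp_name() {
    printf '/tmp/zxpdf.%s\n' "$$"
}

# Hardened: mktemp -d creates a 0700 directory with an unpredictable name,
# so the file inside cannot be raced or pre-created by anyone else.
make_private_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/zxpdf.XXXXXX"
}

# Decompress $1 (a .gz) into a private temp dir; prints the temp file path.
decompress_to_private_tmp() {
    in="$1"
    dir=$(make_private_tmpdir)
    out="$dir/$(basename "$in" .gz)"
    # umask in a subshell so the 0600 file mode does not leak to the caller
    ( umask 077; gunzip -c "$in" > "$out" )
    printf '%s\n' "$out"
}

# Remove the temp dir holding $1, refusing paths outside our own template.
cleanup_private_tmp() {
    case "$1" in
        */zxpdf.??????/*) rm -rf -- "$(dirname "$1")" ;;
        *) return 1 ;;
    esac
}

# True when the temp dir is 0700 and the file inside it is 0600 (GNU stat).
is_private_file() {
    [ "$(stat -c %a "$(dirname "$1")")" = 700 ] && [ "$(stat -c %a "$1")" = 600 ]
}

# Self-check on a constructed gzip'd input (sample bytes, not a real PDF).
# Returns 0 when the file is private, has the expected content, and cleans up.
self_check() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/sample.XXXXXX")
    printf '%%PDF-1.4\n%% constructed sample\n' | gzip -c > "$work/doc.pdf.gz"
    tmp=$(decompress_to_private_tmp "$work/doc.pdf.gz")
    ok=1
    is_private_file "$tmp" || ok=0
    [ "$(head -c 8 "$tmp")" = '%PDF-1.4' ] || ok=0
    cleanup_private_tmp "$tmp" || ok=0
    [ ! -e "$tmp" ] || ok=0
    rm -rf -- "$work"
    [ "$ok" = 1 ]
}
```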

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Mon, 16 Jan 2012 19:03:10 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 16 Jan 2012 19:03:10 GMT)

Message #54 received at 639645@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 639645@bugs.debian.org
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Mon, 16 Jan 2012 18:59:23 +0000
tag 639645 + confirmed
thanks

On Mon, 2012-01-16 at 10:48 -0500, Michael Gilbert wrote:
> On Mon, Jan 16, 2012 at 9:06 AM, Michael Gilbert wrote:
> >> DSA 2388 appears to have resolved all of those issues, so I guess we
> >> could look at an update containing just the insecure tempfile change?
> >
> > Yes, that's correct.  I'll ready a new package.
> 
> Please review the attached patch that addresses this issue.

Thanks.  Please go ahead.

Regards,

Adam





Added tag(s) confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 16 Jan 2012 19:03:13 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#639645; Package release.debian.org. (Tue, 07 Feb 2012 23:06:04 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 07 Feb 2012 23:06:04 GMT)

Message #61 received at 639645@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 639645@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#639645: opu: package xpdf/3.02-1.4+lenny4
Date: Tue, 07 Feb 2012 23:02:40 +0000
tag 639645 + pending
thanks

On Mon, 2012-01-16 at 18:59 +0000, Adam D. Barratt wrote:
> On Mon, 2012-01-16 at 10:48 -0500, Michael Gilbert wrote:
> > On Mon, Jan 16, 2012 at 9:06 AM, Michael Gilbert wrote:
> > >> DSA 2388 appears to have resolved all of those issues, so I guess we
> > >> could look at an update containing just the insecure tempfile change?
> > >
> > > Yes, that's correct.  I'll ready a new package.
> > 
> > Please review the attached patch that addresses this issue.
> 
> Thanks.  Please go ahead.

This finally got uploaded, and has just been accepted; thanks.

Regards,

Adam





Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 07 Feb 2012 23:06:05 GMT)

Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Sat, 10 Mar 2012 12:28:41 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 10 Mar 2012 12:28:45 GMT)

Message #68 received at 639645-done@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 639645-done@bugs.debian.org
Cc: 644149-done@bugs.debian.org, 656104-done@bugs.debian.org
Subject: Closing 5.0.10 bugs
Date: Sat, 10 Mar 2012 12:23:07 +0000
Version: 5.0.10

The packages corresponding to these bugs have now been included in the
5.0.10 point release.  I'm therefore closing the bugs.

Regards,

Adam





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Apr 2012 07:35:08 GMT)
