tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tetex-bin (Debian) |
Fix Released
|
Unknown
|
|||
tetex-bin (Ubuntu) |
Invalid
|
High
|
Martin Pitt |
Bug Description
Automatically imported from Debian bug report #300182 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <20050318091619
Date: Fri, 18 Mar 2005 10:16:19 +0100
From: Hilmar Preusse <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
--69pVuxX8awAiJ7fD
Content-Type: multipart/mixed; boundary=
Content-
--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-
Content-
Package: tetex-bin
Version: 2.0.2-26
Severity: critical
Tags: security
Hi all,
As recently discovered the patch, which fixed CAN-2004-0888, seems to
be broken on all 64bit platforms (tested only on ia64 though).[1]
Attched are two patches, which should fix that. They are simply
stolen from the RedHat BTS.[2]
H.
[1] e.g.: http://
[2] https:/
--=20
sigmentation fault
--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-
@@ -186,6 +192,11 @@
}
if (start >= pagesSize) {
pagesSize += 32;
+ if (pagesSize*
+ pagesSize*
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-
Content-
--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700
+++ XRef.cc 2004-09-25 17:59:36.000000000 -0700
@@ -76,6 +76,12 @@
=20
// trailer is ok - read the xref table
} else {
+ if (size*(
+ error(-1, "Invalid 'size' inside xref table.");
+ ok =3D gFalse;
+ errCode =3D errDamaged;
+ return;
+ }
entries =3D (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
for (i =3D 0; i < size; ++i) {
@@ -267,6 +273,10 @@
// table size
if (first + n > size) {
newSize =3D size + 256;
+ if (newSize*
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
entries =3D (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntr=
y));
for (i =3D size; i < newSize; ++i) {
entries[i].offset =3D 0xffffffff;
@@ -410,6 +420,10 @@
if (!strncmp(p, "obj", 3)) {
if (num >=3D size) {
newSize =3D (num + 1 + 255) & ~255;
+ if (newSize*
) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
entries =3D (XRefEntry *)
for (i =3D size; i < newSize; ++i) {
@@ -431,6 +445,11 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen =3D=3D streamEndsSize) {
streamEndsSize +=3D 64;
+ if (streamEndsSize
e) {
+ error(-1, "Invalid 'endstream' par...
In Debian Bug tracker #300182, Frank Küster (frank-debian) wrote : Re: xpdf vulnerability? | #3 |
Micah Anderson <email address hidden> wrote:
> Unfortunately, it takes some deep digging sometimes.
Thank you very much for that work.
> I searched Redhat's Bugzilla, and found this:
> https:/
[...]
> Can you determine if tetex-bin, pdftohtml and xpdf have this in Sarge?
As for tetex-bin, I *think* it is not vulnerable. But I really want
others to check this, since I don't know much about types in C++, or C++
anyway. Here comes my analysis:
1. The original patch for xpdf, as issued by xpdf upstream, and
according to the above URL used by RH for tetex, does the following:
+ if (size*sizeof(
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ errCode = errDamaged;
+ return;
+ }
This is a kind of silly way to do it, and relies on the compiler not
optimizing away the construct. Joey has indicated this to me, and
suggested a different patch, which I used:
+ if (size < 0 || size >= INT_MAX/
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ errCode = errDamaged;
+ return;
+ }
The 64bit problem now happens on the left hand side of the original
patch, quoting from the above URL:
,----
| won't succeed, because the left side of the condition is evaluated as
| 64bit integer by default. (all the arithmetic in the expression is
| done in the widest integer type, which is 64bit, because of
| sizeof(XRefEntry), even if "size" is 32bit so the explicit casting in
| the numerator of the fraction has to be added).
`----
Therefore, if size would overflow a 32bit integer, but not a 64bit
integer, it will still not trigger the condition. Later on in the
code,
,----
| In case of memory allocation:
|
| entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
|
| it's truncated to 32bits as prototype of gmalloc is:
|
| void *gmalloc(int);
|
| so the overflow check won't detect the overflow presented by bad5.pdf
| and leads to segfault,
`----
So the question is whether our changed patch is vulnerable to this:
+ if (size < 0 || size >= INT_MAX/
The value of INT_MAX, as defined in /usr/include/
depend on the architecture (just compared the values on my i386
against merulo (ia64)). Therefore this will *always* check whether
size times sizeof(XRefEntry) fits into a (32bit) int, as needed for
gmalloc, and all is well.
Am I wrong? If not, then tetex-bin has no problem, also not in
woody. And then also pdftohmtl is okay, because I used the same patch
for pdftohml back then.
xpdf seems safe, too. The code is different, of course, beeing 3.0
and not 1.something, but at least there are safe checks in it:
,---- XRef.cc
| if (newSize >= INT_MAX/
| error(-1, "Invalid 'obj' parameters'");
| goto err1;
| }
|
| entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
| for (i = size; i < newSize; ++i) {
`----
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Develope...
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Fri, 18 Mar 2005 15:53:49 +0100
From: =?iso-8859-
To: Micah Anderson <email address hidden>
Cc: debian-tetex-maint <email address hidden>,
<email address hidden>, <email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>
Subject: Re: xpdf vulnerability?
Micah Anderson <email address hidden> wrote:
> Unfortunately, it takes some deep digging sometimes.=20
Thank you very much for that work.
> I searched Redhat's Bugzilla, and found this:
> https:/
[...]
> Can you determine if tetex-bin, pdftohtml and xpdf have this in Sarge?
As for tetex-bin, I *think* it is not vulnerable. But I really want
others to check this, since I don't know much about types in C++, or C++
anyway. Here comes my analysis:
1. The original patch for xpdf, as issued by xpdf upstream, and
according to the above URL used by RH for tetex, does the following:
+ if (size*sizeof(
+ error(-1, "Invalid 'size' inside xref table.");
+ ok =3D gFalse;
+ errCode =3D errDamaged;
+ return;
+ }
This is a kind of silly way to do it, and relies on the compiler not
optimizing away the construct. Joey has indicated this to me, and
suggested a different patch, which I used:
+ if (size < 0 || size >=3D INT_MAX/
+ error(-1, "Invalid 'size' inside xref table.");
+ ok =3D gFalse;
+ errCode =3D errDamaged;
+ return;
+ }
The 64bit problem now happens on the left hand side of the original
patch, quoting from the above URL:
,----
| won't succeed, because the left side of the condition is evaluated as
| 64bit integer by default. (all the arithmetic in the expression is
| done in the widest integer type, which is 64bit, because of
| sizeof(XRefEntry), even if "size" is 32bit so the explicit casting in
| the numerator of the fraction has to be added).
`----
Therefore, if size would overflow a 32bit integer, but not a 64bit
integer, it will still not trigger the condition. Later on in the
code,=20
,----
| In case of memory allocation:
|=20
| entries =3D (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
|=20
| it's truncated to 32bits as prototype of gmalloc is:
|=20
| void *gmalloc(int);
|=20
| so the overflow check won't detect the overflow presented by bad5.pdf
| and leads to segfault,
`----
So the question is whether our changed patch is vulnerable to this:
+ if (size < 0 || size >=3D INT_MAX/
The value of INT_MAX, as defined in /usr/include/
depend on the architecture (just compared the values on my i386
against merulo (ia64)). Therefore this will *always* check whether
size times sizeof(XRefEntry) fits into a (32bit) int, as needed for
gmalloc, and all is well.
Am I wrong? If not, then tetex-bin has no problem, also not in
woody. And then also pdftohmtl is okay, because I used the same patch
for pdftohml back then.
xpdf seems safe, too. The ...
In Debian Bug tracker #300182, Joey Hess (joeyh) wrote : Re: Bug#300182: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206) | #5 |
Hilmar Preusse wrote:
> As recently discovered the patch, which fixed CAN-2004-0888, seems to
> be broken on all 64bit platforms (tested only on ia64 though).[1]
Note that CAN-2005-0206 has been assigned for this issue.
BTW, since you were able to track this one down, do you have any info
about the other packages (cupsys, xpdf, etc) that also has
CAN-2004-0888? Do they also need fixes, and do you have a patch for
them?
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Fri, 18 Mar 2005 17:14:22 -0500
From: Joey Hess <email address hidden>
To: Hilmar Preusse <email address hidden>, <email address hidden>
Subject: Re: Bug#300182: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
--VbJkn9YxBvnuCH5J
Content-Type: text/plain; charset=us-ascii
Content-
Content-
Hilmar Preusse wrote:
> As recently discovered the patch, which fixed CAN-2004-0888, seems to
> be broken on all 64bit platforms (tested only on ia64 though).[1]
Note that CAN-2005-0206 has been assigned for this issue.
BTW, since you were able to track this one down, do you have any info
about the other packages (cupsys, xpdf, etc) that also has
CAN-2004-0888? Do they also need fixes, and do you have a patch for
them?
--=20
see shy jo
--VbJkn9YxBvnuCH5J
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCO1K+
BrTNMgyXteo7q1F
=cNYr
-----END PGP SIGNATURE-----
--VbJkn9YxBvnuC
In Debian Bug tracker #300182, Frank Küster (frank-debian) wrote : | #7 |
Joey Hess <email address hidden> schrieb:
> Hilmar Preusse wrote:
>> As recently discovered the patch, which fixed CAN-2004-0888, seems to
>> be broken on all 64bit platforms (tested only on ia64 though).[1]
>
> Note that CAN-2005-0206 has been assigned for this issue.
>
> BTW, since you were able to track this one down, do you have any info
> about the other packages (cupsys, xpdf, etc) that also has
> CAN-2004-0888? Do they also need fixes, and do you have a patch for
> them?
Cupsys not. They don't use the code any more, instead they use system
calls to the programs in xpdf-utils.
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
In Debian Bug tracker #300182, Frank Küster (frank-debian) wrote : | #8 |
Joey Hess <email address hidden> schrieb:
> Hilmar Preusse wrote:
>> As recently discovered the patch, which fixed CAN-2004-0888, seems to
>> be broken on all 64bit platforms (tested only on ia64 though).[1]
>
> Note that CAN-2005-0206 has been assigned for this issue.
>
> BTW, since you were able to track this one down, do you have any info
> about the other packages (cupsys, xpdf, etc) that also has
> CAN-2004-0888? Do they also need fixes, and do you have a patch for
> them?
Did you read my analysis I sent to the bug address? I think we are not
vulnerably, but I am not sure; I'd be glad if somebody else looked over
it and agreed with me...
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
Debian Bug Importer (debzilla) wrote : | #9 |
Message-ID: <email address hidden>
Date: Sat, 19 Mar 2005 20:18:42 +0100
From: =?iso-8859-
To: Joey Hess <email address hidden>
Cc: <email address hidden>, Hilmar Preusse <email address hidden>
Subject: Re: Bug#300182: tetex-bin still vulnerable to CAN-2004-0888
(CAN-2005-0206)
Joey Hess <email address hidden> schrieb:
> Hilmar Preusse wrote:
>> As recently discovered the patch, which fixed CAN-2004-0888, seems to
>> be broken on all 64bit platforms (tested only on ia64 though).[1]
>
> Note that CAN-2005-0206 has been assigned for this issue.
>
> BTW, since you were able to track this one down, do you have any info
> about the other packages (cupsys, xpdf, etc) that also has
> CAN-2004-0888? Do they also need fixes, and do you have a patch for
> them?
Cupsys not. They don't use the code any more, instead they use system
calls to the programs in xpdf-utils.
Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Sat, 19 Mar 2005 20:46:17 +0100
From: =?iso-8859-
To: Joey Hess <email address hidden>
Cc: <email address hidden>, Hilmar Preusse <email address hidden>
Subject: Re: Bug#300182: tetex-bin still vulnerable to CAN-2004-0888
(CAN-2005-0206)
Joey Hess <email address hidden> schrieb:
> Hilmar Preusse wrote:
>> As recently discovered the patch, which fixed CAN-2004-0888, seems to
>> be broken on all 64bit platforms (tested only on ia64 though).[1]
>
> Note that CAN-2005-0206 has been assigned for this issue.
>
> BTW, since you were able to track this one down, do you have any info
> about the other packages (cupsys, xpdf, etc) that also has
> CAN-2004-0888? Do they also need fixes, and do you have a patch for
> them?
Did you read my analysis I sent to the bug address? I think we are not
vulnerably, but I am not sure; I'd be glad if somebody else looked over
it and agreed with me...
Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer
In Debian Bug tracker #300182, Martin Pitt (pitti) wrote : | #11 |
Hi!
Hilmar, where did you see patches like
+ if (pagesSize*
+ pagesSize*
in the current tetex-bin package? debian/
already has correct patches. Also, "advanced static code analysis"
shows that the wrong approach is not used:
~/tex/tetex-
./libs/
./libs/
./libs/
./libs/
./debian/
./debian/
./debian/
./debian/
./debian/
./debian/
./debian/
./debian/
At the time the patch was fixed, the new CAN number was not yet
assigned, so it does not appear in the changelog. So it would be nice
to add the CAN to the changelog.
This was the relevant upload (I think):
tetex-bin (2.0.2-24) unstable; urgency=high
* SECURITY UPDATE: more buffer overflows in xpdf library, thanks to
Martin Pitt <email address hidden> for the tetex-bin-specific patch, which
fixes more integer overflows discovered by Markus Meissner
<email address hidden>, thanks to him for discovering this.
* Added debian/
first fix included in the last upload, as well as the additional fixes
from this upload, which are:
[...]
Please close this bug.
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
Martin Pitt (pitti) wrote : | #12 |
This was already fixed ages ago, and does not affect any Ubuntu/Debian
distribution. Detailed analysis was sent to debbugs, will appear here soon.
Debian Bug Importer (debzilla) wrote : | #13 |
Message-ID: <email address hidden>
Date: Mon, 21 Mar 2005 10:09:36 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-
Content-
Hi!
Hilmar, where did you see patches like
+ if (pagesSize*
+ pagesSize*
in the current tetex-bin package? debian/
already has correct patches. Also, "advanced static code analysis"
shows that the wrong approach is not used:
~/tex/tetex-
=2E/libs/
of(Page *));
=2E/libs/
eof(Ref));
=2E/libs/
ize * sizeof(Page *));
=2E/libs/
gesSize * sizeof(Ref));
=2E/debian/
(Page *) ||
=2E/debian/
(Ref)) {
=2E/debian/
ize * sizeof(Page *));
=2E/debian/
Size * sizeof(Ref));
=2E/debian/
sizeof(Page *) ||
=2E/debian/
sizeof(Ref)) {
=2E/debian/
, pagesSize * sizeof(Page *));
=2E/debian/
Refs, pagesSize * sizeof(Ref));
At the time the patch was fixed, the new CAN number was not yet
assigned, so it does not appear in the changelog. So it would be nice
to add the CAN to the changelog.
This was the relevant upload (I think):
tetex-bin (2.0.2-24) unstable; urgency=3Dhigh
* SECURITY UPDATE: more buffer overflows in xpdf library, thanks to
Martin Pitt <email address hidden> for the tetex-bin-specific patch, which
fixes more integer overflows discovered by Markus Meissner
<email address hidden>, thanks to him for discovering this.
* Added debian/
first fix included in the last upload, as well as the additional fixes
from this upload, which are:
[...]
Please close this bug.
Martin
--=20
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
--k1lZvvs/B4yU6o8G
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCPo9QDec
ujfOgg0b+
=8nIL
-----END PGP ...
In Debian Bug tracker #300182, Hilmar Preusse (hille42) wrote : | #14 |
On 18.03.05 Joey Hess (<email address hidden>) wrote:
> Hilmar Preusse wrote:
Hi,
> > As recently discovered the patch, which fixed CAN-2004-0888,
> > seems to be broken on all 64bit platforms (tested only on ia64
> > though).[1]
>
> Note that CAN-2005-0206 has been assigned for this issue.
>
> BTW, since you were able to track this one down, do you have any
> info about the other packages (cupsys, xpdf, etc) that also has
> CAN-2004-0888? Do they also need fixes, and do you have a patch for
> them?
>
Martin Pitt <martin <at> piware.de> told me, that tetex-bin is not
vulnerable as the file debian/
not the original patch form the xpdf developer, but already a fixed
version of the patch. So we should not be affected.
Sorry for the confusion!
Hilmar
--
sigmentation fault
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <20050322103959
Date: Tue, 22 Mar 2005 11:39:59 +0100
From: Hilmar Preusse <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Cc: Martin Pitt <email address hidden>
Subject: Re: Bug#300182: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-
Content-
On 18.03.05 Joey Hess (<email address hidden>) wrote:
> Hilmar Preusse wrote:
Hi,
> > As recently discovered the patch, which fixed CAN-2004-0888,
> > seems to be broken on all 64bit platforms (tested only on ia64
> > though).[1]
>=20
> Note that CAN-2005-0206 has been assigned for this issue.
>=20
> BTW, since you were able to track this one down, do you have any
> info about the other packages (cupsys, xpdf, etc) that also has
> CAN-2004-0888? Do they also need fixes, and do you have a patch for
> them?
>=20
Martin Pitt <martin <at> piware.de> told me, that tetex-bin is not
vulnerable as the file debian/
not the original patch form the xpdf developer, but already a fixed
version of the patch. So we should not be affected.
Sorry for the confusion!
Hilmar
--=20
sigmentation fault
--XsQoSWH+UP9D9v3l
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Cygwin)
iQB1AwUBQj/
1vHVLirSQXAZMrr
6FdLu2R/
=OTL+
-----END PGP SIGNATURE-----
--XsQoSWH+
In Debian Bug tracker #300182, Frank Küster (frank-debian) wrote : | #16 |
Hi Martin,
Hilmar Preusse <email address hidden> wrote:
> On 18.03.05 Joey Hess (<email address hidden>) wrote:
>> Hilmar Preusse wrote:
>
> Hi,
>
>> > As recently discovered the patch, which fixed CAN-2004-0888,
>> > seems to be broken on all 64bit platforms (tested only on ia64
>> > though).[1]
>>
>> Note that CAN-2005-0206 has been assigned for this issue.
>>
>> BTW, since you were able to track this one down, do you have any
>> info about the other packages (cupsys, xpdf, etc) that also has
>> CAN-2004-0888? Do they also need fixes, and do you have a patch for
>> them?
>>
> Martin Pitt <martin <at> piware.de> told me, that tetex-bin is not
> vulnerable as the file debian/
> not the original patch form the xpdf developer, but already a fixed
> version of the patch.
Martin, good to hear that. Did you also read the other messages in this
thread, namely Hamish's confusion about CAN-2004-0888 vs. CAN-2004-0889?
And, by the way, why didn't you answer to the bug, or the security
list(s)?
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
In Debian Bug tracker #300182, Frank Küster (frank-kuesterei) wrote : Re: xpdf vulnerability? | #17 |
Please please keep the bugnumber in the Cc!
Bastian Blank wrote:
> On Fri, Mar 18, 2005 at 12:04:21PM -0500, Hubert Chan wrote:
> > (which, if you're using from C++ code, you'll
> > have to #define __STDC_LIMIT_MACROS before you include stdint.h).
>
> This name is reserved. It is undefined behaviour if you define it.
So what is the recommended way to do this correctly? And why is my
analysis wrong that INT_MAX is defined in limits.h?
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
In Debian Bug tracker #300182, Martin Pitt (pitti) wrote : Re: Bug#300182: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206) | #18 |
Hi!
Frank Küster [2005-03-22 12:49 +0100]:
> Martin, good to hear that. Did you also read the other messages in this
> thread, namely Hamish's confusion about CAN-2004-0888 vs. CAN-2004-0889?
He is certainly not the only one who is confused about these. All
patches that I ever saw fix both CANs, and the description of both
CANs are nearly identical. I really don't know which particular fix
belongs to which CAN.
> And, by the way, why didn't you answer to the bug, or the security
> list(s)?
Hmm, I replied to <email address hidden> and I can see my
reply at
http://
Didn't you get this mail? If not, I shall probably reply to
<email address hidden> in addition, but I thought this would happen
automatically.
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian Developer http://
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Tue, 22 Mar 2005 12:49:06 +0100
From: =?iso-8859-
To: Martin Pitt <email address hidden>
Cc: <email address hidden>, Joey Hess <email address hidden>,
Hilmar Preusse
<email address hidden>
Subject: Re: Bug#300182: tetex-bin still vulnerable to CAN-2004-0888
(CAN-2005-0206)
Hi Martin,
Hilmar Preusse <email address hidden> wrote:
> On 18.03.05 Joey Hess (<email address hidden>) wrote:
>> Hilmar Preusse wrote:
>
> Hi,
>
>> > As recently discovered the patch, which fixed CAN-2004-0888,
>> > seems to be broken on all 64bit platforms (tested only on ia64
>> > though).[1]
>>=20
>> Note that CAN-2005-0206 has been assigned for this issue.
>>=20
>> BTW, since you were able to track this one down, do you have any
>> info about the other packages (cupsys, xpdf, etc) that also has
>> CAN-2004-0888? Do they also need fixes, and do you have a patch for
>> them?
>>=20
> Martin Pitt <martin <at> piware.de> told me, that tetex-bin is not
> vulnerable as the file debian/
> not the original patch form the xpdf developer, but already a fixed
> version of the patch.
Martin, good to hear that. Did you also read the other messages in this
thread, namely Hamish's confusion about CAN-2004-0888 vs. CAN-2004-0889?
And, by the way, why didn't you answer to the bug, or the security
list(s)?=20
Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Tue, 22 Mar 2005 12:52:20 +0100
From: <email address hidden> (=?iso-
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: xpdf vulnerability?
Please please keep the bugnumber in the Cc!
Bastian Blank wrote:
> On Fri, Mar 18, 2005 at 12:04:21PM -0500, Hubert Chan wrote:
> > (which, if you're using from C++ code, you'll
> > have to #define __STDC_LIMIT_MACROS before you include stdint.h).
>=20
> This name is reserved. It is undefined behaviour if you define it.
So what is the recommended way to do this correctly? And why is my
analysis wrong that INT_MAX is defined in limits.h?
Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer
Debian Bug Importer (debzilla) wrote : | #21 |
Message-ID: <email address hidden>
Date: Tue, 22 Mar 2005 13:09:12 +0100
From: Martin Pitt <email address hidden>
To: Frank =?iso-8859-
Cc: <email address hidden>, Joey Hess <email address hidden>,
Hilmar Preusse <email address hidden>
Subject: Re: Bug#300182: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
--HcAYCG3uE/tztfnV
Content-Type: text/plain; charset=iso-8859-1
Content-
Content-
Hi!
Frank K=FCster [2005-03-22 12:49 +0100]:
> Martin, good to hear that. Did you also read the other messages in this
> thread, namely Hamish's confusion about CAN-2004-0888 vs. CAN-2004-0889?
He is certainly not the only one who is confused about these. All
patches that I ever saw fix both CANs, and the description of both
CANs are nearly identical. I really don't know which particular fix
belongs to which CAN.
> And, by the way, why didn't you answer to the bug, or the security
> list(s)?=20
Hmm, I replied to <email address hidden> and I can see my
reply at
http://
Didn't you get this mail? If not, I shall probably reply to
<email address hidden> in addition, but I thought this would happen
automatically.
Martin
--=20
Martin Pitt http://
Ubuntu Developer http://
Debian Developer http://
--HcAYCG3uE/tztfnV
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCQAroDec
K9+8fZ91eQpw6vg
=TqgV
-----END PGP SIGNATURE-----
--HcAYCG3uE/
In Debian Bug tracker #300182, Frank Küster (frank-kuesterei) wrote : tetex-bin not vulnerable | #22 |
After the discussion on -security, starting with
http://
it is clear that tetex-bin is not vulnerably in woody, sarge or sid.
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
Debian Bug Importer (debzilla) wrote : | #23 |
Message-ID: <email address hidden>
Date: Tue, 29 Mar 2005 15:25:37 +0200
From: <email address hidden> (=?iso-
To: <email address hidden>
Subject: tetex-bin not vulnerable
After the discussion on -security, starting with
http://
it is clear that tetex-bin is not vulnerably in woody, sarge or sid.
Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer
Changed in tetex-bin: | |
status: | Unknown → Fix Released |
Automatically imported from Debian bug report #300182 http:// bugs.debian. org/300182