tetex-bin: CAN-2005-0064 fix was incomplete

Bug #15018 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
tetex-bin (Debian) | Fix Released | Unknown | |
tetex-bin (Ubuntu) | Invalid | High | Martin Pitt |

Bug Description

Automatically imported from Debian bug report #303288 http://bugs.debian.org/303288

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 05 Apr 2005 22:06:04 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: tetex-bin: CAN-2005-0064 fix was incomplete

Package: tetex-bin
Version: 2.0.2-27
Severity: grave
Tags: security patch
Justification: user security hole

Dear TeX maintainers,
the patch you used to fix CAN-2005-0064 in -26 seems to have been derived from
xpdf 3.00-12, which unfortunately was missing a portion of the security fix
(the one that is referenced as xpdf 3.00pl3 at the xpdf website, this has been
fixed in xpdf 3.00-13). Attached patch provides the necessary fix for the
tetex-bin package.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages tetex-bin depends on:
ii debconf 1.4.47 Debian configuration management sy
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii dpkg 1.10.27 Package maintenance system for Deb
ii ed 0.2-20 The classic unix line editor
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgcc1 1:4.0-0pre2 GCC support library
ii libice6 4.3.0.dfsg.1-12.0.1 Inter-Client Exchange library
ii libkpathsea3 2.0.2-27 path search library for teTeX (run
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsm6 4.3.0.dfsg.1-12.0.1 X Window System Session Management
ii libstdc++5 1:3.3.5-12 The GNU Standard C++ Library v3
ii libt1-5 5.0.2-3 Type 1 font rasterizer library - r
ii libwww0 5.4.0-9 The W3C WWW library
ii libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii libxaw7 4.3.0.dfsg.1-12.0.1 X Athena widget set library
ii libxext6 4.3.0.dfsg.1-12.0.1 X Window System miscellaneous exte
ii libxmu6 4.3.0.dfsg.1-12.0.1 X Window System miscellaneous util
ii libxt6 4.3.0.dfsg.1-12.0.1 X Toolkit Intrinsics
ii mime-support 3.31-1 MIME files 'mime.types' & 'mailcap
ii perl 5.8.4-8 Larry Wall's Practical Extraction
ii sed 4.1.4-2 The GNU sed stream editor
ii tetex-base 2.0.2c-7 Basic library files of teTeX
ii ucf 1.17 Update Configuration File: preserv
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime

-- debconf information excluded


Martin Pitt (pitti) wrote :

Hi!

tetex-bin is not affected by the keyLength patch, since encryption is
disabled in tetex-bin and the relevant part of XRef.cc is not even
compiled.

Please close this bug.

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org

Martin Pitt (pitti) wrote :

tetex-bin does not use encryption and the relevant code, so this patch is
unnecessary for tetex-bin. I also followed up on the Debian bug, should appear
here soon.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 6 Apr 2005 14:31:40 +0200
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: tetex-bin: CAN-2005-0064 fix was incomplete

Hi!

tetex-bin is not affected by the keyLength patch, since encryption is
disabled in tetex-bin and the relevant part of XRef.cc is not even
compiled.

Please close this bug.

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org

Moritz Muehlenhoff (jmm-inutil) wrote : I missed the missing encryption support

Hi,
I missed that. I'm closing the bug.

Cheers,
        Moritz

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 6 Apr 2005 16:32:33 +0200
From: Moritz Muehlenhoff <email address hidden>
To: <email address hidden>
Subject: I missed the missing encryption support

Hi,
I missed that. I'm closing the bug.

Cheers,
        Moritz

Changed in tetex-bin:
status: Unknown → Fix Released