Comment 4 for bug 26650

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 07 Dec 2005 09:36:24 +0100
From: Frank Küster <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, Moritz Muehlenhoff <email address hidden>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in
 embedded xpdf copy

Dear security team,

Moritz Muehlenhoff <email address hidden> wrote:

> Package: tetex-bin
> Version: 3.0-10.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Multiple exploitable security problems have been found in xpdf, which are
> all present in tetex-bin's embedded xpdf copy as well

A patch is provided by upstream, and I'll be able to upload a fixed
version to sid in the next 2 or three days.

However, since I'm currently busy with real-life issues, I will *NOT* be
able to backport the patch to the stable version of tetex-bin, nor work
on the numerous other packages that contain xpdf code and that I have
prepared patches for or NMU'ed previously in similar cases.

Note also that testing still has the same upstream version as stable,
and other issues prevent the new version from migrating from sid to testing
soon.

Regards, Frank

P.S. Is anybody in contact with the xpdf upstream about providing a
dynamically shared library, or at least get clarification whether they
think distributions should try libpoppler instead? If not, would the
security team allow me to quote them as "We would very much appreciate
if such a library existed, and would urge maintainers and upstream
developers to switch to using it"?
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer