xpdf: Vulnerable to CAN-2004-1125

Bug #11418 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
xpdf (Debian) | Fix Released | Unknown | |
xpdf (Ubuntu) | Fix Released | High | Martin Pitt |

Bug Description

Automatically imported from Debian bug report #286983 http://bugs.debian.org/286983

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 13:51:27 +0100
From: Martin Pitt <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Cc: <email address hidden>
Subject: xpdf: Vulnerable to CAN-2004-1125

Package: xpdf
Version: 3.0.0-10
Severity: grave
Tags: security patch
Justification: user security hole

Hi Hamish!

xpdf is vulnerable to CAN-2004-1125, see

  http://www.idefense.com/application/poi/display?id=172

for details.

Woody is probably affected as well, but I did not check that.

You can get the Ubuntu security patch from

  http://patches.ubuntu.com/patches/xpdf.CAN-2004-1125.diff

Please note that xpdf code is also present in other packages like
tetex-bin, CUPS, gpdf, kpdf, kfax, xv, and possibly others. I already
patched the Ubuntu versions of tetex-bin and CUPS, I will write
separate bugs for these two packages.

Thanks,

Martin

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 24 Dec 2004 08:27:46 +1100
From: Hamish Moffatt <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#286983: xpdf: Vulnerable to CAN-2004-1125

On Thu, Dec 23, 2004 at 01:51:27PM +0100, Martin Pitt wrote:
> xpdf is vulnerable to CAN-2004-1125, see
>
> http://www.idefense.com/application/poi/display?id=172
>
> for details.

Thanks for the note. I uploaded -11 yesterday morning with
the upstream author's patch applied. Bug#286742 was filed,
though against xpdf-reader so you may have missed it.

> You can get the Ubuntu security patch from
> http://patches.ubuntu.com/patches/xpdf.CAN-2004-1125.diff

It appears to be functionally equivalent to Derek's patch but
with some reformatting.

Regards
Hamish
--
Hamish Moffatt VK3SB <email address hidden> <email address hidden>

Martin Pitt (pitti) wrote :

Already fixed in Warty (USN-48-1) and Hoary.

Changed in xpdf:
status: Unknown → Fix Released