tetex-bin: Vulnerable to CAN-2004-1125

Automatically imported from Debian bug report #286984 http://bugs.debian.org/286984

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 13:54:00 +0100
From: Martin Pitt <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Cc: <email address hidden>
Subject: tetex-bin: Vulnerable to CAN-2004-1125

--UugvWAfsgieZRqgk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: tetex-bin
Version: 2.0.2-23
Severity: grave
Tags: security patch
Justification: user security hole

Hi teTeX maintainers!

Recently CAN-2004-1125 has been discovered in xpdf. Since tetex-bin
contains verbatim xpdf code (sigh), this package is affected as well.

You can get the Ubuntu security update patch from

  http://patches.ubuntu.com/patches/tetex-bin.CAN-2004-1125.diff

Thanks,

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=3Dde_DE.UTF-8, LC_CTYPE=3Dde_DE.UTF-8 (charmap=3DUTF-8)

Versions of packages tetex-bin depends on:
ii debconf 1.4.30.10 Debian configuration managemen=
t sy
ii debianutils 2.8.4 Miscellaneous utilities specif=
ic t
ii dpkg 1.10.25 Package maintenance system for=
 Deb
ii ed 0.2-20 The classic unix line editor
ii libc6 2.3.2.ds1-18 GNU C Library: Shared librarie=
s an
ii libgcc1 1:3.4.2-2 GCC support library
ii libice6 4.3.0.dfsg.1-8 Inter-Client Exchange library
ii libkpathsea3 2.0.2-23 path search library for teTeX =
(run
ii libpaper1 1.1.14-3 Library for handling paper cha=
ract
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsm6 4.3.0.dfsg.1-8 X Window System Session Manage=
ment
ii libstdc++5 1:3.3.4-13 The GNU Standard C++ Library v3
ii libt1-5 5.0.2-3 Type 1 font rasterizer library=
 - r
ii libwww0 5.4.0-9 The W3C WWW library
ii libx11-6 4.3.0.dfsg.1-8 X Window System protocol clien=
t li
ii libxaw7 4.3.0.dfsg.1-8 X Athena widget set library
ii libxext6 4.3.0.dfsg.1-8 X Window System miscellaneous =
exte
ii libxmu6 4.3.0.dfsg.1-8 X Window System miscellaneous =
util
ii libxt6 4.3.0.dfsg.1-8 X Toolkit Intrinsics
ii mime-support 3.28-1 MIME files 'mime.types' & 'mai=
lcap
ii perl 5.8.4-3 Larry Wall's Practical Extract=
ion=20
ii sed 4.1.2-8 The GNU sed stream editor
ii tetex-base 2.0.2c-3 Basic library files of teTeX
ii ucf 1.13 Update Configuration File: pre=
serv
ii zlib1g 1:1.2.2-3 compression library - runtime

-- debconf information excluded

--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

...

Message-ID: <20041223143700.GA1900@preusse>
Date: Thu, 23 Dec 2004 15:37:00 +0100
From: Hilmar Preusse <email address hidden>
To: Martin Pitt <email address hidden>, <email address hidden>
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125

On 23.12.04 Martin Pitt (<email address hidden>) wrote:

Hi,

> Recently CAN-2004-1125 has been discovered in xpdf. Since tetex-bin
> contains verbatim xpdf code (sigh), this package is affected as well.
>
Time got get a fix for #252104...

> You can get the Ubuntu security update patch from
>
> http://patches.ubuntu.com/patches/tetex-bin.CAN-2004-1125.diff
>
, which is not much more than
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch + the Debian/Ubuntu
specific stuff. The original report e.g. on
http://www.auscert.org.au/render.html?it=4651 .

Thanks for the report! Hmm, xpdf 1.0 contains exactly the same
vulnerable code. I guess there will be another tetex for stable soon.

Regards,
  Hilmar
--
sigmentation fault

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 17:09:29 +0100
From: =?iso-8859-1?q?Frank_K=FCster?= <email address hidden>
To: <email address hidden>
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125

Hilmar Preusse <email address hidden> schrieb:

> Thanks for the report! Hmm, xpdf 1.0 contains exactly the same
> vulnerable code.=20

I must be blind (or you looked at something different: I looked at the
code in tetex-bin_1.0.7+20011202-7.3, which does not contain xpdf-1.0,
but 0.92). I couldn't find it in these sources; the vulnerable part after

    // get the mask

is missing.

TIA, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 17:28:49 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125

--4Ckj6UjgE2iN1+kY
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Hilmar!

Hilmar Preusse [2004-12-23 15:37 +0100]:
> > You can get the Ubuntu security update patch from
> >=20
> > http://patches.ubuntu.com/patches/tetex-bin.CAN-2004-1125.diff
> >=20
> , which is not much more than
> ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch + the Debian/Ubuntu
> specific stuff.=20

Right; to the contrary, it is even a bit shorter than the original
patch. I included it more or less only for the sake of completeness
:-)

> The original report e.g. on
> http://www.auscert.org.au/render.html?it=3D4651 .
>=20
> Thanks for the report! Hmm, xpdf 1.0 contains exactly the same
> vulnerable code. I guess there will be another tetex for stable soon.

I did not look into that. If stable is affected, too, then can you
please keep track of the release tags?

Merry Christmas!

Martin

--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--4Ckj6UjgE2iN1+kY
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFByvJBDecnbV4Fd/IRAoeUAKDBPVBu2b4auzYHC9MjJIp/+3tjjgCffXJH
gMcCSgObsPyu23n+gn+GeMc=
=JlVb
-----END PGP SIGNATURE-----

--4Ckj6UjgE2iN1+kY--

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 17:27:46 +0100
From: =?iso-8859-1?q?Frank_K=FCster?= <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125

Martin Pitt <email address hidden> wrote:

> Package: tetex-bin
> Version: 2.0.2-23
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> Hi teTeX maintainers!
>
> Recently CAN-2004-1125 has been discovered in xpdf. Since tetex-bin
> contains verbatim xpdf code (sigh), this package is affected as well.

Thank you. Have you filed bugs against the other packages that are known
to use xpdf code, too? By the way, the idefense URL in your changelog
has been truncated; it needs a trailing "&type=3Dvulnerabilities" to
work.=20

Regards, Frank

--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer

Message-Id: <email address hidden>
Date: Thu, 23 Dec 2004 12:02:30 -0500
From: =?iso-8859-1?q?Frank_K=FCster?= <email address hidden>
To: <email address hidden>
Subject: Bug#286984: fixed in tetex-bin 2.0.2-25

Source: tetex-bin
Source-Version: 2.0.2-25

We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:

libkpathsea-dev_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/libkpathsea-dev_2.0.2-25_i386.deb
libkpathsea3_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/libkpathsea3_2.0.2-25_i386.deb
tetex-bin_2.0.2-25.diff.gz
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.diff.gz
tetex-bin_2.0.2-25.dsc
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.dsc
tetex-bin_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank K�<email address hidden> (supplier of updated tetex-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 23 Dec 2004 16:31:38 +0100
Source: tetex-bin
Binary: libkpathsea3 tetex-bin libkpathsea-dev
Architecture: source i386
Version: 2.0.2-25
Distribution: unstable
Urgency: high
Maintainer: teTeX maintainers <email address hidden>
Changed-By: Frank K�<email address hidden>
Description:
 libkpathsea-dev - path search library for teTeX (devel part)
 libkpathsea3 - path search library for teTeX (runtime part)
 tetex-bin - The teTeX binary files
Closes: 196987 286370 286984
Changes:
 tetex-bin (2.0.2-25) unstable; urgency=high
 .
   * SECURITY UPDATE:
     - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
       PDF reading code that was taken from xpdf (closes: #286984). Thanks to
       Martin Pitt <email address hidden>, see
       http://www.idefense.com/application/poi/display?id=172 [frank]
     - Fixed insecure tempfile creation, thanks to Javier
       Fernández-Sanguino Peña <email address hidden> (closes: #286370) [frank]
   * Fixed clean target, again providing clean sources [frank]
   * Added Suggests: rubber; together with lacheck this (closes: #196987)
     [frank]
Files:
 c0c67fb28b68a60e3fb4919c98dc63de 1044 tex optional tetex-bin_2.0.2-25.dsc
 22234075b7454394cb95b40dcf393988 183001 tex optional tetex-bin_2.0.2-25.diff.gz
 579513f95eb9ca5ff56fa653be3ca3e9 3934886 tex optional tetex-bin_2.0.2-25_i386.deb
 312583a749bf035cf6386d1831c9859e 58066 libs optional libkpathsea3_2.0.2-25_i386.deb
 8fba153ada4da2fcc994baa435928223 66208 libdevel optional libkpathsea-dev_2.0.2-25_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFByvXw+xs9YyJS+hoRAmuLAKCcIBS3Pz9GfaC+0kDjJTuu/Y8ePwCfVqy+
cLlZTys6TjtpkkNWFYNFWuo=
=AFY5
-----END...

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 18:16:46 +0100
From: Martin Pitt <email address hidden>
To: Frank =?iso-8859-1?Q?K=FCster?= <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125

--BOKacYhQ+x31HxR3
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Frank!

Frank K=FCster [2004-12-23 17:27 +0100]:
> Thank you. Have you filed bugs against the other packages that are known
> to use xpdf code, too?=20

Only against xpdf proper and CUPS. I did not fix any other packages. I
included a short list of possibly affected packages in #286983, but I
do not have the time to evaluate them all (sorry).

> By the way, the idefense URL in your changelog has been truncated;
> it needs a trailing "&type=3Dvulnerabilities" to work.=20

Hmm, I tried to remove it and it still worked. However, I did not
notice that the URL got rewritten. The following works and is a bit
shorter:

  http://www.idefense.com/application/poi/display?id=3D172

Martin

--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--BOKacYhQ+x31HxR3
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFByv1+DecnbV4Fd/IRAny/AJsF8oE7bjF6Arz4egVGv51Nw7EkzgCglRm1
PqZFsTLb1XKq39H08+B1w8o=
=1+FF
-----END PGP SIGNATURE-----

--BOKacYhQ+x31HxR3--

Message-ID: <20041226214430.GA1452@preusse>
Date: Sun, 26 Dec 2004 22:44:30 +0100
From: Hilmar Preusse <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125

On 23.12.04 Frank K�(<email address hidden>) wrote:
> Hilmar Preusse <email address hidden> schrieb:

Hi,

> > Thanks for the report! Hmm, xpdf 1.0 contains exactly the same
> > vulnerable code.
>
> I must be blind (or you looked at something different: I looked at
> the code in tetex-bin_1.0.7+20011202-7.3, which does not contain
> xpdf-1.0, but 0.92). I couldn't find it in these sources; the
> vulnerable part after
>
> // get the mask
>
> is missing.
>
Yes, you're right. Sorry! I had a look at the source code of xpdf
1.00, cause I believed this is the version contained in teTeX 1.0.7.
The first part of your patch doesn't fit into xpdf 0.92, however the
second part does. I'm not sure if this part is still part of the CAN.

Regards,
  Hilmar
--
sigmentation fault

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 18:41:51 +0100
From: =?iso-8859-1?q?Frank_K=FCster?= <email address hidden>
To: Debian Bug Control Server <email address hidden>
Cc: teTeX maintainers <email address hidden>
Subject: Re: Bug#286984: marked as done (tetex-bin: Vulnerable to
 CAN-2004-1125)

reopen 286984
tags 286984 sarge
stop

> * SECURITY UPDATE:
> - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow =
in
> PDF reading code that was taken from xpdf (closes: #286984). Thank=
s to
> Martin Pitt <email address hidden>, see
> http://www.idefense.com/application/poi/display?id=3D172 [frank]
> - Fixed insecure tempfile creation, thanks to Javier
> Fern=C3=A1ndez-Sanguino Pe=C3=B1a <email address hidden> (closes: #286=
370) [frank]

I'm going to keep this open until this upload has entered sarge, just as
Adrian has suggested (and did) with CAN-2004-0888

Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer

Message-ID: <email address hidden>
Date: Mon, 27 Dec 2004 10:42:24 +0100
From: =?iso-8859-1?q?Frank_K=FCster?= <email address hidden>
To: Hilmar Preusse <email address hidden>
Cc: <email address hidden>, <email address hidden>, Debian
 Security Team <email address hidden>
Subject: tetex-bin in woody (was: Bug#286984: tetex-bin: Vulnerable to
 CAN-2004-1125)

Hi Martin, hi security team (probably also Martin),

Hilmar Preusse <email address hidden> wrote:

> The first part of your patch doesn't fit into xpdf 0.92, however the
> second part does. I'm not sure if this part is still part of the CAN.

Indeed, I missed that. I had thought that the patch to GfxState.cc is
just to get a decent error message, and that the real security patch is
just in Gfx.cc. I missed that also in GfxState.cc, the patch changes
nCompsA (which is called nComps in tetex-bin_1.0.7's sources).

Still it seems to me as if there is no exploit in 1.0.7, but I would
like to hear comments about this from you. As stated before, the patched
code in Gfx.cc, the main point of vulnerability, simply doesn't
exist. The original code in GfxState.cc looks quite similar:

  nComps =3D obj2.getInt();
  obj2.free();
+ if (nCompsA > gfxColorMaxComps) {
+ error(-1, "ICCBased color space with too many (%d > %d) components",
+ nCompsA, gfxColorMaxComps);
+ nCompsA =3D gfxColorMaxComps;
+ }
  if (dict->lookup("Alternate", &obj2)->isNull() ||
      !(alt =3D GfxColorSpace::parse(&obj2))) {
    switch (nComps) {
    case 1:
      alt =3D new GfxDeviceGrayColorSpace();
      break;
    case 3:
      alt =3D new GfxDeviceRGBColorSpace();
      break;
    case 4:
      alt =3D new GfxDeviceCMYKColorSpace();
      break;
    default:
      error(-1, "Bad ICCBased color space - invalid N");
      obj2.free();
      obj1.free();
      return NULL;
    }
  }

Here, without the patch, nComps would not be set to its maximum value,
but everything above 4 is treated as an error. I'm confused whether
"return NULL" means an error as in Perl or success as in shell? nComps
is also used outside this function, however.

Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer

Message-ID: <email address hidden>
Date: Tue, 28 Dec 2004 10:24:16 +0100
From: =?iso-8859-1?q?Frank_K=FCster?= <email address hidden>
To: Martin Schulze <email address hidden>
Cc: Debian Security Team <email address hidden>, <email address hidden>
Subject: Re: CAN-2004-1125: Arbitrary code execution in tetex-bin

Martin Schulze <email address hidden> schrieb:

> Moin Frank
>
> an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> could lead to the execution of arbitrary code in Xpdf. Similar
> code is also present in tetex-bin. Hence, we'll need to roll an
> update.=20

This has been reported by Martin Pitt from Ubuntu as #286984, which has
been Cc'ed to team@s.d.o. Didn't you get the mail?

> I'm attaching the patch we're using for fixing woody.

The patch was empty.=20

> Please
> . update the package in sid

Done

> . mention the CVE id from the subject in the changelog
> . tell me the version number of the fixed package

tetex-bin (2.0.2-25) unstable; urgency=3Dhigh

  * SECURITY UPDATE:=20
    - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
      PDF reading code that was taken from xpdf (closes: #286984). Thanks to
      Martin Pitt <email address hidden>, see
      http://www.idefense.com/application/poi/display?id=3D172 [frank]
    - Fixed insecure tempfile creation, thanks to Javier
      Fern=C3=A1ndez-Sanguino Pe=C3=B1a <email address hidden> (closes: #286370=
) [frank]

> . no need to upload into sarge directly, except the version in
> sid is not meant to go into testing

I have done that, and reopened the bug with tag "sarge" in order to
track its progress into testing.

By the way, is there a way for an "ordinary maintainer" like me to get
information about security problems in a timely manner? Like some
announce list that can easily be filtered? The iDEFENSE advisory says
beneath "timeline":

12/21/2004 Coordinated public disclosure

So I guess some "not-so-public" people knew it before; and the bug was
reported 2 days later. If we didn't have Ubuntu, I would probably not
have known about this until today. And I guess if the Debian Security
team took the time to inform all maintainers of affected packages (and
to figure out who, from a list of uploaders, is in fact currently
active), you wouldn't have any time left to do coding and testing work.=20

Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer

Message-ID: <email address hidden>
Date: Tue, 28 Dec 2004 19:21:19 +0100
From: =?iso-8859-1?q?Frank_K=FCster?= <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125

Martin Pitt <email address hidden> schrieb:

> Hi Frank!
>
> Frank K=FCster [2004-12-23 17:27 +0100]:
>> Thank you. Have you filed bugs against the other packages that are known
>> to use xpdf code, too?=20
>
> Only against xpdf proper and CUPS. I did not fix any other packages. I
> included a short list of possibly affected packages in #286983, but I
> do not have the time to evaluate them all (sorry).

pdftohtml also counts under "possibly others". I've just filed a bug
against it, with patch.

Regards, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer

Already fixed in Warty (USN-48-1) and Hoary.

Message-ID: <email address hidden>
Date: Wed, 29 Dec 2004 20:52:33 +0100
From: Martin Schulze <email address hidden>
To: Frank =?iso-8859-1?Q?K=FCster?= <email address hidden>
Cc: Debian Security Team <email address hidden>,
 <email address hidden>
Subject: Re: CAN-2004-1125: Arbitrary code execution in tetex-bin

Frank K=FCster wrote:
> Martin Schulze <email address hidden> schrieb:
>=20
> > Moin Frank
> >
> > an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> > could lead to the execution of arbitrary code in Xpdf. Similar
> > code is also present in tetex-bin. Hence, we'll need to roll an
> > update.=20
>=20
> This has been reported by Martin Pitt from Ubuntu as #286984, which has
> been Cc'ed to team@s.d.o. Didn't you get the mail?

I just saw it.

> > I'm attaching the patch we're using for fixing woody.
>=20
> The patch was empty.=20

Uh? How did that happen?

> By the way, is there a way for an "ordinary maintainer" like me to get
> information about security problems in a timely manner? Like some
> announce list that can easily be filtered? The iDEFENSE advisory says
> beneath "timeline":
>=20
> 12/21/2004 Coordinated public disclosure

My first trace of this is from December 21th as well. iDEFENSE doesn't
coordinate and vendor refers to author in this case. Since there was
some discussion, iDEFENSE may switch to using author or something in
the future.

Regards,

 Joey

--=20
Open source is important from a technical angle. -- Linus Tor=
valds

Please always Cc to me when replying to me on the lists.

Message-ID: <email address hidden>
Date: Thu, 30 Dec 2004 11:12:56 +0100
From: =?iso-8859-1?q?Frank_K=FCster?= <email address hidden>
To: Martin Schulze <email address hidden>
Cc: <email address hidden>, Debian Security Team <email address hidden>
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in
 tetex-bin

Martin Schulze <email address hidden> schrieb:

> Frank K=FCster wrote:
>> Martin Schulze <email address hidden> schrieb:
>
>> > I'm attaching the patch we're using for fixing woody.
>>=20
>> The patch was empty.=20
>
> Uh? How did that happen?

Don't know. I would still be interested.

TIA, Frank
--=20
Frank K=FCster
Inst. f. Biochemie der Univ. Z=FCrich
Debian Developer

Message-ID: <email address hidden>
Date: Thu, 30 Dec 2004 12:09:32 +0100
From: Martin Schulze <email address hidden>
To: Frank =?iso-8859-1?Q?K=FCster?= <email address hidden>
Cc: <email address hidden>,
 Debian Security Team <email address hidden>
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin

Frank K=FCster wrote:
> Martin Schulze <email address hidden> schrieb:
>=20
> > Frank K=FCster wrote:
> >> Martin Schulze <email address hidden> schrieb:
> >
> >> > I'm attaching the patch we're using for fixing woody.
> >>=20
> >> The patch was empty.=20
> >
> > Uh? How did that happen?
>=20
> Don't know. I would still be interested.

It's basically the same as in this bug report, but it's bogus
as you correctly pointed out, since the program flow will end
in the case statement that is able to detect wrong values of
nComps.

Regards,

 Joey

--=20
Ten years and still binary compatible. -- XFree86

Message-ID: <email address hidden>
Date: Fri, 31 Dec 2004 10:54:04 +0100
From: Hilmar Preusse <email address hidden>
To: Martin Schulze <email address hidden>, <email address hidden>
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin

On 30.12.04 Martin Schulze (<email address hidden>) wrote:
> Frank K�wrote:
> > Martin Schulze <email address hidden> schrieb:
> > > Frank K�wrote:
> > >> Martin Schulze <email address hidden> schrieb:

Hi,

> > >> > I'm attaching the patch we're using for fixing woody.
> > >>
> > >> The patch was empty.
> > >
> > > Uh? How did that happen?
> >
> > Don't know. I would still be interested.
>
> It's basically the same as in this bug report, but it's bogus
> as you correctly pointed out, since the program flow will end
> in the case statement that is able to detect wrong values of
> nComps.
>
So why is the hunk then included in the patch for xpdf 1.0 (DSA
619-1)? Why is it part of 3.00pl2 at all?

Regards,
  Hilmar
--
sigmentation fault

Message-ID: <email address hidden>
Date: Fri, 31 Dec 2004 13:19:36 +0100
From: Martin Schulze <email address hidden>
To: Hilmar Preusse <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin

Hilmar Preusse wrote:
> > > >> > I'm attaching the patch we're using for fixing woody.
> > > >>=20
> > > >> The patch was empty.=20
> > > >
> > > > Uh? How did that happen?
> > >=20
> > > Don't know. I would still be interested.
> >=20
> > It's basically the same as in this bug report, but it's bogus
> > as you correctly pointed out, since the program flow will end
> > in the case statement that is able to detect wrong values of
> > nComps.
> >=20
> So why is the hunk then included in the patch for xpdf 1.0 (DSA
> 619-1)? Why is it part of 3.00pl2 at all?

Because it's the upstream fix and doesn't harm. Contrary to tetex-bin
this is only a minor part of the correction for cups and xpdf. The
real vulnerability does not exist in tetex-bin, so there's no update
needed.

Regards,

 Joey

--=20
A mathematician is a machine for converting coffee into theorems. Paul =
Erd=F6s

Please always Cc to me when replying to me on the lists.

Message-ID: <email address hidden>
Date: Sat, 1 Jan 2005 23:45:18 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Fixed package in testing, stable appears to still need an update from the security team

tags 286984 -sarge
tags 286984 +woody
thanks

Message-ID: <email address hidden>
Date: Tue, 4 Jan 2005 10:20:48 +0100
From: Hilmar Preusse <email address hidden>
To: Martin Schulze <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#286984: CAN-2004-1125: Arbitrary code execution in tetex-bin

On 31.12.04 Martin Schulze (<email address hidden>) wrote:
> Hilmar Preusse wrote:

Hi,

> > So why is the hunk then included in the patch for xpdf 1.0 (DSA
> > 619-1)? Why is it part of 3.00pl2 at all?
>
> Because it's the upstream fix and doesn't harm. Contrary to
> tetex-bin this is only a minor part of the correction for cups and
> xpdf. The real vulnerability does not exist in tetex-bin, so
> there's no update needed.
>
Would you be so kind to close that bug then?

Thanks and Regards,
  Hilmar
--
sigmentation fault