Martin Schulze <email address hidden> wrote:
> Hi Frank
>
> an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> could lead to the execution of arbitrary code in Xpdf. Similar
> code is also present in tetex-bin. Hence, we'll need to roll an
> update.
This has been reported by Martin Pitt from Ubuntu as #286984, which has
been Cc'ed to team@s.d.o. Didn't you get the mail?
> I'm attaching the patch we're using for fixing woody.
The patch was empty.
> Please
> . update the package in sid
Done
> . mention the CVE id from the subject in the changelog
> . tell me the version number of the fixed package
tetex-bin (2.0.2-25) unstable; urgency=high

  * SECURITY UPDATE:
    - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
      PDF reading code that was taken from xpdf (closes: #286984). Thanks to
      Martin Pitt <email address hidden>, see
      http://www.idefense.com/application/poi/display?id=172 [frank]
    - Fixed insecure tempfile creation, thanks to Javier
      Fernández-Sanguino Peña <email address hidden> (closes: #286370) [frank]
> . no need to upload into sarge directly, except the version in
> sid is not meant to go into testing
I have done that, and reopened the bug with tag "sarge" in order to
track its progress into testing.
By the way, is there a way for an "ordinary maintainer" like me to get
information about security problems in a timely manner? Like some
announce list that can easily be filtered? The iDEFENSE advisory says
beneath "timeline":
12/21/2004 Coordinated public disclosure
So I guess some "not-so-public" people knew it before; and the bug was
reported 2 days later. If we didn't have Ubuntu, I would probably not
have known about this until today. And I guess if the Debian Security
team took the time to inform all maintainers of affected packages (and
to figure out who, from a list of uploaders, is in fact currently
active), you wouldn't have any time left to do coding and testing work.
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer