Comment 21 for bug 11419

Frank Küster (frank-debian) wrote: Re: CAN-2004-1125: Arbitrary code execution in tetex-bin

Martin Schulze <email address hidden> wrote:

> Hi Frank
>
> an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> could lead to the execution of arbitrary code in Xpdf. Similar
> code is also present in tetex-bin. Hence, we'll need to roll an
> update.

This has been reported by Martin Pitt from Ubuntu as #286984, which has
been Cc'ed to team@s.d.o. Didn't you get the mail?

> I'm attaching the patch we're using for fixing woody.

The patch was empty.

> Please
> . update the package in sid

Done

> . mention the CVE id from the subject in the changelog
> . tell me the version number of the fixed package

tetex-bin (2.0.2-25) unstable; urgency=high

  * SECURITY UPDATE:
    - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
      PDF reading code that was taken from xpdf (closes: #286984). Thanks to
      Martin Pitt <email address hidden>, see
      http://www.idefense.com/application/poi/display?id=172 [frank]
    - Fixed insecure tempfile creation, thanks to Javier
      Fernández-Sanguino Peña <email address hidden> (closes: #286370) [frank]

> . no need to upload into sarge directly, unless the version in
> sid is not meant to go into testing

I have done that, and reopened the bug with tag "sarge" in order to
track its progress into testing.

By the way, is there a way for an "ordinary maintainer" like me to get
information about security problems in a timely manner? Like some
announce list that can easily be filtered? The iDEFENSE advisory says
beneath "timeline":

12/21/2004 Coordinated public disclosure

So I guess some "not-so-public" people knew it before; and the bug was
reported 2 days later. If we didn't have Ubuntu, I would probably not
have known about this until today. And I guess if the Debian Security
team took the time to inform all maintainers of affected packages (and
to figure out who, from a list of uploaders, is in fact currently
active), you wouldn't have any time left to do coding and testing work.

Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
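The changelog quoted above lists "insecure tempfile creation" as the second fix in 2.0.2-25 without saying what the pattern looks like. The C program below is an added example, not tetex-bin's or xpdf's code: it shows the generic form of that bug class (a predictable name opened with O_CREAT but without O_EXCL, which follows a symlink an attacker planted at that name) beside the hardened form built on mkstemp(), and plays the attacker's move itself so the difference is observable. The directory, file and function names are illustrative assumptions, and the scratch directory is assumed to be creatable under /tmp or the current directory.

```c
/* Added illustration of the "insecure tempfile creation" bug class named in
 * the changelog above.  Not tetex-bin's or xpdf's code; all names are made up. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Scratch directory for the demo (assumption: /tmp or the cwd is writable). */
static int make_scratch_dir(char *dir, size_t dirlen) {
    snprintf(dir, dirlen, "/tmp/texdemo.XXXXXX");
    if (mkdtemp(dir) != NULL) return 0;
    snprintf(dir, dirlen, "./texdemo.XXXXXX");  /* fallback if /tmp is unusable */
    return mkdtemp(dir) != NULL ? 0 : -1;
}

/* INSECURE: predictable name (PID-based) and open() with O_CREAT but no
 * O_EXCL.  An attacker who can write to the directory can create a symlink
 * at that name before the open(); open() then follows the link and the
 * program's output lands in a file of the attacker's choosing. */
int insecure_tempfile(const char *dir, char *path, size_t pathlen) {
    snprintf(path, pathlen, "%s/texscratch.%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* HARDENED: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL and mode 0600 in one step, so a pre-planted file or
 * symlink makes the call fail (EEXIST) rather than being followed. */
int secure_tempfile(const char *dir, char *path, size_t pathlen) {
    if (snprintf(path, pathlen, "%s/texscratch.XXXXXX", dir) >= (int)pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(path);
}

/* Plays the attacker's move (plant a symlink at the predictable name) and
 * then runs both openers.  Returns 1 when the insecure opener was redirected
 * through the symlink while the secure one produced a fresh, private regular
 * file; returns 0 otherwise. */
int demo_symlink_race(void) {
    char dir[64], victim[128], planted[128], path[128];
    struct stat st;
    int followed = 0, safe = 0;

    if (make_scratch_dir(dir, sizeof dir) != 0) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/texscratch.%ld", dir, (long)getpid());

    /* attacker wins the race: a symlink sits at the name the victim will use */
    if (symlink(victim, planted) != 0) { rmdir(dir); return 0; }

    int fd = insecure_tempfile(dir, path, sizeof path);
    if (fd >= 0) {
        ssize_t n = write(fd, "owned\n", 6);
        (void)n;
        close(fd);
        /* the write was redirected: the attacker's target now exists */
        followed = (stat(victim, &st) == 0 && S_ISREG(st.st_mode));
    }

    int sfd = secure_tempfile(dir, path, sizeof path);
    if (sfd >= 0) {
        /* new name, regular file (not a followed link), no group/other bits */
        safe = strcmp(path, planted) != 0
            && fstat(sfd, &st) == 0
            && S_ISREG(st.st_mode)
            && st.st_nlink == 1
            && (st.st_mode & 077) == 0;
        close(sfd);
        unlink(path);
    }

    unlink(victim);
    unlink(planted);
    rmdir(dir);
    return followed && safe;
}

int main(void) {
    printf("insecure opener followed the planted symlink, mkstemp did not: %s\n",
           demo_symlink_race() ? "yes" : "no");
    return 0;
}
```

The point of the check in secure_tempfile() is that the fix is not "use a random name" but "create and open atomically with O_EXCL": a random name only narrows the race window, while O_EXCL removes it, since a pre-existing file or symlink at the chosen name makes the open fail instead of being followed.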