Message-ID: <email address hidden>
Date: Tue, 28 Dec 2004 10:24:16 +0100
From: Frank Küster <email address hidden>
To: Martin Schulze <email address hidden>
Cc: Debian Security Team <email address hidden>, <email address hidden>
Subject: Re: CAN-2004-1125: Arbitrary code execution in tetex-bin
Martin Schulze <email address hidden> wrote:
> Moin Frank
>
> an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> could lead to the execution of arbitrary code in Xpdf. Similar
> code is also present in tetex-bin. Hence, we'll need to roll an
> update.
This has been reported by Martin Pitt from Ubuntu as #286984, which has
been Cc'ed to team@s.d.o. Didn't you get the mail?
> I'm attaching the patch we're using for fixing woody.
The patch was empty.
> Please
> . update the package in sid
Done
> . mention the CVE id from the subject in the changelog
> . tell me the version number of the fixed package
tetex-bin (2.0.2-25) unstable; urgency=high

  * SECURITY UPDATE:
    - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
      PDF reading code that was taken from xpdf (closes: #286984). Thanks to
      Martin Pitt <email address hidden>, see
      http://www.idefense.com/application/poi/display?id=172 [frank]
    - Fixed insecure tempfile creation, thanks to Javier
      Fernández-Sanguino Peña <email address hidden> (closes: #286370) [frank]
> . no need to upload into sarge directly, except the version in
> sid is not meant to go into testing
I have done that, and reopened the bug with tag "sarge" in order to
track its progress into testing.
By the way, is there a way for an "ordinary maintainer" like me to get
information about security problems in a timely manner? Like some
announce list that can easily be filtered? The iDEFENSE advisory says
beneath "timeline":
12/21/2004 Coordinated public disclosure
So I guess some "not-so-public" people knew it before; and the bug was
reported 2 days later. If we didn't have Ubuntu, I would probably not
have known about this until today. And I guess if the Debian Security
team took the time to inform all maintainers of affected packages (and
to figure out who, from a list of uploaders, is in fact currently
active), you wouldn't have any time left to do coding and testing work.
Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer