Comment 22 for bug 11419

Debian Bug Importer (debzilla) wrote:

Message-ID: <email address hidden>
Date: Tue, 28 Dec 2004 10:24:16 +0100
From: Frank Küster <email address hidden>
To: Martin Schulze <email address hidden>
Cc: Debian Security Team <email address hidden>, <email address hidden>
Subject: Re: CAN-2004-1125: Arbitrary code execution in tetex-bin

Martin Schulze <email address hidden> wrote:

> Moin Frank
>
> an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> could lead to the execution of arbitrary code in Xpdf. Similar
> code is also present in tetex-bin. Hence, we'll need to roll an
> update.

This has been reported by Martin Pitt from Ubuntu as #286984, which has
been Cc'ed to team@s.d.o. Didn't you get the mail?

> I'm attaching the patch we're using for fixing woody.

The patch was empty.

> Please
> . update the package in sid

Done

> . mention the CVE id from the subject in the changelog
> . tell me the version number of the fixed package

tetex-bin (2.0.2-25) unstable; urgency=high

  * SECURITY UPDATE:
    - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
      PDF reading code that was taken from xpdf (closes: #286984). Thanks to
      Martin Pitt <email address hidden>, see
      http://www.idefense.com/application/poi/display?id=172 [frank]
    - Fixed insecure tempfile creation, thanks to Javier
      Fernández-Sanguino Peña <email address hidden> (closes: #286370) [frank]

> . no need to upload into sarge directly, except the version in
> sid is not meant to go into testing

I have done that, and reopened the bug with tag "sarge" in order to
track its progress into testing.

By the way, is there a way for an "ordinary maintainer" like me to get
information about security problems in a timely manner? Like some
announce list that can easily be filtered? The iDEFENSE advisory says
beneath "timeline":

12/21/2004 Coordinated public disclosure

So I guess some "not-so-public" people knew it before; and the bug was
reported 2 days later. If we didn't have Ubuntu, I would probably not
have known about this until today. And I guess if the Debian Security
team took the time to inform all maintainers of affected packages (and
to figure out who, from a list of uploaders, is in fact currently
active), you wouldn't have any time left to do coding and testing work.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer