Comment 27 for bug 11419

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 29 Dec 2004 20:52:33 +0100
From: Martin Schulze <email address hidden>
To: Frank Küster <email address hidden>
Cc: Debian Security Team <email address hidden>,
 <email address hidden>
Subject: Re: CAN-2004-1125: Arbitrary code execution in tetex-bin

Frank Küster wrote:
> Martin Schulze <email address hidden> wrote:
>
> > Hi Frank
> >
> > an iDEFENSE researcher noticed another buffer overflow in Xpdf that
> > could lead to the execution of arbitrary code in Xpdf. Similar
> > code is also present in tetex-bin. Hence, we'll need to roll an
> > update.
>
> This has been reported by Martin Pitt from Ubuntu as #286984, which has
> been Cc'ed to team@s.d.o. Didn't you get the mail?

I just saw it.

> > I'm attaching the patch we're using for fixing woody.
>
> The patch was empty.

Uh? How did that happen?

> By the way, is there a way for an "ordinary maintainer" like me to get
> information about security problems in a timely manner? Like some
> announce list that can easily be filtered? The iDEFENSE advisory says
> beneath "timeline":
>
> 12/21/2004 Coordinated public disclosure

My first trace of this is from December 21st as well. iDEFENSE doesn't
coordinate and vendor refers to author in this case. Since there was
some discussion, iDEFENSE may switch to using author or something in
the future.

Regards,

 Joey

--
Open source is important from a technical angle. -- Linus Torvalds

Please always Cc to me when replying to me on the lists.