Hello Thomas, hello Debian Security team,

Frank Küster <[EMAIL PROTECTED]> wrote:
> tetex-bin_3.0 in experimental is vulnerable.

This is about CAN-2005-2097, see http://www.securityfocus.com/bid/14529/info.

The provided patch (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322467) is said to be against xpdf-3.00, and indeed it applies cleanly against the Debian xpdf source package; however, the xpdf sources in teTeX are different.

This is why I'm contacting you, Thomas: Although according to the CHANGES file we should have xpdf-3.00 just as the xpdf package has, at least one file (which should be patched) is missing in the teTeX sources. Now I'm wondering which changes you have made to the upstream sources, and whether they were on purpose; and whether this makes teTeX non-vulnerable, or requires a different patch to fix the vulnerability.

xpdf/xpdf/SplashOutputDev.cc is the file that does not exist. I tried to find code fragments that match the parts the patch removes, or the lines before and after, but they don't occur in the sources in tetex-bin.

TIA, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
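The check described in the mail (does each file the patch targets exist in the embedded copy, and do the lines the patch removes occur anywhere else in the tree), as an added example that is not part of the original message. The patch hunk and the source tree are constructed, only the file path comes from the mail, and the function names are hypothetical.

```python
import os
import tempfile

def removed_lines_by_file(patch_text, strip=1):
    """Map each file a unified diff touches to the lines it removes."""
    out, current = {}, None
    lines = patch_text.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("--- ") and nxt.startswith("+++ "):
            current = None                      # file header, not a removed line
        elif line.startswith("+++ ") and current is None:
            path = line[4:].split("\t")[0].strip()
            current = out.setdefault("/".join(path.split("/")[strip:]), [])
        elif current is not None and line.startswith("-") and len(line) > 9:
            current.append(" ".join(line[1:].split()))  # short lines ("}") are noise
    return out

def triage(tree, patch_text, strip=1):
    """Per patched file: is it in the tree, and which other files hold its removed lines?"""
    corpus = {}
    for root, _, files in os.walk(tree):
        for name in files:
            full = os.path.join(root, name)
            with open(full, errors="replace") as fh:
                rel = os.path.relpath(full, tree).replace(os.sep, "/")
                corpus[rel] = {" ".join(l.split()) for l in fh}
    report = {}
    for path, removed in removed_lines_by_file(patch_text, strip).items():
        hits = sorted(f for f, ls in corpus.items() if f != path and any(r in ls for r in removed))
        report[path] = {"exists": path in corpus, "elsewhere": hits}
    return report

# Constructed patch: the path is the one named in the mail, the hunk content is invented.
SAMPLE_PATCH = """\
--- a/xpdf/xpdf/SplashOutputDev.cc
+++ b/xpdf/xpdf/SplashOutputDev.cc
@@ -1,2 +1,2 @@
 void constructedContext();
-int constructedOldCheck(int n) { return n; }
+int constructedNewCheck(int n) { return n > 0 ? n : 0; }
"""

def demo(other_cc="void unrelated();\n"):
    """Run the triage on a constructed tree that lacks the patched file."""
    with tempfile.TemporaryDirectory() as tree:
        os.makedirs(os.path.join(tree, "xpdf", "xpdf"))
        with open(os.path.join(tree, "xpdf", "xpdf", "Other.cc"), "w") as fh:
            fh.write(other_cc)
        return triage(tree, SAMPLE_PATCH)
```

An empty `elsewhere` list only says the literal removed lines are absent from the tree; whether the affected code is present in another form still has to be answered by reading the sources.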