Martin Schroeder <[EMAIL PROTECTED]> wrote:

> On 2005-08-12 13:36:32 +0200, Thomas Esser wrote:
>> > Now I'm wondering which changes you have made to the upstream sources,
>> > and whether they were on purpose; and whether this makes teTeX
>> > non-vulnerable, or requires a different patch to fix the vulnerability.
>>
>> For the reasons given above, I think that teTeX is only affected by a
>> subset of all xpdf vulnerabilities.
>
> We already have xpdf 3.00pl3, so everything till then should be
> fixed. We checked sometime before CAN2005-2097 for effects of the
> known vulnerabilities on pdfTeX and found none.

Have you pdfTeX people ever considered using libpoppler instead of
copied xpdf code - or are there any plans for a libxpdf? In this case
it would be much easier, because all distributions would simply provide
a new version of the dynamic library and be done for all xpdf-derived
things.

> I don't know about 2005-2097, but the worst would be a crash of
> pdfTeX.

Unfortunately not, the worst is a DOS attack against a "pdf server", as
explained in:

http://www.ubuntulinux.org/support/documentation/usn/usn-163-1

,----
| xpdf and kpdf did not sufficiently verify the validity of the "loca"
| table in PDF files, a table that contains glyph description
| information for embedded TrueType fonts. After detecting the broken
| table, xpdf attempted to reconstruct the information in it, which
| caused the generation of a huge temporary file that quickly filled up
| available disk space and rendered the application unresponsive.
`----

> Is a patch around?

Yes, as an attachment on http://bugs.debian.org/322467, or at
ftp://ftp.kde.org/pub/kde/security_patches/ where Hilmar took it from.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer