Your message dated Wed, 07 Dec 2005 06:32:11 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#342292: fixed in tetex-bin 3.0-11
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Dec 2005 22:15:41 +0000
>From [EMAIL PROTECTED] Tue Dec 06 14:15:41 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org ([193.22.164.111]
helo=vserver151.vserver151.serverflex.de)
by spohr.debian.org with esmtp (Exim 4.50)
id 1Ejl65-0001nj-HJ
for [EMAIL PROTECTED]; Tue, 06 Dec 2005 14:15:41 -0800
Received: from dslb-082-083-190-244.pools.arcor-ip.net ([82.83.190.244]
helo=localhost.localdomain)
by vserver151.vserver151.serverflex.de with esmtpsa
(TLS-1.0:RSA_AES_256_CBC_SHA:32)
(Exim 4.50)
id 1Ejl64-0008Cq-C5
for [EMAIL PROTECTED]; Tue, 06 Dec 2005 23:15:40 +0100
Received: from jmm by localhost.localdomain with local (Exim 4.60)
(envelope-from <[EMAIL PROTECTED]>)
id 1Ejl5i-0001za-GD; Tue, 06 Dec 2005 23:15:18 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: reportbug 3.18
Date: Tue, 06 Dec 2005 23:15:18 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 82.83.190.244
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-10.5 required=4.0 tests=BAYES_00,HAS_PACKAGE,
RCVD_IN_SORBS,X_DEBBUGS_CC autolearn=ham
version=2.60-bugs.debian.org_2005_01_02
Package: tetex-bin
Version: 3.0-10.1
Severity: grave
Tags: security
Justification: user security hole
Multiple exploitable security problems have been found in xpdf, which are
all present in tetex-bin's embedded xpdf copy as well:
Multiple Vendor xpdf DCTStream Baseline Heap Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=342
Multiple Vendor xpdf DCTStream Progressive Heap Overflow
http://www.idefense.com/application/poi/display?id=343
Multiple Vendor xpdf StreamPredictor Heap Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=344
Multiple Vendor xpdf JPX Stream Reader Heap Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=345
Please reference CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193 when fixing
this.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages tetex-bin depends on:
ii debconf [debconf-2.0] 1.4.62 Debian configuration management sy
ii debianutils 2.15.1 Miscellaneous utilities specific t
ii dpkg 1.13.11.0.1 package maintenance system for Deb
ii ed 0.2-20 The classic unix line editor
ii libc6 2.3.5-8.1 GNU C Library: Shared libraries an
ii libgcc1 1:4.0.2-5 GCC support library
ii libice6 6.8.2.dfsg.1-11 Inter-Client Exchange library
ii libkpathsea4 3.0-10.1 path search library for teTeX (run
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libpng12-0 1.2.8rel-5 PNG library - runtime
ii libsm6 6.8.2.dfsg.1-11 X Window System Session Management
ii libstdc++6 4.0.2-5 The GNU Standard C++ Library v3
ii libt1-5 5.1.0-2 Type 1 font rasterizer library - r
ii libx11-6 6.8.2.dfsg.1-11 X Window System protocol client li
ii libxaw8 6.8.2.dfsg.1-11 X Athena widget set library
ii libxext6 6.8.2.dfsg.1-11 X Window System miscellaneous exte
ii libxmu6 6.8.2.dfsg.1-11 X Window System miscellaneous util
ii libxp6 6.8.2.dfsg.1-11 X Window System printing extension
ii libxpm4 6.8.2.dfsg.1-11 X pixmap library
ii libxt6 6.8.2.dfsg.1-11 X Toolkit Intrinsics
ii mime-support 3.35-1 MIME files 'mime.types' & 'mailcap
ii perl 5.8.7-8 Larry Wall's Practical Extraction
ii sed 4.1.4-4 The GNU sed stream editor
ii tetex-base 3.0-10 Basic library files of teTeX
ii ucf 2.004 Update Configuration File: preserv
pi xlibs 6.8.2.dfsg.1-11 X Window System client libraries m
ii zlib1g 1:1.2.3-8 compression library - runtime
Versions of packages tetex-bin recommends:
ii dialog 1.0-20051107-1 Displays user-friendly dialog boxe
pn libxml-parser-perl <none> (no description available)
pn perl-tk <none> (no description available)
ii psutils 1.17-21 A collection of PostScript documen
ii whiptail 0.51.6-31 Displays user-friendly dialog boxe
-- debconf information excluded
---------------------------------------
Received: (at 342292-close) by bugs.debian.org; 7 Dec 2005 14:41:04 +0000
>From [EMAIL PROTECTED] Wed Dec 07 06:41:04 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
id 1Ek0L5-0000If-Si; Wed, 07 Dec 2005 06:32:11 -0800
From: =?utf-8?q?Frank_K=C3=BCster?= <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.60 $
Subject: Bug#342292: fixed in tetex-bin 3.0-11
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 07 Dec 2005 06:32:11 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: tetex-bin
Source-Version: 3.0-11
We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:
libkpathsea4-dev_3.0-11_i386.deb
to pool/main/t/tetex-bin/libkpathsea4-dev_3.0-11_i386.deb
libkpathsea4_3.0-11_i386.deb
to pool/main/t/tetex-bin/libkpathsea4_3.0-11_i386.deb
tetex-bin_3.0-11.diff.gz
to pool/main/t/tetex-bin/tetex-bin_3.0-11.diff.gz
tetex-bin_3.0-11.dsc
to pool/main/t/tetex-bin/tetex-bin_3.0-11.dsc
tetex-bin_3.0-11_i386.deb
to pool/main/t/tetex-bin/tetex-bin_3.0-11_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Frank Küster <[EMAIL PROTECTED]> (supplier of updated tetex-bin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 7 Dec 2005 14:34:12 +0100
Source: tetex-bin
Binary: tetex-bin libkpathsea4-dev libkpathsea4
Architecture: source i386
Version: 3.0-11
Distribution: unstable
Urgency: high
Maintainer: teTeX maintainers <[email protected]>
Changed-By: Frank Küster <[EMAIL PROTECTED]>
Description:
libkpathsea4 - path search library for teTeX (runtime part)
libkpathsea4-dev - path search library for teTeX (devel part)
tetex-bin - The teTeX binary files
Closes: 207874 335055 335477 336092 337308 338986 339388 341940 342292
Changes:
tetex-bin (3.0-11) unstable; urgency=high
.
* Apply xpdf patch 3.01pl1 to fix vulnerabilities in the included xpdf
code. The patch has been modified slightly, because our code is based
on xpdf 3.00 which uses gmalloc() instead of gmallocn() (closes:
#342292) [frank]
* Remove old alternatives for oxdvi, which is now integrated in xdvi
(closes: #335477) [frank]
* Add Florent to the list of uploaders to prevent future technical NMUs,
and acknowledge the last one with thanks (closes: #335055)
[frank]
* Fix up our backwards compatibility code in fmtutil(-sys), so that root
can now also use it as mktexfmt (closes: #338986) [frank]
* Remove ancient code from libkpathsea's postinst script; it is now
fully created by debhelper. The same is true for libkpathsea4-dev.
Many thanks to Hilmar (closes: #207874) [frank]
* Unset variables that might override texmf.cnf settings in postinst
[frank]
* Translations:
- Update Italian debconf translation, thanks to Luca Monducci
<[EMAIL PROTECTED]> (closes: #336092) [frank]
- Update French debconf translation, thanks to Clement Stenac
<[EMAIL PROTECTED]> (closes: #337308) [frank]
- Update Danish debconf translation, thanks to Claus Hindsgaul
<[EMAIL PROTECTED]> (closes: #339388) [frank]
- Update Czech debconf translation, thanks to Miroslav Kure
<[EMAIL PROTECTED]> (closes: #341940) [frank]
Files:
fef63f1e8fa7b88fd3e23df61ba38c1a 998 tex optional tetex-bin_3.0-11.dsc
a6b589f665edbc6305d793ad5c1ce8c6 127304 tex optional tetex-bin_3.0-11.diff.gz
b0548d39c6b42f579b73a372c025d727 3844736 tex optional tetex-bin_3.0-11_i386.deb
d21401d7e7f504fc5c00d4af671581f7 74040 libs optional
libkpathsea4_3.0-11_i386.deb
d74d8571306f04092ecd9c70273e4f8e 70020 libdevel optional
libkpathsea4-dev_3.0-11_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDlvA3+xs9YyJS+hoRAtMxAJ95+98enWcQjWZ69zf8OOIem7TwsgCfZfge
15eDjopNRrZq6nzYbW9BMPs=
=kZ4I
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]