Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)
On 12 Aug, Martin Schröder wrote: On 2005-08-12 16:08:07 +0200, Martin Schroeder wrote: I don't know about 2005-2097, but the worst would be a crash of pdfTeX. Is a patch around? I've found it and checked the code: The vulnerable code (fofi/FoFiTrueType.cc) is only called from the interactive code (xpdf/PShOutputDev.cc and xpdf/SplashOutputDev.cc), which is not included in pdfTex/teTeX. So teTeX is not affected. Well, PSOutputDev isn't interactive as such, but you're correct that it only affects those two modules (which means xpdf, pdftoppm, and pdftops). - Derek -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)
Hello Thomas, hello Debian Security team, Frank Küster [EMAIL PROTECTED] wrote: tetex-bin_3.0 in experimental is vulnerable. This is about CAN-2005-2097, see http://www.securityfocus.com/bid/14529/info. The provided patch (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322467) is said to be against xpdf-3.00, and indeed it applies cleanly against the Debian xpdf source package; however the xpdf sources in teTeX are different. This is why I'm contacting you, Thomas: Although according to the CHANGES file we should have xpdf-3.00 just as the xpdf package has, but at least one file (which should be patched) is missing in the teTeX sources. Now I'm wondering which changes you have made to the upstream sources, and whether they were on purpose; and whether this makes teTeX non-vulnerable, or requires a different patch to fix the vulnerability. xpdf/xpdf/SplashOutputDev.cc is the file that does not exist. I tried to find code fragments that match the parts the patch removes, or the lines before and after, but they don't occur in the sources in tetex-bin. TIA, Frank -- Frank Küster Inst. f. Biochemie der Univ. Zürich Debian Developer
Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)
This is why I'm contacting you, Thomas: Although according to the CHANGES file we should have xpdf-3.00 just as the xpdf package has, but at least one file (which should be patched) is missing in the teTeX sources. The following changes are done to the original sources: - xpdf/GlobalParams.cc: add GlobalParams::GlobalParams() which is basically a stripped down GlobalParams::GlobalParams(char *cfgFileName) - remove all files which are not needed for pdftex, e.g. those for the stand-alone xpdf viewer - portability / security fixes Those from the last group are always forwarded upstream, of course. Now I'm wondering which changes you have made to the upstream sources, and whether they were on purpose; and whether this makes teTeX non-vulnerable, or requires a different patch to fix the vulnerability. For the reasons given above, I think that teTeX is only affected by a subset of all xpdf vulnerabilities. Thomas -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)
On 2005-08-12 13:36:32 +0200, Thomas Esser wrote: Now I'm wondering which changes you have made to the upstream sources, and whether they were on purpose; and whether this makes teTeX non-vulnerable, or requires a different patch to fix the vulnerability. For the reasons given above, I think that teTeX is only affected by a subset of all xpdf vulnerabilities. We already have xpdf 3.00pl3, so everything till then should be fixed. We checked sometime before CAN2005-2097 for effects of the known vulnerabilities on pdfTeX and found none. I don't know about 2005-2097, but the worst would be a crash of pdfTeX. Is a patch around? Best Martin PS: Derek, the pdfTeX team would highly appreciate it if you would inform the customers of xpdf like pdfTeX of known security problems. -- http://www.tm.oneiros.de -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)
On 2005-08-12 16:08:07 +0200, Martin Schroeder wrote: I don't know about 2005-2097, but the worst would be a crash of pdfTeX. Is a patch around? I've found it and checked the code: The vulnerable code (fofi/FoFiTrueType.cc) is only called from the interactive code (xpdf/PShOutputDev.cc and xpdf/SplashOutputDev.cc), which is not included in pdfTex/teTeX. So teTeX is not affected. Best Martin -- http://www.tm.oneiros.de -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]