Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)

2005-08-14 Thread Derek B. Noonburg
On 12 Aug, Martin Schröder wrote: > On 2005-08-12 16:08:07 +0200, Martin Schroeder wrote: >> I don't know about 2005-2097, but the worst would be a crash of >> pdfTeX. Is a patch around? > > I've found it and checked the code: The vulnerable code > (fofi/FoFiTrueType.cc) is only called from the in

Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)

2005-08-12 Thread Martin Schröder
On 2005-08-12 16:08:07 +0200, Martin Schroeder wrote: > I don't know about 2005-2097, but the worst would be a crash of > pdfTeX. Is a patch around? I've found it and checked the code: The vulnerable code (fofi/FoFiTrueType.cc) is only called from the interactive code (xpdf/PShOutputDev.cc and xpd

Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)

2005-08-12 Thread Martin Schroeder
On 2005-08-12 13:36:32 +0200, Thomas Esser wrote: > > Now I'm wondering which changes you have made to the upstream sources, > > and whether they were on purpose; and whether this makes teTeX > > non-vulnerable, or requires a different patch to fix the vulnerability. > > For the reasons given abov

Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)

2005-08-12 Thread Thomas Esser
> This is why I'm contacting you, Thomas: Although according to the > CHANGES file we should have xpdf-3.00 just as the xpdf package has, but > at least one file (which should be patched) is missing in the teTeX > sources. The following changes are done to the original sources: - xpdf/GlobalPara

Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)

2005-08-12 Thread Frank Küster
Hello Thomas, hello Debian Security team, Frank Küster <[EMAIL PROTECTED]> wrote: > tetex-bin_3.0 in experimental is vulnerable. This is about CAN-2005-2097, see http://www.securityfocus.com/bid/14529/info. The provided patch (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322467) is said

Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability

2005-08-11 Thread Frank Küster
found 322467 3.0-5 thanks Hilmar Preusse <[EMAIL PROTECTED]> wrote: > Package: tetex-bin > Version: 2.0.2-31 > Severity: grave > Tags: patch > Justification: can result in disk consumption and ultimately lead to a denial > of service condition. > > Just a reminder, > > http://www.securityfocus.c

Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability

2005-08-11 Thread Hilmar Preusse
tags 322467 + experimental stop On 10.08.05 Hilmar Preusse ([EMAIL PROTECTED]) wrote: > Package: tetex-bin > Version: 2.0.2-31 > Severity: grave > Tags: patch > > Just a reminder, > > http://www.securityfocus.com/bid/14529/info > Martin Pitt gave me the hint that teTeX from stable is not vuln

Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability

2005-08-10 Thread Hilmar Preusse
Package: tetex-bin Version: 2.0.2-31 Severity: grave Tags: patch Justification: can result in disk consumption and ultimately lead to a denial of service condition. Just a reminder, http://www.securityfocus.com/bid/14529/info Ubuntu^1 already fixed the xpdf packages. I guess we're affected too,