
Bug#286984: marked as done (tetex-bin: Vulnerable to CAN-2004-1125)



Your message dated Thu, 23 Dec 2004 12:02:30 -0500
with message-id <E1ChWMA-0003f0-00@newraff.debian.org>
and subject line Bug#286984: fixed in tetex-bin 2.0.2-25
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Dec 2004 12:54:32 +0000
>From martin@piware.de Thu Dec 23 04:54:31 2004
Return-path: <martin@piware.de>
Received: from box79162.elkhouse.de [213.9.79.162] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1ChSUB-00046R-00; Thu, 23 Dec 2004 04:54:31 -0800
Received: from martin by box79162.elkhouse.de with local (Exim 4.34)
	id 1ChSTg-00085Z-Oh; Thu, 23 Dec 2004 13:54:00 +0100
Date: Thu, 23 Dec 2004 13:54:00 +0100
From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: team@security.debian.org
Subject: tetex-bin: Vulnerable to CAN-2004-1125
Message-ID: <20041223125400.GA31076@box79162.elkhouse.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="UugvWAfsgieZRqgk"
Content-Disposition: inline
X-Reportbug-Version: 3.2
X-Debbugs-Cc: team@security.debian.org
User-Agent: Mutt/1.5.6+20040907i
Sender: Martin Pitt <martin@piware.de>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--UugvWAfsgieZRqgk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: tetex-bin
Version: 2.0.2-23
Severity: grave
Tags: security patch
Justification: user security hole

Hi teTeX maintainers!

Recently CAN-2004-1125 has been discovered in xpdf. Since tetex-bin
contains verbatim xpdf code (sigh), this package is affected as well.

You can get the Ubuntu security update patch from

  http://patches.ubuntu.com/patches/tetex-bin.CAN-2004-1125.diff

Thanks,

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages tetex-bin depends on:
ii  debconf                   1.4.30.10      Debian configuration management sy
ii  debianutils               2.8.4          Miscellaneous utilities specific t
ii  dpkg                      1.10.25        Package maintenance system for Deb
ii  ed                        0.2-20         The classic unix line editor
ii  libc6                     2.3.2.ds1-18   GNU C Library: Shared libraries an
ii  libgcc1                   1:3.4.2-2      GCC support library
ii  libice6                   4.3.0.dfsg.1-8 Inter-Client Exchange library
ii  libkpathsea3              2.0.2-23       path search library for teTeX (run
ii  libpaper1                 1.1.14-3       Library for handling paper charact
ii  libpng12-0                1.2.8rel-1     PNG library - runtime
ii  libsm6                    4.3.0.dfsg.1-8 X Window System Session Management
ii  libstdc++5                1:3.3.4-13     The GNU Standard C++ Library v3
ii  libt1-5                   5.0.2-3        Type 1 font rasterizer library - r
ii  libwww0                   5.4.0-9        The W3C WWW library
ii  libx11-6                  4.3.0.dfsg.1-8 X Window System protocol client li
ii  libxaw7                   4.3.0.dfsg.1-8 X Athena widget set library
ii  libxext6                  4.3.0.dfsg.1-8 X Window System miscellaneous exte
ii  libxmu6                   4.3.0.dfsg.1-8 X Window System miscellaneous util
ii  libxt6                    4.3.0.dfsg.1-8 X Toolkit Intrinsics
ii  mime-support              3.28-1         MIME files 'mime.types' & 'mailcap
ii  perl                      5.8.4-3        Larry Wall's Practical Extraction
ii  sed                       4.1.2-8        The GNU sed stream editor
ii  tetex-base                2.0.2c-3       Basic library files of teTeX
ii  ucf                       1.13           Update Configuration File: preserv
ii  zlib1g                    1:1.2.2-3      compression library - runtime

-- debconf information excluded

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

--UugvWAfsgieZRqgk
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFByr/oDecnbV4Fd/IRAvZuAJ4wsQ55c2zwolbSA/U+l72sXI0SMACg7Qnl
9V89uKTqLss67z1uAdRBR1c=
=RoOb
-----END PGP SIGNATURE-----

--UugvWAfsgieZRqgk--

---------------------------------------
Received: (at 286984-close) by bugs.debian.org; 23 Dec 2004 17:08:02 +0000
>From katie@ftp-master.debian.org Thu Dec 23 09:08:02 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1ChWRV-0006eT-00; Thu, 23 Dec 2004 09:08:01 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1ChWMA-0003f0-00; Thu, 23 Dec 2004 12:02:30 -0500
From: Frank Küster <frank@debian.org>
To: 286984-close@bugs.debian.org
X-Katie: $Revision: 1.54 $
Subject: Bug#286984: fixed in tetex-bin 2.0.2-25
Message-Id: <E1ChWMA-0003f0-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Thu, 23 Dec 2004 12:02:30 -0500
Delivered-To: 286984-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 
X-CrossAssassin-Score: 3

Source: tetex-bin
Source-Version: 2.0.2-25

We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:

libkpathsea-dev_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/libkpathsea-dev_2.0.2-25_i386.deb
libkpathsea3_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/libkpathsea3_2.0.2-25_i386.deb
tetex-bin_2.0.2-25.diff.gz
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.diff.gz
tetex-bin_2.0.2-25.dsc
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25.dsc
tetex-bin_2.0.2-25_i386.deb
  to pool/main/t/tetex-bin/tetex-bin_2.0.2-25_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 286984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Küster <frank@debian.org> (supplier of updated tetex-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 23 Dec 2004 16:31:38 +0100
Source: tetex-bin
Binary: libkpathsea3 tetex-bin libkpathsea-dev
Architecture: source i386
Version: 2.0.2-25
Distribution: unstable
Urgency: high
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Frank Küster <frank@debian.org>
Description: 
 libkpathsea-dev - path search library for teTeX (devel part)
 libkpathsea3 - path search library for teTeX (runtime part)
 tetex-bin  - The teTeX binary files
Closes: 196987 286370 286984
Changes: 
 tetex-bin (2.0.2-25) unstable; urgency=high
 .
   * SECURITY UPDATE:
     - Added debian/patches/patch-CAN-2004-1125 to fix a buffer overflow in
       PDF reading code that was taken from xpdf (closes: #286984). Thanks to
       Martin Pitt <martin.pitt@canonical.com>, see
       http://www.idefense.com/application/poi/display?id=172 [frank]
     - Fixed insecure tempfile creation, thanks to Javier
       Fernández-Sanguino Peña <jfs@computer.org> (closes: #286370) [frank]
   * Fixed clean target, again providing clean sources [frank]
   * Added Suggests: rubber; together with lacheck this (closes: #196987)
     [frank]
Files: 
 c0c67fb28b68a60e3fb4919c98dc63de 1044 tex optional tetex-bin_2.0.2-25.dsc
 22234075b7454394cb95b40dcf393988 183001 tex optional tetex-bin_2.0.2-25.diff.gz
 579513f95eb9ca5ff56fa653be3ca3e9 3934886 tex optional tetex-bin_2.0.2-25_i386.deb
 312583a749bf035cf6386d1831c9859e 58066 libs optional libkpathsea3_2.0.2-25_i386.deb
 8fba153ada4da2fcc994baa435928223 66208 libdevel optional libkpathsea-dev_2.0.2-25_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFByvXw+xs9YyJS+hoRAmuLAKCcIBS3Pz9GfaC+0kDjJTuu/Y8ePwCfVqy+
cLlZTys6TjtpkkNWFYNFWuo=
=AFY5
-----END PGP SIGNATURE-----


