
xpdf code security, removal of pdftohtml



Hello,

xpdf has a long history of security problems, and got its code
duplicated in a lot of packages.  All of this has to be tracked
by the security team and this is a serious burden.

As Moritz wrote:

>> the whole xpdf mess is just insane: There's another massive round
>> of security issues being found and it's certainly not the last.
>> I won't spend another 2-3 days for each maintenance round of this
>> junk, so we need to cut down the maintenance overhead now:


I am the maintainer of pdftohtml, it embeds code from xpdf, and can be
replaced by pdftohtml from poppler-utils; this has been the case in sid
for months (package got removed from sid/lenny in June) and nobody
complained about compatibility problems using the new poppler code.


We failed to manage the transition before Etch went out but it would
be appreciated to do it for a point release; Moritz wrote:

>> I don't remember why we didn't make the transition to poppler-utils
>> inside Etch in time, but we need to do it now in a point update.

There is a pdftohtml package converted to be a transitional package
available at http://people.debian.org/~fpeters/pdftohtml/, interdiff
is attached to this message.  It adds a NEWS file explaining the
situation.

Could this issue be considered by the release team?


Thanks,

        Frederic

diff -u pdftohtml-0.36/debian/control pdftohtml-0.36/debian/control
--- pdftohtml-0.36/debian/control
+++ pdftohtml-0.36/debian/control
@@ -10,5 +10,10 @@
-Depends: ${shlibs:Depends}, gs
-Recommends: xpdf-common
-Description: Translates pdf documents into html format
- Translates pdf files into HTML or XML formats, combined with png images.
- Supports encrypted pdf files.
+Depends: ${shlibs:Depends}, poppler-utils (>= 0.4.5-1)
+Description: Translates PDF documents into HTML format (transitional package)
+ pdftohtml translates PDF files into HTML or XML formats, combined with png
+ images.  It supports encrypted PDF files.
+ .
+ This dummy package exists only to ease the transition to poppler-utils,
+ as it now provides a pdftohtml implementation and will be easier to maintain
+ security-wise.
+ .
+ It can be safely removed after upgrade.
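Review bot: the control hunk turns pdftohtml into a dummy transitional package but leaves Section and Priority untouched; Debian convention for such packages is "Section: oldlibs" and "Priority: extra", which is what lets deborphan and similar tools flag it for removal once poppler-utils is installed (the long description already promises "It can be safely removed after upgrade"). Also worth confirming that "poppler-utils (>= 0.4.5-1)" is satisfied by the poppler version actually shipped in etch, since a stable point update cannot pull in a newer poppler. Dropping "Recommends: xpdf-common" is right: nothing in this package needs xpdf's shared files any more.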
diff -u pdftohtml-0.36/debian/rules pdftohtml-0.36/debian/rules
--- pdftohtml-0.36/debian/rules
+++ pdftohtml-0.36/debian/rules
@@ -33,7 +33,7 @@
 	dh_testdir
 
 	# Commands to compile the package.
-	$(MAKE) DEBUG=-g
+	#$(MAKE) DEBUG=-g
 
 	touch build-stamp
 
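Review bot: commenting out "$(MAKE) DEBUG=-g" while still touching build-stamp leaves dead build logic behind; for a transitional package it is cleaner to delete the compile line (and the now-misleading "# Commands to compile the package." comment) than to keep it commented, otherwise a later upload can re-enable a build of the embedded xpdf code by accident, which is exactly the code this transition is meant to stop shipping.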
@@ -54,7 +54,7 @@
 	dh_installdirs
 
 	# Commands to install the package into debian/pdftohtml.
-	$(MAKE) install DESTDIR=$(CURDIR)/debian/pdftohtml
+	#$(MAKE) install DESTDIR=$(CURDIR)/debian/pdftohtml
 
 
 # Build architecture-independent files here.
@@ -65,9 +65,9 @@
 binary-arch: build install
 	dh_testdir
 	dh_testroot
-	dh_installdocs README AUTHORS BUGS
-	dh_installman debian/pdftohtml.1
-	dh_installchangelogs CHANGES
+	dh_installdocs
+	#dh_installman debian/pdftohtml.1
+	dh_installchangelogs
 	dh_link
 	dh_strip
 	dh_compress
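Review bot: "dh_installman debian/pdftohtml.1" is commented out rather than removed, and dh_installdocs / dh_installchangelogs lose their file arguments. Not shipping the manpage is correct now that the binary is gone (and it would collide with any pdftohtml.1 that poppler-utils ships), but debian/pdftohtml.1 should then be dropped from the source tree as well so it does not linger. dh_installchangelogs without arguments still installs debian/changelog and picks up debian/NEWS as NEWS.Debian, so the NEWS file added in this patch does reach users; dh_installdocs without arguments still installs debian/copyright.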
diff -u pdftohtml-0.36/debian/changelog pdftohtml-0.36/debian/changelog
--- pdftohtml-0.36/debian/changelog
+++ pdftohtml-0.36/debian/changelog
@@ -1,3 +1,12 @@
+pdftohtml (0.36-13etch1) stable; urgency=high
+
+  * same as 0.36-14
+    * pdftohtml is now a transitional package; it exists only to ease
+      the transition to poppler-utils, as it now provides a pdftohtml
+      implementation and will be easier to maintain security-wise.
+
+ -- Frederic Peters <fpeters@debian.org>  Thu, 08 Nov 2007 12:58:04 +0100
+
 pdftohtml (0.36-13) unstable; urgency=low
 
   * debian/patches/12_GCC_4.1.dpatch: fix to build with G++ 4.1
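Review bot: the stable entry "* same as 0.36-14" only cross-references an unstable upload that is not part of this interdiff, so the release team reviewing this changelog has to look elsewhere for the full change set. List the concrete changes here (dependency on poppler-utils, no binary or manpage shipped any more, NEWS file added) and state the motivation, the embedded xpdf code with its stream of security issues, since that is what justifies "urgency=high" for a point update.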
reverted:
--- pdftohtml-0.36/debian/dirs
+++ pdftohtml-0.36.orig/debian/dirs
@@ -1 +0,0 @@
-usr/bin
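Review bot: removing "usr/bin" from debian/dirs is what guarantees the transitional package ships no /usr/bin/pdftohtml and therefore cannot conflict with the file of the same name from poppler-utils; good. Since the package now installs no files of its own at all, the dh_installdirs call in debian/rules is a no-op and can go too.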
reverted:
--- pdftohtml-0.36/debian/docs
+++ pdftohtml-0.36.orig/debian/docs
@@ -1,2 +0,0 @@
-BUGS
-README
only in patch2:
unchanged:
--- pdftohtml-0.36.orig/debian/NEWS
+++ pdftohtml-0.36/debian/NEWS
@@ -0,0 +1,14 @@
+pdftohtml (0.36-14) unstable; urgency=low
+
+  * pdftohtml is now provided by poppler-utils, this package turned into
+    a transitional package so poppler-utils is sure to be installed on
+    your system.
+
+    pdftohtml from poppler provides the same features, with the same
+    command line options.
+
+    The only change you may experience is when using XML output, coordinates
+    are expressed in another unit.  If this is relevant to you, you will have
+    to check your scripts.
+
+ -- Frederic Peters <fpeters@debian.org>  Tue,  3 Oct 2006 10:55:17 +0200
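Review bot: the NEWS entry is versioned "0.36-14" and dated October 2006, while the package being uploaded to stable is "0.36-13etch1" dated November 2007. apt-listchanges shows NEWS.Debian entries whose version is newer than the installed one, so this entry will still be displayed on the etch upgrade, but the mismatch is confusing for anyone reading /usr/share/doc/pdftohtml/NEWS.Debian later; consider adding a 0.36-13etch1 entry or re-dating this one. The sentence about XML output coordinates being "expressed in another unit" should name both units, because that is the one compatibility change users are told to check their scripts for.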
