Re: texlive-bin stable update for CVE-2007-5935
On Sun, 30 Nov 2008, Nico Golde wrote:
> CVE-2007-5935[0]:
> | Stack-based buffer overflow in hpc.c in dvips in teTeX and TeXlive
> | 2007 and earlier allows user-assisted attackers to execute arbitrary
> | code via a DVI file with a long href tag.
already fixed in 2007.dfsg.1-1
patch hps-segfault-fix
> CVE-2007-5936[1]:
> | dvips in teTeX and TeXlive 2007 and earlier allows local users to
> | obtain sensitive information and modify certain data by creating
> | certain temporary files before they are processed by dviljk, which can
> | then be read or modified in place.
already fixed in 2007-13
patch dviljk-security-fixes
> CVE-2007-5937[2]:
> | Multiple buffer overflows in dvi2xx.c in dviljk in teTeX and TeXlive
> | 2007 and earlier might allow user-assisted attackers to execute
> | arbitrary code via a crafted DVI input file.
already fixed in 2007-13
patch dviljk-security-fixes
This is patch dviljk-security-fixes has been included already before the
CVE came out, so no mentioning happened.
BTW, how did this funny automatic program find the CVEs??? Is there a
way we have to mention them in the changelog?
Best wishes
Norbert
-------------------------------------------------------------------------------
Dr. Norbert Preining <preining@logic.at> Vienna University of Technology
Debian Developer <preining@debian.org> Debian TeX Group
gpg DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
-------------------------------------------------------------------------------
GLOADBY MARWOOD (n.)
Someone who stops Jon Cleese on the street and demands that he does a
funny walk.
--- Douglas Adams, The Meaning of Liff
Reply to: