Re: xpdf vulnerability?
- To: Micah Anderson <micah@debian.org>
- Cc: debian-tetex-maint <debian-tetex-maint@lists.debian.org>, xpdf@packages.debian.org, pdftohtml@packages.debian.org, debian-security@lists.debian.org, secure-testing-team@lists.alioth.debian.org
- Subject: Re: xpdf vulnerability?
- From: Hilmar Preusse <hille42@web.de>
- Date: Fri, 18 Mar 2005 09:38:14 +0100
- Message-id: <20050318083814.GA2500@preusse>
- Mail-followup-to: Micah Anderson <micah@debian.org>, debian-tetex-maint <debian-tetex-maint@lists.debian.org>, xpdf@packages.debian.org, pdftohtml@packages.debian.org, debian-security@lists.debian.org, secure-testing-team@lists.alioth.debian.org
- In-reply-to: <20050318055610.GM9731@riseup.net>
- References: <20050316040149.GD9731@riseup.net> <874qfcc7ug.fsf@alhambra.kuesterei.ch> <87ll8nwtol.fsf@alhambra.kuesterei.ch> <20050318055610.GM9731@riseup.net>
On 18.03.05 Micah Anderson (micah@debian.org) wrote:
> On Wed, 16 Mar 2005, Frank Küster wrote:
Hi .*,
> > Can anybody point me to a place where I can find the patch for
> > the 64-bit-specific issue? The CVE only lists the RedHat and
> > Mandrake security announcements, but I don't know how to get
> > those source-rpm's. I found
> > ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch - if that's the
> > right one, tetex-bin in sarge/unstable is vulnerable. In woody
> > the code looks very different.
>
> Unfortunately, it takes some deep digging sometimes. I've had to
> email the security announce mailing address to find specific
> patches before. Surprisingly, they responded...
>
Great! Now I found out that the patch was only two links away from
the RHSA :-(.
> I searched Redhat's Bugzilla, and found this:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393
>
> Can you determine if tetex-bin, pdftohtml and xpdf have this in
> Sarge?
>
As the extension to CAN-2004-0888 (CAN-2005-0206) came in after the
latest tetex-bin upload we can't have the fix in sarge. I'll file a
bug against tetex-bin and I guess Frank will upload ASAP. I'll check
the woody version too.
H.
--
Deliver yesterday, code today, think tomorrow.