
Re: [SECURITY] [DSA 1548-1] New xpdf packages fix arbitrary code execution



* Message by -Devin Carraway- from Thu 2008-04-17:

> Package        : xpdf
> Vulnerability  : multiple
> Problem type   : local (remote)
> Debian-specific: no
> CVE Id(s)      : CVE-2008-1693
 
[...]
> For the unstable distribution (sid), these problems were fixed in
> version 3.02-1.2.

Is that really the case?

I checked the file[1] and found no traces from the fix[2] in it.

[1] http://ftp.de.debian.org/debian/pool/main/x/xpdf/xpdf_3.02-1.3.diff.gz 
[2] http://ftp.de.debian.org/debian/pool/main/x/xpdf/xpdf_3.01-9.1+etch4.diff.gz
    file debian/patches/36_CVE-2008-1693_embedded-font-typesafety.patch

Or maybe 3.02 does not need that fix (in contrast to 3.01)? But then, I found 
that the patch 36_CVE-2008-1693_embedded-font-typesafety.patch can be applied 
cleanly against 3.02 sources.

Thank you for clarifying.

Lasse
