Bug#278298: tetex-bin might be affected by CAN-2004-0889
On 26.10.04 Frank Küster (frank@debian.org) wrote:
> Frank Küster <frank@debian.org> wrote:
Hi *,
> > 4 c/cc files in texk/web2c/pdftexdir include gmem.h from
> > libs/xpdf/goo. There might be more. It affects both woody and
> > sarge/sid.
>
> According to
>
> http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:113
>
> and
>
> http://www.securityfocus.com/archive/1/379114/2004-10-21/2004-10-27/0
>
> the issue affects xpdf 3.0 and xpdf 2.02. woody ships xpdf 0.92
> (2000-dec-03) according to the README file in the xpdf directory.
> Might be hard to even find out whether it is affected. sarge/sid
> have 2.01 (2002-dec-05) and are probably affected.
>
Remark. changelog of xpdf:

xpdf (3.00-9) unstable; urgency=high

  * Applied patch to fix vulnerability CAN-2004:0889: integer overflow
    issues that could allow denial of service or possibly arbitrary
    code execution

 -- Hamish Moffatt <hamish <at> debian.org>  Thu, 21 Oct 2004 23:49:32 +1000

The only changes were made in the source code of xpdf, not in the
code of libgoo, which we use. So I guess, if we don't compile (and package)
xpdf, we're not affected...
H.
--
sigmentation fault