
Bug#278298: tetex-bin might be affected by CAN-2004-0889



On 26.10.04 Frank Küster (frank@debian.org) wrote:
> Frank Küster <frank@debian.org> wrote:

Hi *,

> > 4 c/cc files in texk/web2c/pdftexdir include gmem.h from
> > libs/xpdf/goo. There might be more. It affects both woody and
> > sarge/sid. 
> 
> According to 
> 
> http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:113
> 
> and
> 
> http://www.securityfocus.com/archive/1/379114/2004-10-21/2004-10-27/0
> 
> the issue affects xpdf 3.0 and xpdf 2.02. woody ships xpdf 0.92
> (2000-dec-03) according to the README file in the xpdf directory.
> Might be hard to even find out whether it is affected. sarge/sid
> have 2.01 (2002-dec-05) and are probably affected.
> 
Remark. changelog of xpdf:

xpdf (3.00-9) unstable; urgency=high

 * Applied patch to fix vulnerability CAN-2004:0889: integer overflow
   issues that could allow denial of service or possibly arbitrary
   code execution

 -- Hamish Moffatt <hamish <at> debian.org>  Thu, 21 Oct 2004 23:49:32 +1000

The only changes were made in the source code of xpdf, not in the
code of libgoo, which we use. So I guess, if we don't compile (and package)
xpdf, we're not affected...

H.
-- 
sigmentation fault


