
Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)



Hello Thomas, hello Debian Security team,

Frank Küster <frank@debian.org> wrote:

> tetex-bin_3.0 in experimental is vulnerable.

This is about CAN-2005-2097, see
http://www.securityfocus.com/bid/14529/info.  The provided patch (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=322467) is said to be
against xpdf-3.00, and indeed it applies cleanly against the Debian xpdf
source package; however the xpdf sources in teTeX are different.

This is why I'm contacting you, Thomas: Although according to the
CHANGES file we should have xpdf-3.00, just as the xpdf package has,
at least one file (which should be patched) is missing in the teTeX
sources.

Now I'm wondering which changes you have made to the upstream sources,
and whether they were on purpose; and whether this makes teTeX
non-vulnerable, or requires a different patch to fix the vulnerability.

xpdf/xpdf/SplashOutputDev.cc is the file that does not exist.  I tried
to find code fragments that match the parts the patch removes, or the
lines before and after, but they don't occur in the sources in
tetex-bin.

TIA, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
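The check described in the mail above (does the file the patch touches exist in the other tree, and do the lines the patch removes, or the context lines around them, occur in it at all?) as an added shell example. This is not part of the original message and not code from the teTeX, xpdf or Debian packaging. The patch and source tree it builds under a `mktemp -d` directory are a constructed fixture: only the missing path `xpdf/xpdf/SplashOutputDev.cc` is taken from the mail, and the hunk contents are placeholders, not the CAN-2005-2097 fix.

```shell
#!/bin/sh
# Added example: triage whether a unified diff can apply to a diverged source tree.
# For every file a patch touches, report whether the file exists under SRCDIR and
# how many of each hunk's removed ("-") and context (" ") lines occur anywhere in
# that file.  Exit status is 1 if any file is missing or any hunk line is not found.
# Usage: patch_applicability PATCHFILE SRCDIR
patch_applicability() {
    awk -v src="$2" '
        function flush() {
            if (hunk == 0) return
            printf "%s hunk %d: %d/%d removed+context lines found\n", f, hunk, found, total
            if (found < total) bad = 1
        }
        /^\+\+\+ / {
            flush()
            f = $2; sub(/^[ab]\//, "", f); hunk = 0
            # Load the target file into a set of lines (empty if it is absent).
            delete seen
            path = src "/" f
            r = (getline l < path)
            if (r < 0) { printf "%s: MISSING in %s\n", f, src; bad = 1 }
            while (r > 0) { seen[l] = 1; r = (getline l < path) }
            close(path)
            next
        }
        /^--- / { next }                       # old-file header
        /^@@ /  { flush(); hunk++; found = 0; total = 0; next }
        f != "" && /^[- ]/ { total++; if (substr($0, 2) in seen) found++ }
        END { flush(); exit bad }
    ' "$1"
}

# Constructed fixture standing in for the Debian patch and the tetex-bin tree.
# Only the missing path xpdf/xpdf/SplashOutputDev.cc is taken from the mail; the
# file Example.cc and the hunk contents are placeholders, not the real fix.
make_fixture() {
    mkdir -p "$1/tree/xpdf/xpdf"
    printf 'int foo(int n) {\n  if (n < 0) return 0;\n  return n;\n}\n' \
        > "$1/tree/xpdf/xpdf/Example.cc"
    cat > "$1/fix.patch" <<'EOF'
--- a/xpdf/xpdf/Example.cc
+++ b/xpdf/xpdf/Example.cc
@@ -1,4 +1,4 @@
 int foo(int n) {
-  if (n < 0) return 0;
+  if (n < 0 || n > limit) return 0;
   return n;
 }
--- a/xpdf/xpdf/SplashOutputDev.cc
+++ b/xpdf/xpdf/SplashOutputDev.cc
@@ -10,3 +10,3 @@
 void draw() {
-  old();
+  replacement();
 }
EOF
}

# Build the fixture, run the check, clean up, and pass the check's status through.
run_demo() {
    tmp=$(mktemp -d) || return 2
    make_fixture "$tmp"
    patch_applicability "$tmp/fix.patch" "$tmp/tree"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if run_demo; then
    echo "every hunk line found: the patch should apply with plain patch -p1"
else
    echo "patch needs porting to this tree"
fi
```

The match is on whole lines anywhere in the target file, so a hunk whose context merely moved still reports as fully found; that is the case `patch --dry-run` settles on its own. What the report adds is the distinction the mail is after: a file that is absent altogether, versus a file that is present but where the hunk's removed lines no longer occur anywhere, which means the code was reorganized or dropped and the fix has to be ported rather than applied with fuzz.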
