
Bug#322467: Please Help (was: Bug#322467: [CAN-2005-2097] Loca Table Verification Remote Denial of Service Vulnerability)



> This is why I'm contacting you, Thomas: Although according to the
> CHANGES file we should have xpdf-3.00 just as the xpdf package has,
> at least one file (which should be patched) is missing in the teTeX
> sources.

The following changes are done to the original sources:
  - xpdf/GlobalParams.cc: add GlobalParams::GlobalParams() which is
    basically a stripped down GlobalParams::GlobalParams(char *cfgFileName)
  - remove all files which are not needed for pdftex, e.g. those for
    the stand-alone xpdf viewer
  - portability / security fixes

Those from the last group are always forwarded upstream, of course.

> Now I'm wondering which changes you have made to the upstream sources,
> and whether they were on purpose; and whether this makes teTeX
> non-vulnerable, or requires a different patch to fix the vulnerability.

For the reasons given above, I think that teTeX is only affected by a
subset of all xpdf vulnerabilities.

Thomas


