
Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy



Dear security team,

Moritz Muehlenhoff <jmm@inutil.org> wrote:

> Package: tetex-bin
> Version: 3.0-10.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Multiple exploitable security problems have been found in xpdf, which are
> all present in tetex-bin's embedded xpdf copy as well

A patch is provided by upstream, and I'll be able to upload a fixed
version to sid in the next 2 or three days.

However, since I'm currently busy with real-life issues, I will *NOT* be
able to backport the patch to the stable version of tetex-bin, nor work
on the numerous other packages that contain xpdf code and that I have
prepared patches for or NMU'ed previously in similar cases.

Note also that testing still has the same upstream version as stable,
and other issues prevent the new version from migrating from sid to
testing soon.

Regards, Frank

P.S. Is anybody in contact with the xpdf upstream about providing a
dynamically shared library, or at least get clarification whether they
think distributions should try libpoppler instead?  If not, would the
security team allow me to quote them as "We would very much appreciate
if such a library existed, and would urge maintainers and upstream
developers to switch to using it"?
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer



