
Bug#709146: marked as done (several security issues due embedded t1lib)



Your message dated Wed, 22 May 2013 03:04:56 +0000
with message-id <E1UezMG-0008LM-W3@franck.debian.org>
and subject line Bug#709146: fixed in texlive-bin 2013.20130522.30620-1
has caused the Debian Bug report #709146,
regarding several security issues due embedded t1lib
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
709146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709146
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: texlive-bin
Version: 2012.20120628-4
Severity: grave
Tags: security

Due to embedding t1lib, but not (at least) pulling the security
patches from the t1lib package, texlive-bin suffers from:

CVE-2011-0764
CVE-2011-0433
CVE-2011-1552
CVE-2011-1553
CVE-2011-1554

CVE-2010-2642 seems to be fixed in patch-01-buffer-limit

Hiding the fact with the lintian-override doesn't help very much (and
wheezy still has t1lib).

O.

-- System Information:
Debian Release: 7.0
  APT prefers stable
  APT policy: (500, 'stable'), (300, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message ---
Source: texlive-bin
Source-Version: 2013.20130522.30620-1

We believe that the bug you reported is fixed in the latest version of
texlive-bin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 709146@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Preining <preining@debian.org> (supplier of updated texlive-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 May 2013 10:07:27 +0900
Source: texlive-bin
Binary: texlive-binaries libkpathsea6 libkpathsea-dev libptexenc1 libptexenc-dev
Architecture: source amd64
Version: 2013.20130522.30620-1
Distribution: unstable
Urgency: low
Maintainer: Debian TeX Maintainers <debian-tex-maint@lists.debian.org>
Changed-By: Norbert Preining <preining@debian.org>
Description: 
 libkpathsea-dev - TeX Live: path search library for TeX (development part)
 libkpathsea6 - TeX Live: path search library for TeX (runtime part)
 libptexenc-dev - TeX Live: ptex encoding library (development part)
 libptexenc1 - TeX Live: pTeX encoding library
 texlive-binaries - Binaries for TeX Live
Closes: 709145 709146
Changes: 
 texlive-bin (2013.20130522.30620-1) unstable; urgency=low
 .
   * remove libgd and t1lib copies by removing the need to configure
     these libraries at all (Closes: #709145, #709146)
     Thanks Ondřej Surý <ondrej@debian.org> for providing the patch.
   * build with system zzlib and ice, remove embedded copies
   * remove copies of cairo, pixman which are already unused
   * re-include pmpost building, thanks to Hironori Kitagawa

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGcJxEACgkQ0r9KownFsJT8oACgjP/AnpvdorDI1MaU7CCit724
ARAAn2taUxZ9wSovF0zNUAdpok66Xj4x
=gnUT
-----END PGP SIGNATURE-----

--- End Message ---
