[Secure-testing-team] Re: xpdf vulnerability?
Hilmar Preusse
hille42 at web.de
Fri Mar 18 08:38:14 UTC 2005
On 18.03.05 Micah Anderson (micah at debian.org) wrote:
> On Wed, 16 Mar 2005, Frank Küster wrote:
Hi .*,
> > Can anybody point me to a place where I can find the patch for
> > the 64-bit-specific issue? The CVE only lists the RedHat and
> > Mandrake security announcements, but I don't know how to get
> > those source-rpm's. I found
> > ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch - if that's the
> > right one, tetex-bin in sarge/unstable is vulnerable. In woody
> > the code looks very different.
>
> Unfortunately, it takes some deep digging sometimes. I've had to
> email the security announce mailing address to find specific
> patches before. Surprisingly, they responded...
>
Great! Now I found out that the patch was only two links away from
the RHSA :-(.
> I searched Redhat's Bugzilla, and found this:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393
>
> Can you determine if tetex-bin, pdftohtml and xpdf have this in
> Sarge?
>
As the extension to CAN-2004-0888 (CAN-2005-0206) came in after the
latest tetex-bin upload we can't have the fix in sarge. I'll file a
bug against tetex-bin and I guess Frank will upload ASAP. I'll check
the woody version too.
H.
--
Deliver yesterday, code today, think tomorrow.