[Secure-testing-team] Re: xpdf vulnerability?

Hamish Moffatt hamish at debian.org
Tue Mar 22 09:50:01 UTC 2005


On Fri, Mar 18, 2005 at 09:38:14AM +0100, Hilmar Preusse wrote:
> As the extension to CAN-2004-0888 (CAN-2005-0206) came in after the
> latest tetex-bin upload we can't have the fix in sarge. I'll file a
> bug against tetex-bin and I guess Frank will upload ASAP. I'll check
> the woody version too.

I'm a bit confused.

We have the 2005-0206 fix in Xpdf 3.00-10 (last November).

However it's marked as being a followup to 2004-0889, not -0888.
The Xpdf changelog mentions 0889, but not 0888. I'm no longer sure which
patch is which.

It looks like we are missing part of 2005-0064. I am about to upload
that change (upstream patch 3.00pl3).

I was tempted to revert all the security patches and apply upstream's
versions, but I'm not sure that all the changes are there. Especially as
I don't know how 0888 and 0889 differ.


Hamish
-- 
Hamish Moffatt VK3SB <hamish at debian.org> <hamish at cloud.net.au>



