[Secure-testing-team] Re: xpdf vulnerability?

Javier Fernández-Sanguino Peña jfs at computer.org
Wed Mar 23 00:13:36 UTC 2005


On Tue, Mar 22, 2005 at 02:01:37PM +0100, Frank Küster wrote:
> 
> Thank you, I found it extremely difficult (as someone who follows their
> own upstream, but not security-related mailing lists) to find resources
> of information.  Currently, the CVE IDs are often used to indicate which
> issue is talked about (like in the original mail from the
> secure-testing-team), but e.g. for CAN-2005-0206 there are no
> cross-references except the RedHat and Mandrake advisories, which aren't
> too helpful, either.

Why not? RedHat should probably have references to their Bugzilla database 
in their advisories...

> So I checked the bugtraq list at http://marc.theaimsgroup.com/, but
> again these are only security advisories by vendors, not actually
> information about patches, right?  And vendors often just link to the
> CVE... 

Actually, you looked at the Bugtraq mailing list and I was suggesting the 
Bugtraq database, actually Securityfocus' vulnerability database available 
at http://www.securityfocus.com/bid/

For example, if you search by CVE the Xpdf vulnerability related to 
CAN-2005-0206 you will get to BID-11501: 
http://www.securityfocus.com/bid/11501

In the 'solution' section you can see references to other vendors, and can 
go searching for information on their bug tracking systems or security 
advisories. Since you have a link to the version fixing it, you might do 
best if you go and check their sources too. SRPM packages, for example, are 
provided including both the original sources and the patches to those, and 
you can download those directly from RPM vendors (RedHat, SuSE, Mandrake, 
etc.). Gentoo sources include the patches to the sources in their CVS and 
usually reference the Bugzilla entries in their advisories (and the 
Bugzilla entry usually includes the patch too).

Moreover, if you go to the 'credit' section you will see links to either 
the advisories themselves or to the discussion in the Bugtraq mailing list 
related to the vulnerability. Some vulnerabilities are first disclosed in 
the mailing list and then fixed by software providers; some others are only 
first noticed (and added to the database) when a vendor produces an 
advisory.

> 
> The Xforce link you gave is a little more helpful to me; but the best I
> found (and remembered to have seen before...) was the iDefense page I
> found linked from Xforce:
> 
> http://www.idefense.com/application/poi/display?type=vulnerabilities
> 
> (Unfortunately, there's nothing there about CAN-2005-0206). 

Probably because CVE entries were generated after the iDefense advisory.

> 
> As for NIST's ICAT - what is freely downloadable there?  Again, I only
> found references to vendor advisories, no patches.  

NIST's ICAT can be found at http://icat.nist.gov. You can find CSV dumps of 
the database, but you are right, it does not include patches; no 
vulnerability database holds patches, at most they hold a reference to who 
disclosed the issue (maybe providing a patch) and what vendors were affected.

> Specifically, on all those pages I couldn't find anything about the
> differences between CAN-2004-0888 and CAN-2004-0889.

GLSA-200410-20, which references bug 69662 in Gentoo's BTS (
http://bugs.gentoo.org/show_bug.cgi?id=69662), includes both CVE references 
and provides two patches.

Gentoo's GLSA 200410-30 references additional bugs ( #68558, #68665, 
#68571, #69936, and  #69624) so maybe they are worth reviewing.

In any case, from Gentoo's BTS, it looks like this was disclosed first 
on Vendor-Sec (a private mailing list used by open source distributions), so 
you might want to send off a mail to the Security Team asking them to 
forward you the relevant mails.

> 
> If you keep me (or debian-tetex-maint) in the Cc, I'll happily write a
> patch for the Developer's Reference about security resources.

Done.

Regards

Javier
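The mail above points at vendor SRPMs as the place where the actual patches live. As an added example (not part of the original mail or of any vendor's tooling), the shell functions below read an unpacked SRPM's .spec file and list its PatchN: entries and every CVE/CAN identifier it mentions, so a maintainer can see which patch a vendor shipped for a given advisory. The spec content is constructed for illustration; the package name, file names and changelog are assumptions, and the CAN identifiers are the ones discussed in the thread. A real SRPM is unpacked first with rpm2cpio and cpio as shown in the comment.

```shell
#!/bin/sh
# Added example: map the patches in an SRPM's .spec file to the CVE/CAN
# identifiers it references. Unpack a real SRPM first with:
#   rpm2cpio xpdf-3.00-5.src.rpm | cpio -idm
# and point the functions at the resulting .spec file.

# Print "PatchN filename" for every PatchN: line in the spec file.
list_patches() {
    sed -n 's/^\(Patch[0-9]*\):[[:space:]]*\(.*\)$/\1 \2/p' "$1"
}

# Print the unique CVE/CAN identifiers mentioned anywhere in the spec
# (patch file names and %changelog included).
list_cves() {
    grep -E -o '(CVE|CAN)-[0-9]{4}-[0-9]{4,}' "$1" | sort -u
}

# Print the patch file(s) whose name carries the given identifier,
# e.g. patch_for_cve xpdf.spec CAN-2005-0206
patch_for_cve() {
    list_patches "$1" | grep -F -- "$2" | cut -d' ' -f2-
}

# Write a constructed sample spec (not a real vendor package) to a temp
# file and print its path. Names, versions and changelog are assumptions.
make_sample_spec() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Name: xpdf
Version: 3.00
Release: 5
Source0: xpdf-3.00.tar.gz
Patch0: xpdf-3.00-CAN-2004-0888.patch
Patch1: xpdf-3.00-CAN-2004-0889.patch
Patch2: xpdf-3.00-CAN-2005-0206.patch

%changelog
* Wed Mar 23 2005 Example Packager <packager@example.org> - 3.00-5
- Fix CAN-2005-0206
* Thu Oct 21 2004 Example Packager <packager@example.org> - 3.00-4
- Fix CAN-2004-0888 and CAN-2004-0889
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample when run directly.
SPEC=$(make_sample_spec)
echo "Patches declared:"
list_patches "$SPEC"
echo "Identifiers referenced:"
list_cves "$SPEC"
echo "Patch for CAN-2005-0206:"
patch_for_cve "$SPEC" CAN-2005-0206
rm -f "$SPEC"
```

The regular expressions are POSIX BRE/ERE so the script runs under dash as well as bash; grep -o is not in POSIX but is present in GNU and BSD grep. On a real spec, compare the identifiers in the changelog with the ones in the vendor advisory to spot a CVE that the vendor claims to fix but for which no patch is declared.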