Bug 117481 - app-text/xpdf first Xpdf round this year
Summary: app-text/xpdf first Xpdf round this year
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [] jaervosz
Reported: 2006-01-02 13:05 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-11-11 19:34 UTC

Attachments
xpdf300_combined.diff (xpdf300_combined.diff,8.50 KB, patch)
2006-01-03 05:17 UTC, Thierry Carrez (RETIRED)
xpdf202_combined.diff (xpdf202_combined.diff,6.89 KB, patch)
2006-01-03 05:17 UTC, Thierry Carrez (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-02 13:05:06 UTC
Opening separate bugs for cups, poppler, gpdf. 

Handling pdftohtml, tetex, pdff, kword on their respective bugs that are still open.

kpdf and kword already silently patched in CVS.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-02 13:08:31 UTC
CC'ing metalgod for advice. If you commit, please only mention the bug # in the Changelog for now.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-02 14:50:50 UTC
metalgod is short on time, CC'ing dang as well.
Comment 3 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-01-02 16:51:15 UTC
Are there any fixed patches for this?  None of us are actually devs for xpdf/poppler/etc...
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-03 00:17:48 UTC
The patch used by kpdf and kword is in Portage. I hope there will be an official upstream patch soon.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-01-03 05:17:08 UTC
Created attachment 76071
xpdf300_combined.diff

Combined xpdf-3 patch from Ludwig Nussel. Might include some already-fixed issues so might need some cleanup.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-01-03 05:17:44 UTC
Created attachment 76072
xpdf202_combined.diff

Combined xpdf-2 patch from Ludwig Nussel, in case it's needed by some tools.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-03 07:42:20 UTC
Printing, please provide an updated ebuild.
Comment 8 Stefan Schweizer (RETIRED) gentoo-dev 2006-01-03 15:03:32 UTC
The diff returns a lot of failed hunks when I try to apply it on poppler. Do we have a native poppler patch somewhere?
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-01-05 10:16:44 UTC
poppler is bumped to poppler-0.4.3-r4 with this fix.  Xpdf is not yet done.
Comment 10 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-01-05 12:03:24 UTC
xpdf-3.01-r5 is bumped with these fixes.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-05 13:32:05 UTC
Arches, please test and mark stable.
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2006-01-05 14:25:50 UTC
stable on ppc64
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-05 22:22:14 UTC
Handling stable marking of Xpdf on bug #117495, please see that bug for details about stable marking.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2006-01-09 08:31:34 UTC
app-text/xpdf-3.01-r5 marked stable on hppa.
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2006-01-11 05:54:27 UTC
sparc done, I think :)
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-11 07:58:14 UTC
ppc stable
Comment 17 Simon Stelling (RETIRED) gentoo-dev 2006-01-12 08:14:02 UTC
amd64 stabilized as mentioned in bug 117495
Comment 18 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-01-12 14:47:09 UTC
As the maintainer for pdftohtml, could I please be CC'd when these holes crop up? I'm not a member of the printing herd.

Related to Xpdf security holes, I was just reviewing pdftohtml's existing patches vs. poppler, and I noticed that poppler seems to be missing the fixes from xpdf2-underflow.patch. Could the security team or the poppler maintainers please take a look at it?

Seeing how poppler and pdftohtml are diverging, I'd like to know of any functionality differences in the pdftohtml provided by the pdftohtml from each of the poppler and pdftohtml codebases. The only one I see at a glance is the -nodrm stuff in poppler. (FYI even the poppler pdftohtml claims to be pdftohtml-0.36, might want to change that ;-).
Comment 19 Mark Loeser (RETIRED) gentoo-dev 2006-01-12 17:48:56 UTC
x86 done
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-12 22:31:34 UTC
Robbat, see bug #115789 for the pdftohtml bug.

Printing, please advise on missing patch.
Comment 21 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-01-12 23:35:24 UTC
jaervosz: Yes I see #115789. We're trying to figure if pdftohtml should just be dropped in favour of poppler, as they do seem to be reasonably close in terms of functionality.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-13 15:16:28 UTC
And stable marking can continue :-)

[00:15:06] <@taviso> jaervosz: looks like poppler doesnt need the underflow patch
[00:15:12] <@taviso> so i would say, safe
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-16 14:16:21 UTC
Bahh sorry for the bug spam. Stable marking is on bug #117495
Comment 24 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-01-25 23:14:01 UTC
pdftohtml is now in p.mask, and will be removed early next week (keeping it around for a few days in case problems crop up).

I've changed all deps in the tree (sys-cluster/charm and app-zope/portaltransforms for those keeping track) to point to poppler instead.

The dep blocker in poppler of "!app-text/poppler" remains, as a way to force users to uninstall pdftohtml and move to poppler instead.
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-26 05:16:02 UTC
We should probably push this info to the GWN team.
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-27 23:09:12 UTC
Mail sent to GWN a few days ago.
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-30 14:39:52 UTC
GLSA 200601-17
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-31 02:37:39 UTC
And now actually closing.