115775 2005-12-16 07:25 0000 app-text/tetex,cstetex,ptex share xpdf bugs listed in GLSA 200512-08 (CAN-2005-3193) 2006-05-23 10:48:28 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED B2 [glsa] jaervosz P2 normal --- 1 castan.o@free.fr security@gentoo.org cjk@gentoo.org malenko@email.cz mips@gentoo.org text-markup@gentoo.org wolf31o2@gentoo.org castan.o@free.fr 2005-12-16 07:25:10 0000 This bug submission has been resquested by Thierry Carrez in bug #114428. CAN-2005-319{1|2|3} affect tetex since xpdf code is included in tetex-src tarball. I've checked tetex-src-3.0/xpdf/xpdf/Stream.cc from tetex-src-3.0.tar.gz and verified that patch ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.01pl1.patch has not been applied. Moreover Fedora has already issued an 2 updates : http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00015.html http://www.redhat.com/archives/fedora-announce-list/2005-December/msg00016.html Reproducible: Always Steps to Reproduce: koon@gentoo.org 2005-12-17 03:03:51 0000 Ccing maintainers so that they know about it. For now just waiting, more issues coming up. jaervosz@gentoo.org 2006-01-03 07:50:02 0000 Further Xpdf issues. See bug #117481 for details. koon@gentoo.org 2006-01-05 02:09:26 0000 See patch on bug 117481 jaervosz@gentoo.org 2006-01-11 07:29:31 0000 Madrive released their fixed version. jaervosz@gentoo.org 2006-01-22 00:10:51 0000 text-markup any news on this one? nattfodd@gentoo.org 2006-01-22 02:58:08 0000 I'll include patch on bug 117481 with tetex-3.0_p1-r1, which should hopefully happen very soon (I still have an unsolved issue about which file generates which during a tetex build, so patch in bug 98029 can be applied correctly). If it's still delayed, poke me again and I'll do a special revision just for this. Thanks, and sorry for the delay nattfodd@gentoo.org 2006-01-22 08:38:03 0000 tetex-3.0_p1-r1 has just been commited and it includes the fixes from bug #117481, though the patch was not directly applied as upstream had already ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.01pl1.patch in the tarball of 3.0_p1. jaervosz@gentoo.org 2006-01-22 08:56:26 0000 Reopening: tetex-3 is not stable so we need a fix for tetex-2. nattfodd@gentoo.org 2006-01-23 14:06:46 0000 Done in tetex-2.0.2-r8 (which uses xpdf2 code). Please stabilize. dercorny@gentoo.org 2006-01-23 14:40:48 0000 dear arches, please test and mark tetex-2.0.2-r8 stable gustavoz@gentoo.org 2006-01-23 17:11:42 0000 dear security, sparc stable! killerfox@gentoo.org 2006-01-24 06:23:21 0000 Stable on hppa dertobi123@gentoo.org 2006-01-24 06:29:18 0000 ppc stable corsair@gentoo.org 2006-01-24 08:01:39 0000 stable on ppc64 kingtaco@gentoo.org 2006-01-24 18:30:29 0000 amd64 stable tsunam@gentoo.org 2006-01-24 23:44:48 0000 stable on x86, horray for latex :) yoswink@gentoo.org 2006-01-25 15:29:58 0000 Are the tetex tests working fine? Failed on alpha. Any other way of proper testing? ---------------------------------------------------------- make[2]: Entering directory `/var/tmp/portage/tetex-2.0.2-r8/work/tetex-src-2.0.2/texk/web2c' test -f tests/exampl.aux || \ cp ./tests/exampl.aux tests/exampl.aux TEXMFCNF=../kpathsea/texmf.cnf BSTINPUTS=./tests ./bibtex tests/exampl This is BibTeX, Version 0.99c (Web2C 7.4.5) The top-level auxiliary file: tests/exampl.aux I couldn't open database file xampl.bib ---line 1 of file tests/exampl.aux : \bibdata{xampl : } I'm skipping whatever remains of this command The style file: apalike.bst I found no database files---while reading file tests/exampl.aux Warning--I didn't find a database entry for "whole-journal" Warning--I didn't find a database entry for "whole-set" Warning--I didn't find a database entry for "whole-collection" Warning--I didn't find a database entry for "whole-proceedings" Warning--I didn't find a database entry for "book-full" (There were 2 error messages) make[2]: *** [bibtex-check] Error 2 make[2]: Leaving directory `/var/tmp/portage/tetex-2.0.2-r8/work/tetex-src-2.0.2/texk/web2c' make[1]: *** [check] Error 1 make[1]: Leaving directory `/var/tmp/portage/tetex-2.0.2-r8/work/tetex-src-2.0.2/texk' make: *** [check] Error 2 ---------------------------------------------------------- jaervosz@gentoo.org 2006-01-30 13:48:13 0000 text-markup please advise. jaervosz@gentoo.org 2006-01-30 14:23:10 0000 Back to ebuild wating to apply fix from bug #120985 koon@gentoo.org 2006-02-11 13:48:03 0000 nattfodd, could you do your magic again ? nattfodd@gentoo.org 2006-02-11 15:03:33 0000 Is there some way I can access an alpha box with emerge capabilities? koon@gentoo.org 2006-02-12 04:55:19 0000 The alpha herd is probably your friend in such a quest... nattfodd@gentoo.org 2006-02-13 03:48:59 0000 @jaervosz: I just check the source of tetex-2.0.2-r8 and the incriminated file from bug 120985 isn't there (tetex only uses part of xpdf source code, not the whole application). @yoswink: I tested tetex-2.0.2-r8 on an alpha box (thanks to the alpha herd) and it worked fine. Can you tell me if you have the file tetex-src-2.0.2/texmf/bibtex/bib/base/xampl.bib? Maybe we should move this elsewhere, as it doesn't seem to be related at all to xpdf patches or security matters. koon@gentoo.org 2006-02-13 10:18:23 0000 Ready for GLSA then. koon@gentoo.org 2006-02-18 06:38:44 0000 I fear app-text/cstetex app-text/ptex are affected as well... Maintainer herds, care to comment ? nattfodd@gentoo.org 2006-02-18 08:03:18 0000 I'm almost done with cstetex, which uses the tetex base code, so it's just a matter of adding the extra patch. Just checking it compiles fine and I'll commit it as 2.0.2-r2. It will need stabilization for x86 and amd64 though. I'll have a look at ptex after that, too. nattfodd@gentoo.org 2006-02-18 09:28:27 0000 I ended up porting most of the recent tetex patches to both of these packages. Anyway, cstetex-2.0.2-r2 and ptex-3.1.5-r1 have now the required fixes. They should be stabilized but I didn't know if I should ask for it myself or let you do it, so I didn't added the arch teams to Cc. koon@gentoo.org 2006-02-18 13:41:14 0000 arches please test and mark cstetex-2.0.2-r2 and ptex-3.1.5-r1 stable grobian@gentoo.org 2006-02-19 04:21:53 0000 cstetex-2.0.2-r2 has no ppc-macos keywords, so not marcked. ptex-3.1.5-r1 ppc-macos stable tsunam@gentoo.org 2006-02-19 15:45:01 0000 x86 stable corsair@gentoo.org 2006-02-20 05:48:35 0000 ptex-3.1.5-r1 stable on ppc64. cstetex never got ppc64 keyword gustavoz@gentoo.org 2006-02-20 06:46:10 0000 ptex sparc stable (and no cstetex for us). dertobi123@gentoo.org 2006-02-20 11:08:50 0000 ptex stable, no stable cstetex for ppc. killerfox@gentoo.org 2006-02-21 10:49:56 0000 ptex stable on hppa. No cstetex for us. koon@gentoo.org 2006-02-26 03:41:36 0000 tetex missing ppc-macos and mips [non-blocking] ptex still missing alpha and amd64 [blocking] + ia64 cstex missing amd64 [blocking] blubb@gentoo.org 2006-02-27 11:18:39 0000 make test fails for ptex on amd64, seems like the bug mentioned in comment 17, but i only had a very quick glance at it: make[2]: Entering directory `/var/tmp/portage/ptex-3.1.5-r1/work/tetex-src-2.0.2/texk/web2c' test -f tests/exampl.aux || \ cp ./tests/exampl.aux tests/exampl.aux TEXMFCNF=../kpathsea/texmf.cnf BSTINPUTS=./tests ./bibtex tests/exampl This is BibTeX, Version 0.99c (Web2C 7.4.5) The top-level auxiliary file: tests/exampl.aux I couldn't open database file xampl.bib ---line 1 of file tests/exampl.aux : \bibdata{xampl : } I'm skipping whatever remains of this command The style file: apalike.bst I found no database files---while reading file tests/exampl.aux Warning--I didn't find a database entry for "whole-journal" Warning--I didn't find a database entry for "whole-set" Warning--I didn't find a database entry for "whole-collection" Warning--I didn't find a database entry for "whole-proceedings" Warning--I didn't find a database entry for "book-full" (There were 2 error messages) make[2]: *** [bibtex-check] Error 2 make[2]: Leaving directory `/var/tmp/portage/ptex-3.1.5-r1/work/tetex-src-2.0.2/texk/web2c' make[1]: *** [check] Error 1 make[1]: Leaving directory `/var/tmp/portage/ptex-3.1.5-r1/work/tetex-src-2.0.2/texk' make: *** [check] Error 2 !!! ERROR: app-text/ptex-3.1.5-r1 failed. !!! Function src_test, Line 592, Exitcode 0 !!! Make check failed. See above for details. nattfodd@gentoo.org 2006-03-01 04:58:13 0000 (In reply to comment #36) > make test fails for ptex on amd64, seems like the bug mentioned in comment 17, > but i only had a very quick glance at it: Could you please answer to the question in comment #23? I still fail to see why this is happening... blubb@gentoo.org 2006-03-01 05:01:59 0000 Sure: # file /var/tmp/portage/ptex-3.1.5-r1/work/tetex-src-2.0.2/texmf/bibtex/bib/base/xampl.bib /var/tmp/portage/ptex-3.1.5-r1/work/tetex-src-2.0.2/texmf/bibtex/bib/base/xampl.bib: BibTeX text file ehmsen@gentoo.org 2006-03-01 05:03:53 0000 The problem you are having is described in bug 68878. It only happens if FEATURES="test" the first time tetex is emerged. It doesn't happen on up/down-grades. blubb@gentoo.org 2006-03-01 12:31:50 0000 i see. so it shouldn't affect users who upgrade because of this security bug -> marked stable on amd64 koon@gentoo.org 2006-03-04 04:25:06 0000 Alpha: we still need you to mark ptex-3.1.5-r1 stable. The GLSA is blocked for quite some time now... yoswink@gentoo.org 2006-03-04 08:09:42 0000 ptex-3.1.5-r1 stable on alpha. Sorry Thierry about the delay. koon@gentoo.org 2006-03-04 08:30:28 0000 Ready for GLSa, will send it right now. koon@gentoo.org 2006-03-04 08:44:00 0000 GLSA 200603-02 ia64, mips and ppc-macos should mark missing ebuilds stable grobian@gentoo.org 2006-05-23 10:48:28 0000 app-text/tetex-2.0.2-r8 ppc-macos stable Sorry for the delay!