Bug 75801 - app-text/tetex: vulnerable xpdf and tmpfile vulns
Bug#: 75801 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: major Priority: P1
Resolution: FIXED Assigned To: security@gentoo.org Reported By: koon@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-text/tetex: vulnerable xpdf and tmpfile vulns
Keywords:  
Status Whiteboard: A2 [glsa] koon
Opened: 2004-12-27 08:11 0000
Description:   Opened: 2004-12-27 08:11 0000 
Tetex includes xpdf code, so it is vulnerable to :
- CAN-2004-0888 and CAN-2004-0889 and 64 bit issues that were found on these
  xpdf2-style patches for these 2 can be found in app-text/pdftohtml files
  xpdf3-style patches for these 2 can be found in gnustep-libs/pdfkit files
- CAN-2004-1125 (see bug 75191)

Tetex also includes tmpfile vulns in "xdvizilla", see attached patch.

------- Comment #1 From Thierry Carrez (RETIRED) 2004-12-27 08:12:12 0000 ------- 
Created an attachment (id=46970) [details]
xdvizilla.patch

xdvizilla tmpfile vulns patch, ripped from Ubuntu's diff.

------- Comment #2 From Thierry Carrez (RETIRED) 2004-12-28 02:40:04 0000 ------- 
text-markup team, please apply patches and bump.

------- Comment #3 From Thierry Carrez (RETIRED) 2005-01-01 11:19:17 0000 ------- 
Mandrake Advisory: MDKSA-2004:166
Ubuntu Security Notice: USN-51-1

text-markup team: please apply patches and bump

------- Comment #4 From Mamoru KOMACHI (RETIRED) 2005-01-01 22:00:53 0000 ------- 
I don't have time to do this until 17 Jan. Sorry for that.
(It includes several patches and we need to check tetex,
ptex and cstetex)

Could somebody else from text-markup team apply these patches?

------- Comment #5 From Thierry Carrez (RETIRED) 2005-01-07 05:20:15 0000 ------- 
Mamoru: I tried to ask to other text-markup members but it seems only you can
do it :/ If you know someone else please contact him/her and ask for help...
since I didn't have much success asking for help myself.

------- Comment #6 From MATSUU Takuto 2005-01-08 05:02:17 0000 ------- 
Created an attachment (id=47932) [details]
tetex-2.0.2-r5.ebuild

------- Comment #7 From MATSUU Takuto 2005-01-08 05:02:45 0000 ------- 
Created an attachment (id=47933) [details]
ptex-3.1.4-r2.ebuild

------- Comment #8 From MATSUU Takuto 2005-01-08 06:37:30 0000 ------- 
Created an attachment (id=47937) [details]
cstetex-2.0.2-r1.ebuild

------- Comment #9 From Thierry Carrez (RETIRED) 2005-01-10 01:49:02 0000 ------- 
Matsuu: you're missing the CAN-2004-1125 fix. Something like
app-text/pdftohtml/pdftohtml-xpdf-3.00pl2-CAN-2004-1125.patch should be applied
too.

------- Comment #10 From MATSUU Takuto 2005-01-15 23:50:38 0000 ------- 
Created an attachment (id=48625) [details]
xpdf-CESA-2004-007-xpdf2-newer.diff

------- Comment #11 From MATSUU Takuto 2005-01-15 23:51:10 0000 ------- 
Created an attachment (id=48626) [details]
xpdf-goo-sizet.patch

------- Comment #12 From MATSUU Takuto 2005-01-15 23:51:38 0000 ------- 
Created an attachment (id=48627) [details]
xpdf2-underflow.patch

------- Comment #13 From MATSUU Takuto 2005-01-15 23:52:10 0000 ------- 
Created an attachment (id=48628) [details]
xpdf-3.00pl2-CAN-2004-1125.patch

------- Comment #14 From MATSUU Takuto 2005-01-15 23:52:38 0000 ------- 
Created an attachment (id=48629) [details]
tetex-2.0.2-r5.ebuild

------- Comment #15 From Thierry Carrez (RETIRED) 2005-01-19 00:28:49 0000 ------- 
Matsuu, you should commit new ebuilds in portage, as ~
Please also include xpdf-3.00pl3.patch from bug 77888

------- Comment #16 From Thierry Carrez (RETIRED) 2005-01-19 00:31:49 0000 ------- 
*** Bug 78251 has been marked as a duplicate of this bug. ***

------- Comment #17 From MATSUU Takuto 2005-01-19 15:16:45 0000 ------- 
app-text/tetex-2.0.2-r5
app-text/cstetex-2.0.2-r1
app-text/ptex-3.1.4-r2
in cvs

------- Comment #18 From Luke Macken (RETIRED) 2005-01-19 15:47:39 0000 ------- 
Target KEYWORDS:

app-text/tetex-2.0.2-r5: alpha amd64 arm, hppa, ia64, mips, ppc, ppc64, ppc, macos, s390, sparc, x86
app-text/cstetex-2.0.2-r1: x86
app-text/ptex-3.1.4-r2: alpha, amd64, ppc, sparc, ppc64, ppc-macos, x86

archs, please mark stable.

------- Comment #19 From Luke Macken (RETIRED) 2005-01-19 15:52:23 0000 ------- 
s/ppc, macos/ppc-macos/

------- Comment #20 From Mike Doty 2005-01-19 18:50:34 0000 ------- 
app-text/tetex-2.0.2-r5 stable on amd64, I'll have to find someone else to test
ptex

------- Comment #21 From Bryan Østergaard (RETIRED) 2005-01-20 10:03:23 0000 ------- 
Stable on alpha.

------- Comment #22 From Olivier Crete 2005-01-20 12:11:45 0000 ------- 
all three done on x86

------- Comment #23 From Markus Rothe 2005-01-20 12:15:38 0000 ------- 
app-text/ptex-3.1.4-r2 and app-text/tetex-2.0.2-r5 stable on ppc64

------- Comment #24 From Ferris McCormick 2005-01-20 12:26:30 0000 ------- 
Tetex good for sparc.  Builds, installs, and creates correct output.

I cannot comment on cstetex or ptex, and am leaving them for someone who knows what they are.

------- Comment #25 From Hardave Riar (RETIRED) 2005-01-21 02:38:07 0000 ------- 
tetex stable on mips.

------- Comment #26 From Danny van Dyk (RETIRED) 2005-01-21 12:49:06 0000 ------- 
ptex doesn't build for me... :-/

------- Comment #27 From Simon Stelling (RETIRED) 2005-01-21 13:25:18 0000 ------- 
i can't confirm kugelfang's issue, it works fine here so i marked it stable

------- Comment #28 From Lars Weiler (RETIRED) 2005-01-21 13:42:55 0000 ------- 
tetex and ptex stable on ppc.

------- Comment #29 From Thierry Carrez (RETIRED) 2005-01-21 14:17:14 0000 ------- 
We just wait on sparc testing of ptex to issue the GLSA.

------- Comment #30 From Jason Wever (RETIRED) 2005-01-22 13:15:42 0000 ------- 
ptex stable on sparc

------- Comment #31 From Thierry Carrez (RETIRED) 2005-01-23 04:19:13 0000 ------- 
GLSA 200501-31
arm, hppa, ia64, ppc-macos, s390: please mark those stable to benefit from GLSA

------- Comment #32 From René Nussbaumer 2005-06-26 05:24:19 0000 ------- 
Already stable on hppa