Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 69019

Summary: app-text/pdftohtml: vulnerable version of xpdf included
Product: Gentoo Security Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: jesse, klieber, robbat2, solar
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B2 [glsa] koon
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-26 07:33:05 UTC
robbat2 you committed the ebuild, could you maybe verify and apply the patches for xpdf?
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-26 09:14:26 UTC
If needed, patches are on bug 68058
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-30 09:29:43 UTC
Robin: please apply fixes and bump
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-11-03 02:51:31 UTC
Robin: in fact you might want to use patches from bug 69662
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-09 01:21:33 UTC
Robin seems to be away. I think either security should patch or it should be masked.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-11-09 03:04:05 UTC
Sorry, no time at the moment. I'm doing exams, and i'll be away this weekend at the ACM contest.

I'd say go ahead and mask it for the moment, citing this bug. I don't believe it's a dependancy for anything, so nothing should break.

If somebody else needs it before I have time to get to it (~2 weeks from now), then they can leave the exact needed patches here, and I can see about applying them.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-13 00:02:53 UTC
Thx Robin.

solar/klieber please mask for now.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-11-20 01:42:07 UTC
CC'ing devs with masking powers.
Comment 8 solar (RETIRED) gentoo-dev 2004-11-20 08:55:59 UTC
# <> (20 Nov 2004)
# security masked per request of maintainer till
# such time as he can fix it. bug 69019

Checking in package.mask;
/var/cvsroot/gentoo-x86/profiles/package.mask,v  <--  package.mask
new revision: 1.3337; previous revision: 1.3336
Comment 9 Jesse Adelman 2004-11-20 12:23:07 UTC
Plone 2.0.4 depends -> net-zope/portaltransforms depends-> app-text/pdftohtml. Just FYI, no biggie:

homeserver-02 root # emerge -puD world

These are the packages that I would merge, in order:

Calculating world dependencies |
!!! All ebuilds that could satisfy "app-text/pdftohtml" have been masked.
!!! One of the following masked packages is required to complete your request:
- app-text/pdftohtml-0.36 (masked by: package.mask)
# <> (20 Nov 2004)
# security masked per request of maintainer till 
# such time as he can fix it. bug 69019

For more information, see MASKED PACKAGES section in the emerge man page or 
section 2.2 "Software Availability" in the Gentoo Handbook.
!!!    (dependency required by "net-zope/portaltransforms-1.3.2" [ebuild])

!!! Problem with ebuild net-zope/plone-2.0.4
!!! Possibly a DEPEND/*DEPEND problem.

!!! Depgraph creation failed.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-11-21 01:20:12 UTC
This hopefully will be fixed soon enough that we don't have to issue a temp GLSA about it. Blocked deps users can still unmask the package, at their own risk.
Comment 11 solar (RETIRED) gentoo-dev 2004-11-21 06:34:01 UTC
Or attach a patch here.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-11-21 13:57:27 UTC
Re: the patch, it's the usual set of recent xpdf patches, but someone must ensure that they apply correctly and build. I miss the time, so if someone else can do it (scouts out there ?)
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-11-22 02:23:52 UTC
Here we go... This is an xpdf-2 so you should get :

xpdf-CESA-2004-007-xpdf2-newer.diff (
Applies cleanly in xpdf/ (-p0)

xpdf2-underflow.patch (
Applies cleanly in xpdf/ (-p2)

xpdf-goo-sizet.patch (
Appies cleanly in goo/ (-p2)
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-11-22 03:01:01 UTC
The patched version is tested and placed in CVS now.

One really minor complaint with your patches.
I ran it thru a few test PDF files, and while the output is identical, I do notice a slowdown between the two.

The largest test case is a ~3000-page PDF with lots of cross-referencing links (it's a preprint of an encyclopedia from some past work)

The patched version takes ~10% longer to process than the unpatched version.
For the large file, this is approx. 2.5 minutes more (old time is ~25 minutes, new time is ~27.5 minutes).
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-11-22 08:56:12 UTC
Thx Robin, this is ready for a GLSA.

About the patches : I suppose the performance drop comes from the all extra sanity checks done to ensure the provided PDF is not nasty. I'm not too sure we can workaround this...
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-11-23 01:09:56 UTC
GLSA 200411-30