|Summary:||app-text/pdftohtml: vulnerable version of xpdf included|
|Product:||Gentoo Security||Reporter:||Matthias Geerdsen (RETIRED) <vorlon>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||jesse, klieber, robbat2, solar|
|Whiteboard:||B2 [glsa] koon|
|Package list:||Runtime testing required:||---|
Description Matthias Geerdsen (RETIRED) 2004-10-26 07:33:05 UTC
robbat2 you committed the ebuild, could you maybe verify and apply the patches for xpdf?
Comment 2 Thierry Carrez (RETIRED) 2004-10-30 09:29:43 UTC
Robin: please apply fixes and bump
Comment 3 Thierry Carrez (RETIRED) 2004-11-03 02:51:31 UTC
Robin: in fact you might want to use patches from bug 69662
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) 2004-11-09 01:21:33 UTC
Robin seems to be away. I think either security should patch or it should be masked.
Comment 5 Robin Johnson 2004-11-09 03:04:05 UTC
Sorry, no time at the moment. I'm doing exams, and I'll be away this weekend at the ACM contest. I'd say go ahead and mask it for the moment, citing this bug. I don't believe it's a dependency for anything, so nothing should break. If somebody else needs it before I have time to get to it (~2 weeks from now), then they can leave the exact needed patches here, and I can see about applying them.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) 2004-11-13 00:02:53 UTC
Thx Robin. solar/klieber please mask for now.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2004-11-20 01:42:07 UTC
CC'ing devs with masking powers.
Comment 8 solar (RETIRED) 2004-11-20 08:55:59 UTC
# <firstname.lastname@example.org> (20 Nov 2004)
# security masked per request of maintainer till
# such time as he can fix it. bug 69019
app-text/pdftohtml

Checking in package.mask;
/var/cvsroot/gentoo-x86/profiles/package.mask,v <-- package.mask
new revision: 1.3337; previous revision: 1.3336
done
Comment 9 Jesse Adelman 2004-11-20 12:23:07 UTC
Plone 2.0.4 depends -> net-zope/portaltransforms depends-> app-text/pdftohtml. Just FYI, no biggie:

homeserver-02 root # emerge -puD world
These are the packages that I would merge, in order:
Calculating world dependencies |
!!! All ebuilds that could satisfy "app-text/pdftohtml" have been masked.
!!! One of the following masked packages is required to complete your request:
- app-text/pdftohtml-0.36 (masked by: package.mask)
# <email@example.com> (20 Nov 2004)
# security masked per request of maintainer till
# such time as he can fix it. bug 69019

For more information, see MASKED PACKAGES section in the emerge man page or
section 2.2 "Software Availability" in the Gentoo Handbook.
!!! (dependency required by "net-zope/portaltransforms-1.3.2" [ebuild])

!!! Problem with ebuild net-zope/plone-2.0.4
!!! Possibly a DEPEND/*DEPEND problem.
!!! Depgraph creation failed.
Comment 10 Thierry Carrez (RETIRED) 2004-11-21 01:20:12 UTC
This hopefully will be fixed soon enough that we don't have to issue a temp GLSA about it. Blocked deps users can still unmask the package, at their own risk.
Comment 11 solar (RETIRED) 2004-11-21 06:34:01 UTC
Or attach a patch here.
Comment 12 Thierry Carrez (RETIRED) 2004-11-21 13:57:27 UTC
Re: the patch, it's the usual set of recent xpdf patches, but someone must ensure that they apply correctly and build. I lack the time, so if someone else can do it (scouts out there?)
Comment 13 Thierry Carrez (RETIRED) 2004-11-22 02:23:52 UTC
Here we go... This is an xpdf-2 so you should get:

xpdf-CESA-2004-007-xpdf2-newer.diff (http://bugs.gentoo.org/attachment.cgi?id=42169)
Applies cleanly in xpdf/ (-p0)

xpdf2-underflow.patch (http://bugs.gentoo.org/attachment.cgi?id=43034)
Applies cleanly in xpdf/ (-p2)

xpdf-goo-sizet.patch (http://bugs.gentoo.org/attachment.cgi?id=43033)
Applies cleanly in goo/ (-p2)
Comment 14 Robin Johnson 2004-11-22 03:01:01 UTC
The patched version is tested and placed in CVS now. One really minor complaint with your patches. I ran it through a few test PDF files, and while the output is identical, I do notice a slowdown between the two. The largest test case is a ~3000-page PDF with lots of cross-referencing links (it's a preprint of an encyclopedia from some past work). The patched version takes ~10% longer to process than the unpatched version. For the large file, this is approx. 2.5 minutes more (old time is ~25 minutes, new time is ~27.5 minutes).
Comment 15 Thierry Carrez (RETIRED) 2004-11-22 08:56:12 UTC
Thx Robin, this is ready for a GLSA. About the patches: I suppose the performance drop comes from all the extra sanity checks done to ensure the provided PDF is not nasty. I'm not too sure we can work around this...
Comment 16 Thierry Carrez (RETIRED) 2004-11-23 01:09:56 UTC