Bug 75801

Summary:

app-text/tetex: vulnerable xpdf and tmpfile vulns

Product:

Gentoo Security

Reporter:

Thierry Carrez (RETIRED) <koon>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

major

CC:

matsuu, ppc-macos, text-markup+disabled

Priority:

Highest

Version:

unspecified

Hardware:

All

OS:

All

Whiteboard:

A2 [glsa] koon

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
xdvizilla.patch	none
tetex-2.0.2-r5.ebuild	none
ptex-3.1.4-r2.ebuild	none
cstetex-2.0.2-r1.ebuild	none
xpdf-CESA-2004-007-xpdf2-newer.diff	none
xpdf-goo-sizet.patch	none
xpdf2-underflow.patch	none
xpdf-3.00pl2-CAN-2004-1125.patch	none
tetex-2.0.2-r5.ebuild	none

Description Thierry Carrez (RETIRED) gentoo-dev

2004-12-27 08:11:34 UTC

Tetex includes xpdf code, so it is vulnerable to :
- CAN-2004-0888 and CAN-2004-0889 and 64 bit issues that were found on these
  xpdf2-style patches for these 2 can be found in app-text/pdftohtml files
  xpdf3-style patches for these 2 can be found in gnustep-libs/pdfkit files
- CAN-2004-1125 (see bug 75191)

Tetex also includes tmpfile vulns in "xdvizilla", see attached patch.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2004-12-27 08:12:12 UTC

Created attachment 46970 [details, diff]
xdvizilla.patch

xdvizilla tmpfile vulns patch, ripped from Ubuntu's diff.

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2004-12-28 02:40:04 UTC

text-markup team, please apply patches and bump.

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-01-01 11:19:17 UTC

Mandrake Advisory: MDKSA-2004:166
Ubuntu Security Notice: USN-51-1

text-markup team: please apply patches and bump

Comment 4 Mamoru KOMACHI (RETIRED) gentoo-dev

2005-01-01 22:00:53 UTC

I don't have time to do this until 17 Jan. Sorry for that.
(It includes several patches and we need to check tetex,
ptex and cstetex)

Could somebody else from text-markup team apply these patches?

Comment 5 Thierry Carrez (RETIRED) gentoo-dev

2005-01-07 05:20:15 UTC

Mamoru: I tried to ask to other text-markup members but it seems only you can do it :/ If you know someone else please contact him/her and ask for help... since I didn't have much success asking for help myself.

Comment 6 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-08 05:02:17 UTC

Created attachment 47932 [details]
tetex-2.0.2-r5.ebuild

Comment 7 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-08 05:02:45 UTC

Created attachment 47933 [details]
ptex-3.1.4-r2.ebuild

Comment 8 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-08 06:37:30 UTC

Created attachment 47937 [details]
cstetex-2.0.2-r1.ebuild

Comment 9 Thierry Carrez (RETIRED) gentoo-dev

2005-01-10 01:49:02 UTC

Matsuu: you're missing the CAN-2004-1125 fix. Something like app-text/pdftohtml/pdftohtml-xpdf-3.00pl2-CAN-2004-1125.patch should be applied too.

Comment 10 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-15 23:50:38 UTC

Created attachment 48625 [details, diff]
xpdf-CESA-2004-007-xpdf2-newer.diff

Comment 11 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-15 23:51:10 UTC

Created attachment 48626 [details, diff]
xpdf-goo-sizet.patch

Comment 12 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-15 23:51:38 UTC

Created attachment 48627 [details, diff]
xpdf2-underflow.patch

Comment 13 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-15 23:52:10 UTC

Created attachment 48628 [details, diff]
xpdf-3.00pl2-CAN-2004-1125.patch

Comment 14 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-15 23:52:38 UTC

Created attachment 48629 [details]
tetex-2.0.2-r5.ebuild

Comment 15 Thierry Carrez (RETIRED) gentoo-dev

2005-01-19 00:28:49 UTC

Matsuu, you should commit new ebuilds in portage, as ~
Please also include xpdf-3.00pl3.patch from bug 77888

Comment 16 Thierry Carrez (RETIRED) gentoo-dev

2005-01-19 00:31:49 UTC

*** Bug 78251 has been marked as a duplicate of this bug. ***

Comment 17 MATSUU Takuto (RETIRED) gentoo-dev

2005-01-19 15:16:45 UTC

app-text/tetex-2.0.2-r5
app-text/cstetex-2.0.2-r1
app-text/ptex-3.1.4-r2
in cvs

Comment 18 Luke Macken (RETIRED) gentoo-dev

2005-01-19 15:47:39 UTC

Target KEYWORDS:

app-text/tetex-2.0.2-r5: alpha amd64 arm, hppa, ia64, mips, ppc, ppc64, ppc, macos, s390, sparc, x86
app-text/cstetex-2.0.2-r1: x86
app-text/ptex-3.1.4-r2: alpha, amd64, ppc, sparc, ppc64, ppc-macos, x86

archs, please mark stable.

Comment 19 Luke Macken (RETIRED) gentoo-dev

2005-01-19 15:52:23 UTC

s/ppc, macos/ppc-macos/

Comment 20 Mike Doty (RETIRED) gentoo-dev

2005-01-19 18:50:34 UTC

app-text/tetex-2.0.2-r5 stable on amd64, I'll have to find someone else to test ptex

Comment 21 Bryan Østergaard (RETIRED) gentoo-dev

2005-01-20 10:03:23 UTC

Stable on alpha.

Comment 22 Olivier Crete (RETIRED) gentoo-dev

2005-01-20 12:11:45 UTC

all three done on x86

Comment 23 Markus Rothe (RETIRED) gentoo-dev

2005-01-20 12:15:38 UTC

app-text/ptex-3.1.4-r2 and app-text/tetex-2.0.2-r5 stable on ppc64

Comment 24 Ferris McCormick (RETIRED) gentoo-dev

2005-01-20 12:26:30 UTC

Tetex good for sparc.  Builds, installs, and creates correct output.

I cannot comment on cstetex or ptex, and am leaving them for someone who knows what they are.

Comment 25 Hardave Riar (RETIRED) gentoo-dev

2005-01-21 02:38:07 UTC

tetex stable on mips.

Comment 26 Danny van Dyk (RETIRED) gentoo-dev

2005-01-21 12:49:06 UTC

ptex doesn't build for me... :-/

Comment 27 Simon Stelling (RETIRED) gentoo-dev

2005-01-21 13:25:18 UTC

i can't confirm kugelfang's issue, it works fine here so i marked it stable

Comment 28 Lars Weiler (RETIRED) gentoo-dev

2005-01-21 13:42:55 UTC

tetex and ptex stable on ppc.

Comment 29 Thierry Carrez (RETIRED) gentoo-dev

2005-01-21 14:17:14 UTC

We just wait on sparc testing of ptex to issue the GLSA.

Comment 30 Jason Wever (RETIRED) gentoo-dev

2005-01-22 13:15:42 UTC

ptex stable on sparc

Comment 31 Thierry Carrez (RETIRED) gentoo-dev

2005-01-23 04:19:13 UTC

GLSA 200501-31
arm, hppa, ia64, ppc-macos, s390: please mark those stable to benefit from GLSA

Comment 32 René Nussbaumer (RETIRED) gentoo-dev

2005-06-26 05:24:19 UTC

Already stable on hppa