Bug 115789 - app-text/pdftohtml: vulnerable version of xpdf included
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2? [glsa] jaervosz
Reported: 2005-12-16 12:10 UTC by Thierry Carrez (RETIRED)
Modified: 2006-01-30 14:39 UTC
Description Thierry Carrez (RETIRED) gentoo-dev 2005-12-16 12:10:43 UTC
pdftohtml is vulnerable to issues described in bug 114428
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-12-17 02:47:37 UTC
Given the risk of this specific exploitation path, I'd wait for more to come before releasing GLSA.
Comment 2 Florian Steinel 2005-12-18 07:14:24 UTC
How about using poppler as the backend for pdftohtml?
See Bug #115863 for more.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-12-23 02:40:56 UTC
Not sure it would help using poppler, since it's also xpdf-codebased AFAICT. What would help would be to RDEPEND on xpdf or poppler so that fixing them would also fix pdftohtml...
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-03 07:45:12 UTC
Back to ebuild, see bug #117481 for details.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-16 14:07:49 UTC
Robbat2 any news on this one?
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-16 14:25:52 UTC
[23:24:56] <genstef> jaervosz: for pdftohtml, we still need to fix poppler so it can take over all the functionality
Comment 7 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-01-19 12:26:25 UTC
What is missing on poppler?  I've added the pdf2xml.dtd.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-01-19 12:34:18 UTC
dang: the DTD should be it.
Now we just need a good way to migrate existing pdftohtml users to poppler.
Comment 9 Daniel Gryniewicz (RETIRED) gentoo-dev 2006-01-20 09:32:50 UTC
Yep.

For the record, poppler-0.5.0 (just released) has the utilities in it already, so upstream is with the program.  I'm going to push the dtd patch to them.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-01-20 09:41:00 UTC
(In reply to comment #8)
> now we just need a good way to migrate existing pdftohtml users to poppler.

Unless there is a smarter portage-way for this, we could package.mask pdftohtml as affected and say in the GLSA that users should migrate to poppler?

Let us know when a poppler replacement candidate is in portage.
Comment 11 Stefan Schweizer (RETIRED) gentoo-dev 2006-01-20 13:02:56 UTC
poppler can already replace pdftohtml, we just need to manage the conversion for users now.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-25 22:44:41 UTC
Stefan, what needs to be done to get this one out?
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-01-25 23:13:11 UTC
pdftohtml is now in p.mask, and will be removed early next week (keeping it around for a few days in case problems crop up).

I've changed all deps in the tree (sys-cluster/charm and app-zope/portaltransforms for those keeping track) to point to poppler instead.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-30 14:39:34 UTC
GLSA 200601-17