Bug 69043 - media-libs/pdflib contains vulnerable libtiff
Summary: media-libs/pdflib contains vulnerable libtiff
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa] koon
Reported: 2004-10-26 10:48 UTC by Thierry Carrez (RETIRED)
Modified: 2004-12-05 08:37 UTC
Description Thierry Carrez (RETIRED) gentoo-dev 2004-10-26 10:48:21 UTC
pdflib contains an embedded libtiff, and unfortunately a rather heavily adjusted one. So, large parts of the classic tiff patches do not apply.

Note that this package has no official maintainer.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-10-26 11:03:53 UTC
Sent mail upstream asking for patches
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 06:28:25 UTC
Upstream answer : 

"[...] we are working on these TIFFlib-related issues [...], and will
shortly make available patches and/or recommendations for

Note that we generally release patches or bug fixes only for
the latest maintenance release of a particular major version,
i.e. the recommendation will apply to PDFlib Lite 5.0.4. While
modified patches may work for older maintenance releases such as
5.0.2, we only support the latest maintenance release of a series.

Of course, a solution will also be provided for version 6 (both
PDFlib Lite and commercial products based on PDFlib)."
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-11-15 06:18:12 UTC
Upstream update on November 10 :

"PDFlib Lite 5 source code: a patchlevel release 5.0.4p1 will be available
on our Web site ca. next week."
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-11-17 07:18:43 UTC
New upstream version available :

you can find an updated Unix source package for PDFlib Lite 5.0.4p1 at

The Changelog entries can be found at

As announced earlier, the libtiff vulnerability patches will also
be contained in our forthcoming 6.0.1 release, which is expected to
be available for download at the end of November.

This is semi-public now, since it appears in PDFLib Changelog, but isn't fixed yet in their 6.x versions.

We must find someone to bump to 5.0.4_p1... Package has no clear maintainer.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-11-23 07:35:15 UTC
I think we should bump pdflib to 5.0.4_p1 ASAP and wait for pdflib 6 to be out (end of November) to issue our GLSA.

Tested simple bump (with "s/_p1/p1" in PV) and it looks ok (it builds and installs). solar: could you do the bump?

To test, the following packages depend on PDFLIB (if pdflib use flag set):

Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-11-29 08:58:32 UTC
ChrisWhite agreed to bump this.
Comment 7 Chris White (RETIRED) gentoo-dev 2004-11-29 21:32:12 UTC
In portage, tested with xml2doc on the example xmls with:

xml2doc -oP foo.xml foo.pdf

and viewing them in xpdf.  The only thing that doesn't work is the list tag, because the latest pdflib doesn't have it implemented, but that's more in the sense of parsing; core functionality is ok.  So then x86 stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-11-30 01:19:30 UTC
6.0.0p1 is NOT fixed (released July, 2004)

Currently only 5.0.4p1 is fixed. So now the upgrade path is much more complex... We can remove 6.0.0p1 very quickly, hope almost nobody got it, and propose an upgrade path to 5.0.4p1 (unlikely) or just wait for 6.0.1 PDFLite to be available and have everyone migrate to that version.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-11-30 12:01:58 UTC
Source accessible through :

File in question being :

Note that 6.0.1 was just issued and is fixed as well.
There is no reason for this bug to be kept confidential anymore since PDFlib just released their commercial fix. Opening.
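An added example, not part of this bug report and not code from the media-libs/pdflib ebuild: a small POSIX sh script that combines the "s/_p1/p1" PV-to-tarball mapping from comment 5 with the version check that the upgrade path in comments 8 and 9 implies. The fixed/vulnerable ranges encoded here are one reading of those comments (5.0.4_p1 fixed, 6.0.0_p1 not, 6.0.1 fixed), not the ranges printed in GLSA 200412-02, and all function names are made up for illustration.

```shell
#!/bin/sh
# Added example for bug 69043; not from the bug report or the pdflib ebuild.
# ASSUMPTION: vulnerable = anything below 5.0.4_p1, or any 6.0.0* release;
# fixed = 5.0.4_p1 (5.x series) and 6.0.1 or later. This is a reading of
# comments 8 and 9 above, not the official GLSA ranges.

# Gentoo PV -> upstream version string, e.g. 5.0.4_p1 -> 5.0.4p1.
# In an ebuild this is the "s/_p1/p1" step: MY_PV used to build SRC_URI.
upstream_version() {
    case $1 in
        *_p*) printf '%sp%s\n' "${1%%_p*}" "${1##*_p}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Normalise "MAJOR.MINOR.MICRO[_pPATCH]" to four integers ("5 0 4 1"),
# so that 5.0.4 sorts below 5.0.4_p1 and missing components count as 0.
version_key() {
    patch=0
    case $1 in
        *_p*) patch=${1##*_p}; set -- "${1%%_p*}" ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$patch"
}

# Succeed (exit 0) when version $1 >= version $2, component by component.
version_ge() {
    set -- $(version_key "$1") $(version_key "$2")
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        l=${pair%%:*}
        r=${pair##*:}
        [ "$l" -gt "$r" ] && return 0
        [ "$l" -lt "$r" ] && return 1
    done
    return 0
}

# Succeed when an installed media-libs/pdflib version carries the libtiff fix.
# The 6.0.0 series sorts above the fixed 5.0.4_p1 but is still vulnerable,
# so a plain ">= 5.0.4_p1" test would give the wrong answer for 6.0.0_p1.
pdflib_fixed() {
    if version_ge "$1" 6; then
        version_ge "$1" 6.0.1
    else
        version_ge "$1" 5.0.4_p1
    fi
}

# One-line verdict for a version, e.g. "6.0.0_p1: VULNERABLE".
pdflib_status() {
    if pdflib_fixed "$1"; then
        printf '%s: fixed\n' "$1"
    else
        printf '%s: VULNERABLE\n' "$1"
    fi
}

# Constructed sample: the versions mentioned in this bug.
for v in 5.0.2 5.0.4 5.0.4_p1 6.0.0_p1 6.0.1; do
    pdflib_status "$v"
done
```

Feeding it the versions from this thread prints 5.0.4_p1 and 6.0.1 as fixed and the rest, including 6.0.0_p1, as VULNERABLE, which is the non-linear upgrade path comment 8 describes.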
Comment 10 Chris White (RETIRED) gentoo-dev 2004-11-30 14:46:08 UTC
Ok, so bumped to 5.0.4p1 and I'll deal with 6.0.1 later on.  This time re-did all the tests and re-compiled everything that pdflib depended on to ensure nothing broke.  Nothing broke, x86 stable, I leave this to you.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-12-01 01:01:13 UTC
Arches, please test and mark stable
Target KEYWORDS="x86 ppc sparc ~mips alpha arm hppa amd64 ia64 ppc64 s390"
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2004-12-01 03:10:43 UTC
Tested and marked stable on ppc.
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-01 05:05:30 UTC
sparc stable.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2004-12-01 12:20:06 UTC
stable on ppc64
Comment 15 Mike Doty (RETIRED) gentoo-dev 2004-12-02 22:21:33 UTC
stable on amd64
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-12-03 08:31:15 UTC
alpha, we're waiting on you
Comment 17 SpanKY gentoo-dev 2004-12-05 01:13:38 UTC
arm/hppa/ia64/s390 stable
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-05 03:26:23 UTC
Finally stable on alpha - sorry about the delay.
Comment 19 Luke Macken (RETIRED) gentoo-dev 2004-12-05 08:37:33 UTC
GLSA 200412-02