Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 78128 - app-text/gpdf includes vulnerable xpdf again
Summary: app-text/gpdf includes vulnerable xpdf again
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa] koon
Depends on:
Reported: 2005-01-15 12:40 UTC by Thierry Carrez (RETIRED)
Modified: 2006-03-23 19:29 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

xpdf-CAN-2005-0064.patch (CAN-2005-0064.patch,773 bytes, patch)
2005-01-15 12:41 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff
diff between gpdf 2.8.1-r1 and 2.8.2 (2.8.1-r1_2.8.2.diff,656 bytes, patch)
2005-01-15 12:58 UTC, Joe McCann (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 12:40:21 UTC
A new Xpdf vulnerability will be disclosed on January 18. This will impact (again) GPdf. This is confidential, so we can't commit the fix to Portage until disclosure date. Please prepare an ebuild and if ready attach it to this bug so that we can call arch pre-testing.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 12:41:25 UTC
Created attachment 48572 [details, diff]

Patch from RedHat. An official Xpdf patch will be available on Jan 18, but if
we can be ready before that, all the better.
Comment 2 Joe McCann (RETIRED) gentoo-dev 2005-01-15 12:58:11 UTC
Created attachment 48575 [details, diff]
diff between gpdf 2.8.1-r1 and 2.8.2

Gpdf also needs a bump to version 2.8.2 which includes the last security patch.
This is the diff between the 2.8.2 ebuild and 2.8.1-r1. I might not be
available very often this week, so somebody else may need to add it. Changed
the patched file location to xpdf/ so we can apply it from ${S}
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 13:22:39 UTC
Thanks joem. I suppose you keyworded it x86 because you tested it with success on that platform.

obz: please test and report success on ppc
kloeri: please test and report success on alpha
absinthe: please test and report success on amd64
gustavoz: please test and report success on sparc
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-17 05:38:24 UTC
sparc is happy, though the patch is still wrong (outside ${S}/xpdf), forgot to upload the corrected one?
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-17 13:35:53 UTC
Alpha works.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 03:23:10 UTC
This should go public sometime today. Still missing amd64/ppc testing, adding kugelfang and SeJo to help.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 06:50:09 UTC
OK apparently this patch is not sufficient. We'll just wait for the upstream official patch... sorry for wasting your time, folks.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-01-19 00:34:58 UTC
Gnome team, please adapt gpdf-2.8.2 so that it makes use of official and public xpdf-3.00pl3.patch from bug 77888.
Comment 9 Mike Gardiner (RETIRED) gentoo-dev 2005-01-20 01:05:56 UTC
Added an updated 2.8.2, marked stable on x86 and ppc.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-20 06:56:19 UTC
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-20 10:15:28 UTC
Alpha stable.
Comment 12 Hardave Riar (RETIRED) gentoo-dev 2005-01-21 03:23:38 UTC
Stable on mips.
Comment 13 Danny van Dyk (RETIRED) gentoo-dev 2005-01-21 12:32:11 UTC
Stable on amd64.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-01-21 12:46:50 UTC
GLSA 200501-28
hppa, ia64 please mark stable to benefit from GLSA
Comment 15 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:41:20 UTC
Already stable on hppa