Bug 152868
Summary: | xpdf code in pdflatex is exploitable, CAN-2004-1125, CAN-2005-0064, CAN-2004-0888, CVE-2005-3191, CVE-2005-3192, CVE-2005-3193 | ||
---|---|---|---|
Product: | [Retired] Fedora Legacy | Reporter: | David Lawrence <dkl> |
Component: | tetex | Assignee: | Fedora Legacy Bugs <bugs> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | deisenst, donjr, pekkas, rob.myers |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.ubuntulinux.org/support/documentation/usn/usn-9-1 | ||
Whiteboard: | 1, 2, rh73, rh90 | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-05-13 00:50:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
David Lawrence
2005-03-30 23:30:17 UTC
CAN-2004-1125, CAN-2005-0064, CAN-2004-0888, CVE-2005-3191, CVE-2005-3192, CVE-2005-3193 seem to be the outstanding issues with teTeX. Rob's packages seem to be no longer available for a PUBLISH vote. Oh, and these apply to fc2 as well. files should be available now if it helps. I've already rolled new ones for fc1. Thanks, though. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have created packages that address the following issues: CAN-2004-1125, CAN-2005-0064, CAN-2004-0888, CVE-2005-3191, CVE-2005-3192, CVE-2005-3193 rh73: 60ee63a23abbfb38dc62c9d3fb917cff762102f5 http://lance.maner.org/tetex-1.0.7-47.1.legacy.src.rpm rh9: 1bf76267a9b494f98f84a9c99773aa5354a28efc http://lance.maner.org/tetex-1.0.7-66.1.legacy.src.rpm fc1: 36bb2c55d8b0e729ea98a8040dc6d1a71e38e599 http://lance.maner.org/tetex-2.0.2-14.3.legacy.src.rpm fc2: ddf1616849f63203f4b20735736bdba0d26c0b70 http://lance.maner.org/tetex-2.0.2-8.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEGdtypxMPKJzn2lIRAu3lAJ9Z1UidKD8NvcpLIXE90SJJVqv+1QCeMhWa 3VVJX7Yv5RDAB2N1zykbG4k= =9QWT -----END PGP SIGNATURE----- Hmm.. you appear to have missed the fact that Red Hat put out an updated tetex package for RHL73 in 2002. Patches look mostly good. However, tetex 1.0.7 patches don't use the same approach as RHEL21's tetex 1.0.7 patch. How were the patches derived? You should probably use a script like follows to ease finding out whether there has been a security update for an SRPM or not: https://www.redhat.com/archives/fedora-legacy-list/2005-June/msg00097.html Thanks for the link. The fact that I don't remember exactly where I pulled them from is a good indication that I better just pull from RHAS 2.1, which I didn't do. I probably backported from RHEL3. So, let's try 7.3 again, this time based off 1.0.7-47.1 from 7.3 update. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Below is another try with patches taken from RHAS 2.1 rh73: 1762a1c05903c66c5f8884da4a2f8cf97bb75f76 http://lance.maner.org/tetex-1.0.7-47.2.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEGxIwpxMPKJzn2lIRAl3DAJoCd7ptu4ONafJl1nSNViIWBLsfHwCfebvp EgpMaxjgEjEWIUBLtfHm7I4= =S4kJ -----END PGP SIGNATURE----- RHL73 looks good. I noted that RHL9 tetex is lacking the CESA patch (*xpdf.patch). Was it dropped out by accident, or was that intentional? Sorry for not noticing this earlier. Ok, got a new package made for RH9. Thanks for noticing that, Pekka, I missed it too. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Package redone with CESA patch for rh9: 40227c80e65a2b833e05646fe5b803eaa6470870 http://lance.maner.org/tetex-1.0.7-66.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFELKkZpxMPKJzn2lIRAoDNAJsH4OLQmPBsrFHQUNxr16bpk8uJgwCeJn1M GTIToFzb4KIzXcpIdJbPYQo= =N2Ak -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity good - spec file changes minimal - patches verified to come or be derived from upstream Comment: it would have been good to bump the RHL9 tetex version number so that the wrong package (with the same name) won't get build in updates-testing by accident. +PUBLISH RHL73, RHL9, FC1, FC2 1762a1c05903c66c5f8884da4a2f8cf97bb75f76 tetex-1.0.7-47.2.legacy.src.rpm 40227c80e65a2b833e05646fe5b803eaa6470870 tetex-1.0.7-66.1.legacy.src.rpm.1 36bb2c55d8b0e729ea98a8040dc6d1a71e38e599 tetex-2.0.2-14.3.legacy.src.rpm ddf1616849f63203f4b20735736bdba0d26c0b70 tetex-2.0.2-8.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFELMMrGHbTkzxSL7QRAhq1AKCyfyCJ7vFHm3cLPkC1Rk+vDPtMvwCfZsdQ d+6a0RxVg9+GtGmOJe0suOU= =kjg0 -----END PGP SIGNATURE----- Sorry to butt in at this late hour, but I am wondering, Donald -- did you perhaps mix up the FC1 and FC2 packages? From my listings, the latest released FC1 version of tetex is tetex-2.0.2-8, and the latest released FC2 version of tetex is tetex-2.0.2-14FC2.2, but the packages you proposed were tetex-2.0.2-14.3.legacy for FC1 and tetex-2.0.2-8.1.legacy for FC2 ? Packages were pushed to updates-testing Timeout 2 weeks from packages being pushed to updates-testing. Timeout over. Packages were released to updates. |