according to Ubuntu Security Notice USN-9-1, pdflatex has the same vulnerable code from xpdf that was described in CAN-2004-0888. i assume the version shipped with rh73 and others is vulnerable?

===
[beej@tenet beej]$ rpm -qf /usr/bin/pdflatex
tetex-latex-1.0.7-47
===

------- Additional Comments From rob.myers.edu 2005-01-04 05:17:37 ----

here are updated packages to QA for fc1:

- patches from FC-2 fix CAN-2004-0888, CAN-2004-1125
- rpm-build-compare.sh shows lots of differences. i hope they are negligible but someone should look closely at them.
- it seems exceedingly ugly to have the package as a BuildRequire of itself. is there a better way?

changelog:
* Tue Jan 4 2004 Rob Myers <rob.myers.edu> 2.0.2-8.1.legacy
- add patches for CAN-2004-1125 CAN-2004-0888 (FL# 2334)
- added BuildPreReq: libtool, ed, tetex, tetex-latex, tetex-xdvi, tetex-dvips, tetex-afm, tetex-fonts

this file is available at:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2334.txt.asc

files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-2.0.2-8.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-afm-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-debuginfo-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-doc-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-dvips-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-fonts-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-latex-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-xdvi-2.0.2-8.1.legacy.i386.rpm

sha1sums:

------- Additional Comments From rob.myers.edu 2005-01-04 05:20:53 ----

of course that changelog should be 4 Jan 2005!

------- Additional Comments From rob.myers.edu 2005-01-19 05:42:14 ----

*** Bug 2373 has been marked as a duplicate of this bug. ***

------- Additional Comments From rob.myers.edu 2005-01-19 08:27:25 ----

here is an updated package to QA for fc1:

- patches from FC-2 fix CAN-2004-0888, CAN-2004-1125, CAN-2005-0064
- rpm-build-compare.sh shows lots of differences. i hope they are negligible but someone should look closely at them.
- it seems exceedingly ugly to have the package as a BuildRequire of itself. is there a better way?
- someone else should look at the rh73/rh90 packages as i do not intend to fix them.

changelog:
* Wed Jan 19 2005 Rob Myers <rob.myers.edu> 2.0.2-8.2.legacy
- add patch for xpdf buffer overflow CAN-2005-0064
* Tue Jan 4 2004 Rob Myers <rob.myers.edu> 2.0.2-8.1.legacy
- add patches for CAN-2004-1125 CAN-2004-0888 (FL# 2334)
- added BuildPreReq: libtool, ed, tetex, tetex-latex, tetex-xdvi, tetex-dvips, tetex-afm, tetex-fonts

this file is available at:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2334.txt.asc

files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-2.0.2-8.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-afm-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-debuginfo-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-doc-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-dvips-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-fonts-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-latex-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-xdvi-2.0.2-8.2.legacy.i386.rpm

sha1sums:

------- Additional Comments From michal 2005-02-15 18:37:00 ----

Created an attachment (id=998)
patch to fix security issues in pdftex from teTeX-1.0

This is a patch which carries over relevant parts of xpdf security fixes to teTeX-1.0 as showing in RH73. A really ancient xpdf-0.80 is used in guts of that. Frankly, anybody who cares about that should have updated their teTeX installation to something more modern a long time ago. That is likely why Red Hat never bothered with corresponding updates to teTeX in RHEL 2.1.

Patches for CAN-2004-1125 and CAN-2005-0064 do not apply here at all as the code in question simply does not exist in any form.

------- Bug moved to this database by dkl 2005-03-30 18:30 -------

This bug previously known as bug 2334 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2334
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch to fix security issues in pdftex from teTeX-1.0
https://bugzilla.fedora.us/attachment.cgi?action=view&id=998

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown operating system Windows XP. Setting to default OS "Linux".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl. Previous reporter was bugzilla.fedora.us.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
CAN-2004-1125, CAN-2005-0064, CAN-2004-0888, CVE-2005-3191, CVE-2005-3192, CVE-2005-3193 seem to be the outstanding issues with teTeX. Rob's packages seem to be no longer available for a PUBLISH vote.
Oh, and these apply to fc2 as well.
files should be available now if it helps.
I've already rolled new ones for fc1. Thanks, though.

I have created packages that address the following issues: CAN-2004-1125, CAN-2005-0064, CAN-2004-0888, CVE-2005-3191, CVE-2005-3192, CVE-2005-3193

rh73:
60ee63a23abbfb38dc62c9d3fb917cff762102f5 http://lance.maner.org/tetex-1.0.7-47.1.legacy.src.rpm

rh9:
1bf76267a9b494f98f84a9c99773aa5354a28efc http://lance.maner.org/tetex-1.0.7-66.1.legacy.src.rpm

fc1:
36bb2c55d8b0e729ea98a8040dc6d1a71e38e599 http://lance.maner.org/tetex-2.0.2-14.3.legacy.src.rpm

fc2:
ddf1616849f63203f4b20735736bdba0d26c0b70 http://lance.maner.org/tetex-2.0.2-8.1.legacy.src.rpm
Hmm.. you appear to have missed the fact that Red Hat put out an updated tetex package for RHL73 in 2002. Patches look mostly good. However, tetex 1.0.7 patches don't use the same approach as RHEL21's tetex 1.0.7 patch. How were the patches derived? You should probably use a script like the following to ease finding out whether there has been a security update for an SRPM or not: https://www.redhat.com/archives/fedora-legacy-list/2005-June/msg00097.html
Thanks for the link. The fact that I don't remember exactly where I pulled them from is a good indication that I better just pull from RHAS 2.1, which I didn't do. I probably backported from RHEL3. So, let's try 7.3 again, this time based off 1.0.7-47.1 from 7.3 update.

Below is another try with patches taken from RHAS 2.1

rh73:
1762a1c05903c66c5f8884da4a2f8cf97bb75f76 http://lance.maner.org/tetex-1.0.7-47.2.legacy.src.rpm
RHL73 looks good. I noted that RHL9 tetex is lacking the CESA patch (*xpdf.patch). Was it dropped out by accident, or was that intentional? Sorry for not noticing this earlier.
Ok, got a new package made for RH9. Thanks for noticing that, Pekka, I missed it too.

Package redone with CESA patch for rh9:
40227c80e65a2b833e05646fe5b803eaa6470870 http://lance.maner.org/tetex-1.0.7-66.1.legacy.src.rpm
QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches verified to come or be derived from upstream

Comment: it would have been good to bump the RHL9 tetex version number so that the wrong package (with the same name) won't get built in updates-testing by accident.

+PUBLISH RHL73, RHL9, FC1, FC2

1762a1c05903c66c5f8884da4a2f8cf97bb75f76 tetex-1.0.7-47.2.legacy.src.rpm
40227c80e65a2b833e05646fe5b803eaa6470870 tetex-1.0.7-66.1.legacy.src.rpm.1
36bb2c55d8b0e729ea98a8040dc6d1a71e38e599 tetex-2.0.2-14.3.legacy.src.rpm
ddf1616849f63203f4b20735736bdba0d26c0b70 tetex-2.0.2-8.1.legacy.src.rpm
Sorry to butt in at this late hour, but I am wondering, Donald -- did you perhaps mix up the FC1 and FC2 packages? From my listings, the latest released FC1 version of tetex is tetex-2.0.2-8, and the latest released FC2 version of tetex is tetex-2.0.2-14FC2.2, but the packages you proposed were tetex-2.0.2-14.3.legacy for FC1 and tetex-2.0.2-8.1.legacy for FC2 ?
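The two QA hazards raised in the last comments (a package re-posted under an unchanged name with a different sha1, and a proposed release that sorts below the distro's last released build) can be checked mechanically. The following is an added example, not code from this thread or from Fedora Legacy's tooling; it models rpm's rpmvercmp() ordering in plain Python and runs it over the version/hash pairs quoted in the thread. The RHL9 released baseline 1.0.7-66 is an assumption; the other baselines and hashes are the ones posted above.

```python
import re

# Digit runs and letter runs are the units rpmvercmp() compares.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings the way rpm's rpmvercmp() does:
    split into digit/letter runs; digits compare numerically, letters lexically,
    a digit run beats a letter run, and the string with runs left over wins.
    Returns -1, 0 or 1.  (The tilde/caret rules of newer rpm are not modelled.)"""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd and int(x) != int(y):
            return 1 if int(x) > int(y) else -1
        if xd != yd:
            return 1 if xd else -1
        if not xd and x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evrcmp(vr_a: str, vr_b: str) -> int:
    """Compare 'version-release' strings: version first, then release (epoch 0)."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def review(distro, released_vr, proposed):
    """QA findings for one distro: each proposed build must sort above the last
    released one, and a re-posted build must not reuse a name with a new hash."""
    findings, seen = [], {}
    for vr, sha1 in proposed:
        if evrcmp(vr, released_vr) <= 0:
            findings.append(f"{distro}: {vr} does not upgrade released {released_vr}")
        if vr in seen and seen[vr] != sha1:
            findings.append(f"{distro}: {vr} reposted with a different sha1; bump the release")
        seen[vr] = sha1
    return findings

# Constructed from the thread: released baselines per Pekka's listing (the rh9
# baseline is an assumption), proposed src.rpm builds in posting order.
THREAD = {
    "fc1": ("2.0.2-8", [("2.0.2-14.3.legacy", "36bb2c55d8b0e729ea98a8040dc6d1a71e38e599")]),
    "fc2": ("2.0.2-14FC2.2", [("2.0.2-8.1.legacy", "ddf1616849f63203f4b20735736bdba0d26c0b70")]),
    "rh9": ("1.0.7-66", [("1.0.7-66.1.legacy", "1bf76267a9b494f98f84a9c99773aa5354a28efc"),
                         ("1.0.7-66.1.legacy", "40227c80e65a2b833e05646fe5b803eaa6470870")]),
}

def run_thread_checks():
    return [f for d, (rel, prop) in THREAD.items() for f in review(d, rel, prop)]

if __name__ == "__main__":
    print("\n".join(run_thread_checks()) or "no findings")
```

Run as a script it reports the FC2 package as not upgrading 2.0.2-14FC2.2 and the RHL9 repost as a reused name with a new hash, which are exactly the two points raised above.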
Packages were pushed to updates-testing
Timeout 2 weeks from packages being pushed to updates-testing.
Timeout over.
Packages were released to updates.