Bug 152868 - xpdf code in pdflatex is exploitable, CAN-2004-1125, CAN-2005-0064, CAN-2004-0888, CVE-2005-3191, CVE-2005-3192, CVE-2005-3193
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: tetex
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://www.ubuntulinux.org/support/do...
Whiteboard: 1, 2, rh73, rh90
Keywords: Security
Reported: 2004-12-08 13:51 EST by David Lawrence
Modified: 2007-04-18 13:22 EDT (History)
Doc Type: Bug Fix
Last Closed: 2006-05-12 20:50:51 EDT

Description David Lawrence 2005-03-30 18:30:17 EST
according to Ubuntu Security Notice USN-9-1, pdflatex has the same vulnerable
code from xpdf that was described in CAN-2004-0888.

i assume the version shipped with rh73 and others is vulnerable?
===
[beej@tenet beej]$ rpm -qf /usr/bin/pdflatex
tetex-latex-1.0.7-47
===



------- Additional Comments From rob.myers@gtri.gatech.edu 2005-01-04 05:17:37 ----

here are updated packages to QA for fc1:
 
- patches from FC-2 fix CAN-2004-0888, CAN-2004-1125
- rpm-build-compare.sh shows lots of differences.  i hope they
  are negligible but someone should look closely at them.
- it seems exceedingly ugly to have the package as a BuildRequire
  of itself.  is there a better way?
 
changelog:
* Tue Jan  4 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.0.2-8.1.legacy
- add patches for CAN-2004-1125 CAN-2004-0888 (FL# 2334)
- added BuildPreReq: libtool, ed, tetex, tetex-latex, tetex-xdvi,
  tetex-dvips, tetex-afm, tetex-fonts
 
this file is available at:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2334.txt.asc
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-2.0.2-8.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-afm-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-debuginfo-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-doc-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-dvips-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-fonts-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-latex-2.0.2-8.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-xdvi-2.0.2-8.1.legacy.i386.rpm
 




------- Additional Comments From rob.myers@gtri.gatech.edu 2005-01-04 05:20:53 ----

of course that changelog should be 4 Jan 2005!



------- Additional Comments From rob.myers@gtri.gatech.edu 2005-01-19 05:42:14 ----

*** Bug 2373 has been marked as a duplicate of this bug. ***



------- Additional Comments From rob.myers@gtri.gatech.edu 2005-01-19 08:27:25 ----

here is an updated package to QA for fc1:
 
- patches from FC-2 fix CAN-2004-0888, CAN-2004-1125, CAN-2005-0064
- rpm-build-compare.sh shows lots of differences.  i hope they
  are negligible but someone should look closely at them.
- it seems exceedingly ugly to have the package as a BuildRequire
  of itself.  is there a better way?
- someone else should look at the rh73/rh90 packages as i do not
  intend to fix them.
 
changelog:
* Wed Jan 19 2005 Rob Myers <rob.myers@gtri.gatech.edu> 2.0.2-8.2.legacy
- add patch for xpdf buffer overflow CAN-2005-0064

* Tue Jan  4 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.0.2-8.1.legacy
- add patches for CAN-2004-1125 CAN-2004-0888 (FL# 2334)
- added BuildPreReq: libtool, ed, tetex, tetex-latex, tetex-xdvi,
  tetex-dvips, tetex-afm, tetex-fonts
 
this file is available at:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2334.txt.asc
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-2.0.2-8.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-afm-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-debuginfo-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-doc-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-dvips-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-fonts-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-latex-2.0.2-8.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/tetex-xdvi-2.0.2-8.2.legacy.i386.rpm
 




------- Additional Comments From michal@harddata.com 2005-02-15 18:37:00 ----

Created an attachment (id=998)
patch to fix security issues in pdftex from teTeX-1.0

This is a patch which carries over relevant parts of xpdf security fixes to
teTeX-1.0 as showing in RH73.  A really ancient xpdf-0.80 is used in guts of
that. Frankly, anybody who cares about that should have updated their teTeX
installation to something more modern a long time ago.  That is likely why
Red Hat never bothered with corresponding updates to teTeX in RHEL 2.1.

Patches for CAN-2004-1125 and CAN-2005-0064 do not apply here at all
as the code in question simply does not exist in any form.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:30 -------

This bug previously known as bug 2334 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2334
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
patch to fix security issues in pdftex from teTeX-1.0
https://bugzilla.fedora.us/attachment.cgi?action=view&id=998

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown operating system Windows XP. Setting to default OS "Linux".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was bugzilla.fedora.us@beej.org.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Donald Maner 2006-03-16 13:06:15 EST
CAN-2004-1125, CAN-2005-0064, CAN-2004-0888, CVE-2005-3191, CVE-2005-3192,
CVE-2005-3193 seem to be the outstanding issues with teTeX.

Rob's packages seem to be no longer available for a PUBLISH vote.

Comment 2 Donald Maner 2006-03-16 13:07:09 EST
Oh, and these apply to fc2 as well.

Comment 3 rob 2006-03-16 15:20:02 EST
files should be available now if it helps.

Comment 4 Donald Maner 2006-03-16 16:35:36 EST
I've already rolled new ones for fc1.  Thanks, though.

I have created packages that address the following issues:

CAN-2004-1125, CAN-2005-0064, CAN-2004-0888, CVE-2005-3191, CVE-2005-3192,
CVE-2005-3193

rh73:
60ee63a23abbfb38dc62c9d3fb917cff762102f5  
http://lance.maner.org/tetex-1.0.7-47.1.legacy.src.rpm

rh9:
1bf76267a9b494f98f84a9c99773aa5354a28efc  
http://lance.maner.org/tetex-1.0.7-66.1.legacy.src.rpm

fc1:
36bb2c55d8b0e729ea98a8040dc6d1a71e38e599  
http://lance.maner.org/tetex-2.0.2-14.3.legacy.src.rpm

fc2:
ddf1616849f63203f4b20735736bdba0d26c0b70  
http://lance.maner.org/tetex-2.0.2-8.1.legacy.src.rpm

Comment 5 Pekka Savola 2006-03-17 05:19:39 EST
Hmm.. you appear to have missed the fact that Red Hat put out an updated tetex
package for RHL73 in 2002.

Patches look mostly good.  However, tetex 1.0.7 patches don't use the same
approach as RHEL21's tetex 1.0.7 patch.  How were the patches derived?

You should probably use a script like the following to ease finding out whether
there has been a security update for an SRPM or not:

https://www.redhat.com/archives/fedora-legacy-list/2005-June/msg00097.html
Comment 6 Donald Maner 2006-03-17 14:41:26 EST
Thanks for the link.

The fact that I don't remember exactly where I pulled them from is a good
indication that I better just pull from RHAS 2.1, which I didn't do.  I probably
backported from RHEL3.  So, let's try 7.3 again, this time based off 1.0.7-47.1
from 7.3 update.

Below is another try with patches taken from RHAS 2.1

rh73:
1762a1c05903c66c5f8884da4a2f8cf97bb75f76
http://lance.maner.org/tetex-1.0.7-47.2.legacy.src.rpm

Comment 7 Pekka Savola 2006-03-18 01:10:32 EST
RHL73 looks good.

I noted that RHL9 tetex is lacking the CESA patch (*xpdf.patch).  Was it dropped
out by accident, or was that intentional?

Sorry for not noticing this earlier.

Comment 8 Donald Maner 2006-03-30 22:53:42 EST
Ok, got a new package made for RH9.  Thanks for noticing that, Pekka, I missed
it too.

Package redone with CESA patch for rh9:

40227c80e65a2b833e05646fe5b803eaa6470870
http://lance.maner.org/tetex-1.0.7-66.1.legacy.src.rpm

Comment 9 Pekka Savola 2006-03-31 00:44:51 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come or be derived from upstream

Comment: it would have been good to bump the RHL9 tetex version number so
that the wrong package (with the same name) won't get built in
updates-testing by accident.

+PUBLISH RHL73, RHL9, FC1, FC2

1762a1c05903c66c5f8884da4a2f8cf97bb75f76  tetex-1.0.7-47.2.legacy.src.rpm
40227c80e65a2b833e05646fe5b803eaa6470870  tetex-1.0.7-66.1.legacy.src.rpm.1
36bb2c55d8b0e729ea98a8040dc6d1a71e38e599  tetex-2.0.2-14.3.legacy.src.rpm
ddf1616849f63203f4b20735736bdba0d26c0b70  tetex-2.0.2-8.1.legacy.src.rpm
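
The version-bump concern raised in comment 9 can be checked mechanically. The following is an added example, not part of the thread or of Fedora Legacy's tooling: it parses the checksum announcements excerpted from comments 4, 6 and 8 and reports any package file name published with more than one SHA-1, then classifies a locally computed digest against that history. All function names are hypothetical.

```python
import hashlib
import re
from collections import defaultdict

# Checksum announcements excerpted from comments 4, 6 and 8 of this thread.
ANNOUNCEMENTS = {
    "comment 4": """rh73:
60ee63a23abbfb38dc62c9d3fb917cff762102f5
http://lance.maner.org/tetex-1.0.7-47.1.legacy.src.rpm
rh9:
1bf76267a9b494f98f84a9c99773aa5354a28efc
http://lance.maner.org/tetex-1.0.7-66.1.legacy.src.rpm""",
    "comment 6": """rh73:
1762a1c05903c66c5f8884da4a2f8cf97bb75f76
http://lance.maner.org/tetex-1.0.7-47.2.legacy.src.rpm""",
    "comment 8": """40227c80e65a2b833e05646fe5b803eaa6470870
http://lance.maner.org/tetex-1.0.7-66.1.legacy.src.rpm""",
}

PAIR = re.compile(r"\b([0-9a-f]{40})\s+(\S+?\.rpm)\b")  # sha1, then name or URL

def digest_history(announcements):
    """Map package file name -> [(source, sha1), ...] in announcement order."""
    history = defaultdict(list)
    for source, text in announcements.items():
        for digest, ref in PAIR.findall(text):
            name = ref.rsplit("/", 1)[-1]
            if digest not in (d for _, d in history[name]):
                history[name].append((source, digest))
    return dict(history)

def reused_names(announcements):
    """File names published with more than one digest (release not bumped)."""
    return {n: h for n, h in digest_history(announcements).items() if len(h) > 1}

def classify(name, digest, announcements):
    """'current', 'superseded' or 'unknown' for a digest computed locally."""
    digests = [d for _, d in digest_history(announcements).get(name, [])]
    if digest not in digests:
        return "unknown"
    return "current" if digest == digests[-1] else "superseded"

def sha1_file(path):
    """SHA-1 of a downloaded file, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()
```

A builder would pass `sha1_file()` of the fetched SRPM to `classify()`; a result of `superseded` means the file is the earlier build that shares its name with the approved one.
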
Comment 10 David Eisenstein 2006-04-14 07:26:47 EDT
Sorry to butt in at this late hour, but I am wondering, Donald -- did you
perhaps mix up the FC1 and FC2 packages?

From my listings, the latest released FC1 version of tetex is tetex-2.0.2-8,
and the latest released FC2 version of tetex is tetex-2.0.2-14FC2.2, 
but the packages you proposed were tetex-2.0.2-14.3.legacy for FC1 and
tetex-2.0.2-8.1.legacy for FC2 ?

Comment 11 Marc Deslauriers 2006-04-26 20:00:15 EDT
Packages were pushed to updates-testing.

Comment 12 Pekka Savola 2006-05-02 14:39:44 EDT
Timeout 2 weeks from packages being pushed to updates-testing.

Comment 13 Pekka Savola 2006-05-11 01:51:31 EDT
Timeout over.

Comment 14 Marc Deslauriers 2006-05-12 20:50:51 EDT
Packages were released to updates.
