[Bug 240180] New: tetex(xpdf denial of service vulnerability)
https://bugzilla.novell.com/show_bug.cgi?id=240180

           Summary: tetex(xpdf denial of service vulnerability)
           Product: openSUSE 10.2
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: takezou040728@yahoo.co.jp
         QAContact: qa@suse.de

I think that there is a vulnerability that originates in the source code of xpdf in tetex.
# Factory has not fixed it yet. (tetex-3.0-62.nosrc.rpm)

References:
CVE-2007-0104

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=240180

mhorvath@novell.com changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |werner@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=240180

werner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |takezou040728@yahoo.co.jp

------- Comment #1 from werner@novell.com  2007-01-31 10:35 MST -------
Tell me _how_ the programs of tetex can be crashed with a pdf file? AFAIK the programs of tetex only produce pdf files with the help of the xpdf library, they never read a pdf file and therefore can not be crashed or run into a denial of service attack.

https://bugzilla.novell.com/show_bug.cgi?id=240180

------- Comment #2 from takezou040728@yahoo.co.jp  2007-02-01 03:33 MST -------
I confirmed there was a vulnerability in the source code of the tetex package (tetex-3.0-62.nosrc.rpm). There might be a case to do core dump if an illegal pdf file is inserted in the tex file with a tool of latex (pdflatex).
# Please give time to me for a while. (I also verify it.)

https://bugzilla.novell.com/show_bug.cgi?id=240180

------- Comment #3 from werner@novell.com  2007-02-01 03:41 MST -------
AFAIK any included pdf code is never read by pdflatex, isn't it? Only acroread, xpdf, ghostscript will read and expand such code.

https://bugzilla.novell.com/show_bug.cgi?id=240180

------- Comment #4 from werner@novell.com  2007-02-02 04:21 MST -------
ping ... any news?

https://bugzilla.novell.com/show_bug.cgi?id=240180

------- Comment #5 from takezou040728@yahoo.co.jp  2007-02-04 20:53 MST -------
In another distro (Vine Linux), an update package (Security) was released.
# for tetex-src-3.0.tar.bz2 (tetex-src-3.0/libs/xpdf)
http://vinelinux.org/errata/4x/20070201-4.html (in Japanese)

https://bugzilla.novell.com/show_bug.cgi?id=240180

------- Comment #6 from werner@novell.com  2007-02-05 02:45 MST -------
This was _not_ the question, security releases due to marketing effects may be nice but I do not have the time to do such things. The question is: does such a security release make sense at all for a package only writing out pdf files.

https://bugzilla.novell.com/show_bug.cgi?id=240180

werner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
      Info Provider|takezou040728@yahoo.co.jp   |
         Resolution|                            |WORKSFORME

------- Comment #7 from werner@novell.com  2007-04-25 08:22 MST -------
See bugzilla #178727, the TeXLive collection I use is patched to be able to link with external libpoppler. With this a security update of the libpoppler provides the fixes also to TeXLive.