Package: tetex-bin
Version: 2.0.2-27
Severity: grave
Tags: security patch
Justification: user security hole
Dear TeX maintainers,

the patch you used to fix CAN-2005-0064 in -26 seems to have been derived from xpdf 3.00-12, which unfortunately was missing a portion of the security fix (the one that is referenced as xpdf 3.00pl3 at the xpdf website; this has been fixed in xpdf 3.00-13). Attached patch provides the necessary fix for the tetex-bin package.

Cheers,
Moritz

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages tetex-bin depends on:
ii debconf 1.4.47 Debian configuration management sy
ii debianutils 2.13.2 Miscellaneous utilities specific t
ii dpkg 1.10.27 Package maintenance system for Deb
ii ed 0.2-20 The classic unix line editor
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libgcc1 1:4.0-0pre2 GCC support library
ii libice6 4.3.0.dfsg.1-12.0.1 Inter-Client Exchange library
ii libkpathsea3 2.0.2-27 path search library for teTeX (run
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libsm6 4.3.0.dfsg.1-12.0.1 X Window System Session Management
ii libstdc++5 1:3.3.5-12 The GNU Standard C++ Library v3
ii libt1-5 5.0.2-3 Type 1 font rasterizer library - r
ii libwww0 5.4.0-9 The W3C WWW library
ii libx11-6 4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii libxaw7 4.3.0.dfsg.1-12.0.1 X Athena widget set library
ii libxext6 4.3.0.dfsg.1-12.0.1 X Window System miscellaneous exte
ii libxmu6 4.3.0.dfsg.1-12.0.1 X Window System miscellaneous util
ii libxt6 4.3.0.dfsg.1-12.0.1 X Toolkit Intrinsics
ii mime-support 3.31-1 MIME files 'mime.types' & 'mailcap
ii perl 5.8.4-8 Larry Wall's Practical Extraction
ii sed 4.1.4-2 The GNU sed stream editor
ii tetex-base 2.0.2c-7 Basic library files of teTeX
ii ucf 1.17 Update Configuration File: preserv
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime

-- debconf information excluded
diff -Naur tetex-bin-2.0.2.orig/libs/xpdf/xpdf/XRef.cc tetex-bin-2.0.2/libs/xpdf/xpdf/XRef.cc --- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/XRef.cc 2002-11-03 23:15:37.000000000 +0100 +++ tetex-bin-2.0.2/libs/xpdf/xpdf/XRef.cc 2005-04-05 21:46:31.000000000 +0200 @@ -481,6 +481,9 @@ } else { keyLength = 5; } + if (keyLength > 16) { + keyLength = 16; + } permFlags = permissions.getInt(); if (encVersion >= 1 && encVersion <= 2 && encRevision >= 2 && encRevision <= 3) {
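Review bot: the clamp `if (keyLength > 16) { keyLength = 16; }` silently accepts a document whose declared key length is out of range and goes on to decrypt it with a truncated key, rather than treating the document as malformed. An encryption dictionary asking for more than 16 key bytes is never valid for the encVersion/encRevision combinations checked on the very next line, so the safer shape is to fail the same way the surrounding code fails for an unsupported encVersion/encRevision instead of continuing with a different key size than the file asked for. Two smaller points: the literal 16 should be tied to the size of the key buffer it is protecting (a named constant, or at least a comment saying which buffer bounds it) so the two cannot drift apart, and the hunk only bounds the upper end, so if the branch above it (not shown in this hunk) takes keyLength from a file-supplied /Length value, a zero or negative value would still pass through unchecked and deserves the same rejection.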