From: Michal H. <ms...@gm...> - 2008-04-18 12:51:01

On Fri, Apr 18, 2008 at 02:25:03PM +0200, Martin Petricek wrote:
> This is weird.
>
> Debian security says:
>
> CVE-2008-1693
>
> Xpdf's handling of embedded fonts lacks sufficient validation
> and type checking. If a maliciously-crafted PDF file is opened,
> the vulnerability may allow the execution of arbitrary code with
> the privileges of the user running xpdf.
>
> For the stable distribution (etch), these problems have been fixed in
> version 3.01-9.1+etch3.
>
> For the unstable distribution (sid), these problems were fixed in
> version 3.02-1.2.
>
> But if I look at the Debian changelog, there is no mention of the fix:
> http://packages.debian.org/changelogs/pool/main/x/xpdf/xpdf_3.02-1.3/changelog
>
> Well, I poked into
> ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/xpdf-3.00-16.el4.src.rpm
> which is mentioned in the Redhat security update. And I found the file
> xpdf-3-CVE-2008-1693.diff in the RPM. I am attaching it, but when I
> examined the source, it seems xpdf 3.02 already contains this fix. Maybe
> it is a vulnerability only in older XPDF code (probably 3.01)?
>
> I guess this one will end up as a no-op, as it probably applies only to
> older XPDF code.

Thanks Martin. You are right. We already have this fix. I had just seen the
security advisory from Redhat (from yesterday) and the CVE entry is not
public, so I thought that it was a new xpdf bug. This email was intended to
keep this issue on my radar.

Nevertheless, it is rather weird, because the Redhat guys are among the most
active in keeping the xpdf code alive and provide many security bug fixes.
This patch is already incorporated in the xpdf-3.02 tarball!

>
> Martin Petricek
>
> Michal Hocko wrote:
>> Redhat has announced security fixes for xpdf (with Important severity).
>> Unfortunately, patches are not publicly available at the moment and the CVE
>> entry is locked.
>> We have to wait for a few days, so this is here as a reminder, to not forget
>> about it.

--
Michal Hocko