Secure testing team - Jan 2006 - r3297 - data/CVE

Author: jmm-guest
Date: 2006-01-15 12:03:20 +0000 (Sun, 15 Jan 2006)
New Revision: 3297

Modified:
   data/CVE/list
Log:
new kernel issue
add tetex as not-affected


Modified: data/CVE/list
==================================================================---
data/CVE/list	2006-01-14 17:00:45 UTC (rev 3296)
+++ data/CVE/list	2006-01-15 12:03:20 UTC (rev 3297)
@@ -2826,6 +2826,7 @@
 CVE-2005-3627 (Stream.cc in Xpdf, as used in products such as gpdf, kpdf,
pdftohtml, ...)
 	{DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1}
 	- poppler 0.4.4-1 (bug #346076)
+	- tetex <not-affected> (Links dynamically to poppler)
 	- kdegraphics 3.5.0-3
 	- gpdf <unfixed>
 	- xpdf 3.01-4
@@ -2842,6 +2843,7 @@
 CVE-2005-3625 (Xpdf, as used in products such as gpdf, kpdf, pdftohtml,
poppler, ...)
 	{DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1}
 	- poppler 0.4.4-1 (bug #346076)
+	- tetex <not-affected> (Links dynamically to poppler)
 	- kdegraphics 3.5.0-3
 	- xpdf 3.01-4
 	- gpdf <unfixed>
@@ -2850,6 +2852,7 @@
 CVE-2005-3624 (The CCITTFaxStream::CCITTFaxStream function in Stream.cc for
xpdf, ...)
 	{DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1}
 	- poppler 0.4.4-1 (bug #346076)
+	- tetex <not-affected> (Links dynamically to poppler)
 	- gpdf <unfixed>
 	- kdegraphics 3.5.0-3
 	- xpdf 3.01-4
@@ -3736,8 +3739,9 @@
 	TODO: check 2.4
 CVE-2005-3357 (mod_ssl in Apache 2.0 up to 2.0.55, when configured with an SSL
vhost ...)
 	TODO: check
-CVE-2005-3356
+CVE-2005-3356 [kernel DoS, see patch-tracking for details]
 	RESERVED
+	- linux-2.6 <unfixed>
 CVE-2005-3355 (Directory traversal vulnerability in GNU Gnump3d before 2.9.8
has ...)
 	{DSA-901-1}
 	- gnump3d 2.9.8-1

Florian Weimer wrote:
> >>
==================================================================> >>
--- data/CVE/list	2006-01-14 17:00:45 UTC (rev 3296)
> >> +++ data/CVE/list	2006-01-15 12:03:20 UTC (rev 3297)
> >> @@ -2826,6 +2826,7 @@
> >>  CVE-2005-3627 (Stream.cc in Xpdf, as used in products such as
gpdf, kpdf, pdftohtml, ...)
> >>  	{DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1}
> >>  	- poppler 0.4.4-1 (bug #346076)
> >> +	- tetex <not-affected> (Links dynamically to poppler)
> 
> > Possibly, this is true for the version in unstable, but not testing.
> 
> Exactly.  This is why you should list the version which started
> linking dynamically against poppler as the "fixed" version.  It
is
> more or less necessary if there ever will be a DSA released for this
> issue.
There''ll be a DSA soon, but I fail to see why this should cause
problems.
- foo
is after all nothing more than a short form for
[sid] - foo

Cheers,
        Moritz

* Moritz Muehlenhoff:
>> Exactly.  This is why you should list the version which started
>> linking dynamically against poppler as the "fixed" version. 
It is
>> more or less necessary if there ever will be a DSA released for this
>> issue.
>
> There''ll be a DSA soon, but I fail to see why this should cause
problems.
> - foo
> is after all nothing more than a short form for
> [sid] - foo
No, it isn''t. 8-)

The former means "all versions, including those in various releases,
are vulnerable".  The latter means "only the sid release is
vulnerable".  debsecan relies heavily on that: The main decision is
controlled by the sid version, and an explicit list of fixed versions
on other branches is provided (to handle DSAs and DTSAs).  The
explicit list includes all known versions of this package (based on
all notes for the package, and what is available from the archive).

If you think we need complete independence of sid and the other
branches, we need a known-bad list for the release branches.
Unfortunately, this means that we need a complete list of all package
versions which have been ever published on a release branch (be it a
security update or not).  This list is not readily available, and I
only know how to construct it for sarge.

I plan to document all those tricky interactions some day, but I''m
currently busy with university stuff (and debsecan bugs have higher
priority anyway).

Moritz Muehlenhoff wrote:
> Modified: data/CVE/list
> ==================================================================> ---
data/CVE/list	2006-01-14 17:00:45 UTC (rev 3296)
> +++ data/CVE/list	2006-01-15 12:03:20 UTC (rev 3297)
> @@ -2826,6 +2826,7 @@
>  CVE-2005-3627 (Stream.cc in Xpdf, as used in products such as gpdf, kpdf,
pdftohtml, ...)
>  	{DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1}
>  	- poppler 0.4.4-1 (bug #346076)
> +	- tetex <not-affected> (Links dynamically to poppler)
Are you sure? Neither tetex-bin nor tetex-extra Depends: on libpoppler,
and while I''m not sure which program(s) in TeTex use xpdf code,
pdflatex
certainly doesn''t link to poppler:

$ ldd `which pdflatex `
        libpng12.so.0 => /usr/lib/libpng12.so.0 (0x00002aaaaabc3000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00002aaaaace7000)
        libkpathsea.so.3 => /usr/lib/libkpathsea.so.3 (0x00002aaaaadfe000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00002aaaaaf12000)
        libm.so.6 => /lib/libm.so.6 (0x00002aaaab10f000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00002aaaab295000)
        libc.so.6 => /lib/libc.so.6 (0x00002aaaab3a2000)
        /lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)


$ dpkg -s tetex-bin | grep Version
Version: 2.0.2-31

Possibly, this is true for the version in unstable, but not testing.

* Anthony DeRobertis:
> Moritz Muehlenhoff wrote:
>> Modified: data/CVE/list
>>
==================================================================>> ---
data/CVE/list	2006-01-14 17:00:45 UTC (rev 3296)
>> +++ data/CVE/list	2006-01-15 12:03:20 UTC (rev 3297)
>> @@ -2826,6 +2826,7 @@
>>  CVE-2005-3627 (Stream.cc in Xpdf, as used in products such as gpdf,
kpdf, pdftohtml, ...)
>>  	{DSA-940-1 DSA-938-1 DSA-937-1 DSA-936-1 DSA-932-1 DSA-931-1}
>>  	- poppler 0.4.4-1 (bug #346076)
>> +	- tetex <not-affected> (Links dynamically to poppler)
> Possibly, this is true for the version in unstable, but not testing.
Exactly.  This is why you should list the version which started
linking dynamically against poppler as the "fixed" version.  It is
more or less necessary if there ever will be a DSA released for this
issue.