
Bug#1011333: marked as done (/usr/bin/pdftosrc: CVE-2021-27548 - null-pointer dereference in XFAScanner::scanNode used by pdftosrc)



Your message dated Tue, 24 May 2022 18:00:21 +0000
with message-id <E1ntYpR-0004kS-FT@fasolo.debian.org>
and subject line Bug#1011333: fixed in texlive-bin 2022.20220321.62855-2
has caused the Debian Bug report #1011333,
regarding /usr/bin/pdftosrc: CVE-2021-27548 - null-pointer dereference in XFAScanner::scanNode used by pdftosrc
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1011333: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011333
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: texlive-binaries
Version: 2022.20220321.62855-1
Severity: important
File: /usr/bin/pdftosrc
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

texlive-binaries in unstable, experimental and bookworm embeds
xpdfreader 4.03 and the code is exposed via the pdftosrc binary.

The PoC file from the CVE triggers a segmentation fault in pdftosrc.
pdftosrc from bullseye (correctly) reports a broken PDF without
crashing as texlive-binaries in bullseye embeds xpdfreader 4.02.

https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/ChangeLog/
https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/xpdf-src/xpdf/XFAScanner.cc/?hl=243#L243

The following vulnerability was published for texlive-binaries.

CVE-2021-27548[0]:
| There is a Null Pointer Dereference vulnerability in the
| XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27548
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27548

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages texlive-binaries depends on:
ii  libc6           2.34-0experimental2
ii  libcairo2       1.16.0-5
ii  libfontconfig1  2.13.1-4.4
ii  libfreetype6    2.12.1+dfsg-1
ii  libgcc-s1       12.1.0-2
ii  libgraphite2-3  1.3.14-1
ii  libharfbuzz0b   2.7.4-1+b1
ii  libicu71        71.1-3
ii  libkpathsea6    2022.20220321.62855-1
ii  libmpfr6        4.1.0-3
ii  libpaper1       1.1.28+b1
ii  libpixman-1-0   0.40.0-1
ii  libpng16-16     1.6.37-5
ii  libptexenc1     2022.20220321.62855-1
ii  libstdc++6      12.1.0-2
ii  libsynctex2     2022.20220321.62855-1
ii  libteckit0      2.5.11+ds1-1
ii  libtexlua53     2022.20220321.62855-1
ii  libtexluajit2   2022.20220321.62855-1
ii  libx11-6        2:1.7.5-1
ii  libxaw7         2:1.0.14-1
ii  libxi6          2:1.8-1
ii  libxmu6         2:1.1.3-3
ii  libxpm4         1:3.5.12-1
ii  libxt6          1:1.2.1-1
ii  libzzip-0-13    0.13.72+dfsg.1-1.1
ii  perl            5.34.0-4
ii  t1utils         1.41-4
ii  tex-common      6.17
ii  zlib1g          1:1.2.11.dfsg-4

Versions of packages texlive-binaries recommends:
ii  dvisvgm       2.13.4-1
ii  texlive-base  2021.20220204-1

texlive-binaries suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: texlive-bin
Source-Version: 2022.20220321.62855-2
Done: Hilmar Preusse <hille42@web.de>

We believe that the bug you reported is fixed in the latest version of
texlive-bin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011333@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preusse <hille42@web.de> (supplier of updated texlive-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 22 May 2022 23:34:38 +0200
Source: texlive-bin
Binary: libkpathsea-dev libkpathsea6 libkpathsea6-dbgsym libptexenc-dev libptexenc1 libptexenc1-dbgsym libsynctex-dev libsynctex2 libsynctex2-dbgsym libtexlua-dev libtexlua53 libtexlua53-5 libtexlua53-5-dbgsym libtexlua53-dev texlive-binaries texlive-binaries-dbgsym
Architecture: source arm64 all
Version: 2022.20220321.62855-2
Distribution: experimental
Urgency: medium
Maintainer: Debian TeX Task Force <debian-tex-maint@lists.debian.org>
Changed-By: Hilmar Preusse <hille42@web.de>
Description:
 libkpathsea-dev - TeX Live: path search library for TeX (development part)
 libkpathsea6 - TeX Live: path search library for TeX (runtime part)
 libptexenc-dev - TeX Live: ptex encoding library (development part)
 libptexenc1 - TeX Live: pTeX encoding library
 libsynctex-dev - TeX Live: SyncTeX parser library (development part)
 libsynctex2 - TeX Live: SyncTeX parser library
 libtexlua-dev - TeX Live: Lua 5.3, modified for use with LuaTeX (development part)
 libtexlua53 - transitional package (lib)
 libtexlua53-5 - TeX Live: Lua 5.3, modified for use with LuaTeX
 libtexlua53-dev - transitional package (dev)
 texlive-binaries - Binaries for TeX Live
Closes: 1011333
Changes:
 texlive-bin (2022.20220321.62855-2) experimental; urgency=medium
 .
   * Upgrade xpdf code to 4.04 to solve CVE-2021-27548
     (Closes: #1011333).
   * Lintian:
     - Remove obsolete: source-is-missing
     - Add (in general): very-long-line-length-in-source-file
     - Fix spelling errors in manual pages.
     - W: libtexlua53: package-name-doesnt-match-sonames libtexlua53-5
       renamed: libtexlua53-dev -> libtexlua-dev.
       renamed: libtexlua53 -> libtexlua53-5
     - W: bad-whatis-entry usr/share/man/man1/xml2pmx.1.gz
     - W: wrong-manual-section usr/share/man/man1/axohelp.1.gz:1 1 != 1.4
Checksums-Sha1:
 597cf0dd91e6475e947d3be19dff76cb16bf7a8f 3146 texlive-bin_2022.20220321.62855-2.dsc
 da27ea428fd770196b4545e170c09ff952b5c643 120744 texlive-bin_2022.20220321.62855-2.debian.tar.xz
 e977cf4d1d9498ac4f359a8296a2e587d76a2a9f 200684 libkpathsea-dev_2022.20220321.62855-2_arm64.deb
 dc60c8b18790f53edd826a1d9e9d8aa9ddd42205 102924 libkpathsea6-dbgsym_2022.20220321.62855-2_arm64.deb
 51aa27f40d0cb4a122248fcf8148bd14deb486cc 171164 libkpathsea6_2022.20220321.62855-2_arm64.deb
 b658bc83ff6e6d77f51e2f93f12bfc862821b096 65140 libptexenc-dev_2022.20220321.62855-2_arm64.deb
 d796790b41b4cc14e308db561410a5ecb3208e0a 30956 libptexenc1-dbgsym_2022.20220321.62855-2_arm64.deb
 2f99859f3ca385ed2c686c8e68e36ea7acb30106 64568 libptexenc1_2022.20220321.62855-2_arm64.deb
 b57fcafcd35604d29dcf9f6c872bd90c629f3b67 82152 libsynctex-dev_2022.20220321.62855-2_arm64.deb
 44cc36fd22627697110d851b7de363a0462a2f5d 179892 libsynctex2-dbgsym_2022.20220321.62855-2_arm64.deb
 06e674539d289fcdcbbcdd8da303e917e62878be 78092 libsynctex2_2022.20220321.62855-2_arm64.deb
 a5f648323a31ca185def94d223ced4ee6fa3d228 154316 libtexlua-dev_2022.20220321.62855-2_arm64.deb
 2795b9112a2bd9bce8f4675be38877896c773641 336180 libtexlua53-5-dbgsym_2022.20220321.62855-2_arm64.deb
 fd974c70f721dadcdb05b0c38d1d949272ef2384 124592 libtexlua53-5_2022.20220321.62855-2_arm64.deb
 3c485a18382b2fa1bf856f548b025815a6bbb437 40708 libtexlua53-dev_2022.20220321.62855-2_all.deb
 0ed90b78aa36cd30230a57343ab70f24921f1f50 40692 libtexlua53_2022.20220321.62855-2_all.deb
 de27fa9a4f26ef9c90aad0d58a36fe169bddbfdb 13963 texlive-bin_2022.20220321.62855-2_arm64.buildinfo
 a8d83aac8744939176b27be8dc4173eceaf11d7b 26411172 texlive-binaries-dbgsym_2022.20220321.62855-2_arm64.deb
 857281cf15830da923d46aee13f1c8e45b46422f 7939808 texlive-binaries_2022.20220321.62855-2_arm64.deb
Checksums-Sha256:
 cfe91ef67cf6eebf56261dd937474c583232e4466b086a52bf8b2d0d8aace000 3146 texlive-bin_2022.20220321.62855-2.dsc
 3b940a777732ab028a418b2e743a4c10e2d23d017c99eecd9a2fa8fe81c5e9e4 120744 texlive-bin_2022.20220321.62855-2.debian.tar.xz
 8c723a0fccf7c1ceee152f44ba1672b6c66cecc5c6d13054714125c50b0b0f63 200684 libkpathsea-dev_2022.20220321.62855-2_arm64.deb
 10aa9e989a2697a9b7c0dbc60f7de5a2f9f9e9d565f4941205f335f00ed2058d 102924 libkpathsea6-dbgsym_2022.20220321.62855-2_arm64.deb
 b3558b4d4938bda73d546f4d541441718fd866e2454940052b37f4a9b1dd1761 171164 libkpathsea6_2022.20220321.62855-2_arm64.deb
 4a7b56bb58118d2aace77b5680eaebb76febed1d110a2b4a2979ee606c868cd3 65140 libptexenc-dev_2022.20220321.62855-2_arm64.deb
 69c59cd3253fcfffd37f457ce09b4b58944800bf071531be778087bce554701b 30956 libptexenc1-dbgsym_2022.20220321.62855-2_arm64.deb
 561eef77fb0acecb7eb910a598f45088869b6c6e1d87c39530b9eac0984b9035 64568 libptexenc1_2022.20220321.62855-2_arm64.deb
 5a5a5fd10ced5805f6b9812271e9b38b34afb9f82b53085f392fb404b3c04c2b 82152 libsynctex-dev_2022.20220321.62855-2_arm64.deb
 987529bd5d15b0611a244adcb5497a7cd25cf96430318eb70e33691ab40ae352 179892 libsynctex2-dbgsym_2022.20220321.62855-2_arm64.deb
 a82464180c7141119a9f0ac84611b184e42a6436e5bf6832ffd812a6710bc4f4 78092 libsynctex2_2022.20220321.62855-2_arm64.deb
 6ce0f92100de48fb93383bc247f0c112a1b33778b7eaf88a344aa65f271a6838 154316 libtexlua-dev_2022.20220321.62855-2_arm64.deb
 bd9ae3fe9bc7667d3c44fdbb35ce21469ceb0ee3a95e41f3c2fa34ad3f13953a 336180 libtexlua53-5-dbgsym_2022.20220321.62855-2_arm64.deb
 3302e553e6f71e4a10c7013b6680af69cda5264f372a20f75eea7531437da183 124592 libtexlua53-5_2022.20220321.62855-2_arm64.deb
 56f72a273c9176e63938ee78e27e8dce64b0dc52a9dc00c4c3ced96b796517ea 40708 libtexlua53-dev_2022.20220321.62855-2_all.deb
 0084e66a26eb22faf9f28ea8f85aa5d21d72493f625f7b7d7ea84c442e36176c 40692 libtexlua53_2022.20220321.62855-2_all.deb
 b418a380290c0a6918873a27834d92bc0c99166aff11b6ad29705dc8f6596fb6 13963 texlive-bin_2022.20220321.62855-2_arm64.buildinfo
 49ba814c5ecdef622f139a2c02967c2d1c74393318ac5cf3ebce618b7b64a99a 26411172 texlive-binaries-dbgsym_2022.20220321.62855-2_arm64.deb
 364eae4a0472f73c91b97e5afa6084ed3591e99c7d8c985c6f89cab14b8e2ff7 7939808 texlive-binaries_2022.20220321.62855-2_arm64.deb
Files:
 da4e6fb1d7c1a68d49cec515a1d138a1 3146 tex optional texlive-bin_2022.20220321.62855-2.dsc
 a3aafad995a8837e4be33bd629c9ebc7 120744 tex optional texlive-bin_2022.20220321.62855-2.debian.tar.xz
 edf3ba87ca650a0396c26f11e65ab609 200684 libdevel optional libkpathsea-dev_2022.20220321.62855-2_arm64.deb
 2145add0629fc6a747765fc2274e2af6 102924 debug optional libkpathsea6-dbgsym_2022.20220321.62855-2_arm64.deb
 0ac4cbb1cb44280349c72925a7791a04 171164 libs optional libkpathsea6_2022.20220321.62855-2_arm64.deb
 5db6e121e28e53fa6a004bf13938b4fa 65140 libdevel optional libptexenc-dev_2022.20220321.62855-2_arm64.deb
 f986e0513f69593954085b5cbe52cfac 30956 debug optional libptexenc1-dbgsym_2022.20220321.62855-2_arm64.deb
 5515cba08156181146e6d3d0650b1b31 64568 libs optional libptexenc1_2022.20220321.62855-2_arm64.deb
 7ff73dc4d891e7170f426425ae91371e 82152 libdevel optional libsynctex-dev_2022.20220321.62855-2_arm64.deb
 10f3849fdb24df208de1dae333ac29d6 179892 debug optional libsynctex2-dbgsym_2022.20220321.62855-2_arm64.deb
 dd7e7441af4dbab2e68c610808a9cbd6 78092 libs optional libsynctex2_2022.20220321.62855-2_arm64.deb
 7bd9935eb304971ad651718100efe9a8 154316 libdevel optional libtexlua-dev_2022.20220321.62855-2_arm64.deb
 4158f567b991037c261557937f176630 336180 debug optional libtexlua53-5-dbgsym_2022.20220321.62855-2_arm64.deb
 a901267f95631323fd54432d568c76a6 124592 libs optional libtexlua53-5_2022.20220321.62855-2_arm64.deb
 fe640c20352f2ca00794a5755e0c79bc 40708 oldlibs optional libtexlua53-dev_2022.20220321.62855-2_all.deb
 2aef3a4c8db1657b5e596dc853038dcf 40692 oldlibs optional libtexlua53_2022.20220321.62855-2_all.deb
 a0eb7f66c8103707a91199c90f5dfa4b 13963 tex optional texlive-bin_2022.20220321.62855-2_arm64.buildinfo
 6f1efb4261caafbcb4290b2323b80337 26411172 debug optional texlive-binaries-dbgsym_2022.20220321.62855-2_arm64.deb
 274694f707bf2c194337673e21598d81 7939808 tex optional texlive-binaries_2022.20220321.62855-2_arm64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
