Bug#1011333: marked as done (/usr/bin/pdftosrc: CVE-2021-27548 - null-pointer dereference in XFAScanner::scanNode used by pdftosrc)
Your message dated Tue, 24 May 2022 18:00:21 +0000
with message-id <E1ntYpR-0004kS-FT@fasolo.debian.org>
and subject line Bug#1011333: fixed in texlive-bin 2022.20220321.62855-2
has caused the Debian Bug report #1011333,
regarding /usr/bin/pdftosrc: CVE-2021-27548 - null-pointer dereference in XFAScanner::scanNode used by pdftosrc
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1011333: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011333
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: texlive-binaries
Version: 2022.20220321.62855-1
Severity: important
File: /usr/bin/pdftosrc
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>
texlive-binaries in unstable, experimental and bookworm embeds
xpdfreader 4.03 and the code is exposed via the pdftosrc binary.
The PoC file from the CVE triggers a segmentation fault in pdftosrc.
pdftosrc from bullseye (correctly) reports a broken PDF without
crashing as texlive-binaries in bullseye embeds xpdfreader 4.02.
https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/ChangeLog/
https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/xpdf-src/xpdf/XFAScanner.cc/?hl=243#L243
The following vulnerability was published for texlive-binaries.
CVE-2021-27548[0]:
| There is a Null Pointer Dereference vulnerability in the
| XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-27548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27548
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages texlive-binaries depends on:
ii libc6 2.34-0experimental2
ii libcairo2 1.16.0-5
ii libfontconfig1 2.13.1-4.4
ii libfreetype6 2.12.1+dfsg-1
ii libgcc-s1 12.1.0-2
ii libgraphite2-3 1.3.14-1
ii libharfbuzz0b 2.7.4-1+b1
ii libicu71 71.1-3
ii libkpathsea6 2022.20220321.62855-1
ii libmpfr6 4.1.0-3
ii libpaper1 1.1.28+b1
ii libpixman-1-0 0.40.0-1
ii libpng16-16 1.6.37-5
ii libptexenc1 2022.20220321.62855-1
ii libstdc++6 12.1.0-2
ii libsynctex2 2022.20220321.62855-1
ii libteckit0 2.5.11+ds1-1
ii libtexlua53 2022.20220321.62855-1
ii libtexluajit2 2022.20220321.62855-1
ii libx11-6 2:1.7.5-1
ii libxaw7 2:1.0.14-1
ii libxi6 2:1.8-1
ii libxmu6 2:1.1.3-3
ii libxpm4 1:3.5.12-1
ii libxt6 1:1.2.1-1
ii libzzip-0-13 0.13.72+dfsg.1-1.1
ii perl 5.34.0-4
ii t1utils 1.41-4
ii tex-common 6.17
ii zlib1g 1:1.2.11.dfsg-4
Versions of packages texlive-binaries recommends:
ii dvisvgm 2.13.4-1
ii texlive-base 2021.20220204-1
texlive-binaries suggests no packages.
-- no debconf information
--- End Message ---
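The report above distinguishes a vulnerable pdftosrc (killed by SIGSEGV on the PoC) from a fixed one (exits with a controlled error about a broken PDF). The small harness below is an added example for reproducing that triage, not code from the bug report or from texlive-bin: it runs a command, discards its output and classifies the exit status as a signal-induced crash, a normal non-zero error or success. The PoC path and the use of timeout(1) are assumptions for illustration; the classification logic itself only relies on the POSIX convention that a shell reports 128 plus the signal number for a child killed by a signal.

```shell
#!/bin/sh
# Added example (not part of the bug report): tell a crash apart from a
# clean parse error when feeding a PoC PDF to pdftosrc.

# classify_status STATUS
# Prints "ok" for 0, "crash:SIGNAME" for a signal death (status > 128),
# and "error:N" for any other non-zero exit code.
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo ok
    elif [ "$st" -gt 128 ]; then
        sig=$((st - 128))
        case $sig in
            11) echo "crash:SIGSEGV" ;;   # null-pointer dereference typically ends here
            6)  echo "crash:SIGABRT" ;;   # assertion / glibc abort
            *)  echo "crash:SIG$sig" ;;
        esac
    else
        # With timeout(1) in front of the command, 124 means the run timed out.
        echo "error:$st"
    fi
}

# run_and_classify CMD [ARGS...]
# Runs CMD, swallows its stdout/stderr and prints the classification of its
# exit status. Written so that it also works under "set -e".
run_and_classify() {
    st=0
    "$@" >/dev/null 2>&1 || st=$?
    classify_status "$st"
}

# Usage against the real binary. The PoC file name is a placeholder, not the
# file attached to the CVE:
#   run_and_classify timeout 30 pdftosrc /tmp/cve-2021-27548-poc.pdf /dev/null
# A build embedding xpdf 4.03 is expected to print "crash:SIGSEGV"; a build
# that rejects the broken PDF (xpdf 4.02 in bullseye, 4.04 in 2022.20220321.62855-2)
# prints "error:N".
```

Run it once per binary under test (e.g. the bullseye and the experimental package in separate chroots) and compare the two classifications; anything reported as crash:SIGSEGV on the PoC is still affected.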
--- Begin Message ---
Source: texlive-bin
Source-Version: 2022.20220321.62855-2
Done: Hilmar Preusse <hille42@web.de>
We believe that the bug you reported is fixed in the latest version of
texlive-bin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1011333@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hilmar Preusse <hille42@web.de> (supplier of updated texlive-bin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 May 2022 23:34:38 +0200
Source: texlive-bin
Binary: libkpathsea-dev libkpathsea6 libkpathsea6-dbgsym libptexenc-dev libptexenc1 libptexenc1-dbgsym libsynctex-dev libsynctex2 libsynctex2-dbgsym libtexlua-dev libtexlua53 libtexlua53-5 libtexlua53-5-dbgsym libtexlua53-dev texlive-binaries texlive-binaries-dbgsym
Architecture: source arm64 all
Version: 2022.20220321.62855-2
Distribution: experimental
Urgency: medium
Maintainer: Debian TeX Task Force <debian-tex-maint@lists.debian.org>
Changed-By: Hilmar Preusse <hille42@web.de>
Description:
libkpathsea-dev - TeX Live: path search library for TeX (development part)
libkpathsea6 - TeX Live: path search library for TeX (runtime part)
libptexenc-dev - TeX Live: ptex encoding library (development part)
libptexenc1 - TeX Live: pTeX encoding library
libsynctex-dev - TeX Live: SyncTeX parser library (development part)
libsynctex2 - TeX Live: SyncTeX parser library
libtexlua-dev - TeX Live: Lua 5.3, modified for use with LuaTeX (development part)
libtexlua53 - transitional package (lib)
libtexlua53-5 - TeX Live: Lua 5.3, modified for use with LuaTeX
libtexlua53-dev - transitional package (dev)
texlive-binaries - Binaries for TeX Live
Closes: 1011333
Changes:
texlive-bin (2022.20220321.62855-2) experimental; urgency=medium
.
* Upgrade xpdf code to 4.04 to solve CVE-2021-27548
(Closes: #1011333).
* Lintian:
- Remove obsolete: source-is-missing
- Add (in general): very-long-line-length-in-source-file
- Fix spelling errors in manual pages.
- W: libtexlua53: package-name-doesnt-match-sonames libtexlua53-5
renamed: libtexlua53-dev -> libtexlua-dev.
renamed: libtexlua53 -> libtexlua53-5
- W: bad-whatis-entry usr/share/man/man1/xml2pmx.1.gz
- W: wrong-manual-section usr/share/man/man1/axohelp.1.gz:1 1 != 1.4
Checksums-Sha1:
597cf0dd91e6475e947d3be19dff76cb16bf7a8f 3146 texlive-bin_2022.20220321.62855-2.dsc
da27ea428fd770196b4545e170c09ff952b5c643 120744 texlive-bin_2022.20220321.62855-2.debian.tar.xz
e977cf4d1d9498ac4f359a8296a2e587d76a2a9f 200684 libkpathsea-dev_2022.20220321.62855-2_arm64.deb
dc60c8b18790f53edd826a1d9e9d8aa9ddd42205 102924 libkpathsea6-dbgsym_2022.20220321.62855-2_arm64.deb
51aa27f40d0cb4a122248fcf8148bd14deb486cc 171164 libkpathsea6_2022.20220321.62855-2_arm64.deb
b658bc83ff6e6d77f51e2f93f12bfc862821b096 65140 libptexenc-dev_2022.20220321.62855-2_arm64.deb
d796790b41b4cc14e308db561410a5ecb3208e0a 30956 libptexenc1-dbgsym_2022.20220321.62855-2_arm64.deb
2f99859f3ca385ed2c686c8e68e36ea7acb30106 64568 libptexenc1_2022.20220321.62855-2_arm64.deb
b57fcafcd35604d29dcf9f6c872bd90c629f3b67 82152 libsynctex-dev_2022.20220321.62855-2_arm64.deb
44cc36fd22627697110d851b7de363a0462a2f5d 179892 libsynctex2-dbgsym_2022.20220321.62855-2_arm64.deb
06e674539d289fcdcbbcdd8da303e917e62878be 78092 libsynctex2_2022.20220321.62855-2_arm64.deb
a5f648323a31ca185def94d223ced4ee6fa3d228 154316 libtexlua-dev_2022.20220321.62855-2_arm64.deb
2795b9112a2bd9bce8f4675be38877896c773641 336180 libtexlua53-5-dbgsym_2022.20220321.62855-2_arm64.deb
fd974c70f721dadcdb05b0c38d1d949272ef2384 124592 libtexlua53-5_2022.20220321.62855-2_arm64.deb
3c485a18382b2fa1bf856f548b025815a6bbb437 40708 libtexlua53-dev_2022.20220321.62855-2_all.deb
0ed90b78aa36cd30230a57343ab70f24921f1f50 40692 libtexlua53_2022.20220321.62855-2_all.deb
de27fa9a4f26ef9c90aad0d58a36fe169bddbfdb 13963 texlive-bin_2022.20220321.62855-2_arm64.buildinfo
a8d83aac8744939176b27be8dc4173eceaf11d7b 26411172 texlive-binaries-dbgsym_2022.20220321.62855-2_arm64.deb
857281cf15830da923d46aee13f1c8e45b46422f 7939808 texlive-binaries_2022.20220321.62855-2_arm64.deb
Checksums-Sha256:
cfe91ef67cf6eebf56261dd937474c583232e4466b086a52bf8b2d0d8aace000 3146 texlive-bin_2022.20220321.62855-2.dsc
3b940a777732ab028a418b2e743a4c10e2d23d017c99eecd9a2fa8fe81c5e9e4 120744 texlive-bin_2022.20220321.62855-2.debian.tar.xz
8c723a0fccf7c1ceee152f44ba1672b6c66cecc5c6d13054714125c50b0b0f63 200684 libkpathsea-dev_2022.20220321.62855-2_arm64.deb
10aa9e989a2697a9b7c0dbc60f7de5a2f9f9e9d565f4941205f335f00ed2058d 102924 libkpathsea6-dbgsym_2022.20220321.62855-2_arm64.deb
b3558b4d4938bda73d546f4d541441718fd866e2454940052b37f4a9b1dd1761 171164 libkpathsea6_2022.20220321.62855-2_arm64.deb
4a7b56bb58118d2aace77b5680eaebb76febed1d110a2b4a2979ee606c868cd3 65140 libptexenc-dev_2022.20220321.62855-2_arm64.deb
69c59cd3253fcfffd37f457ce09b4b58944800bf071531be778087bce554701b 30956 libptexenc1-dbgsym_2022.20220321.62855-2_arm64.deb
561eef77fb0acecb7eb910a598f45088869b6c6e1d87c39530b9eac0984b9035 64568 libptexenc1_2022.20220321.62855-2_arm64.deb
5a5a5fd10ced5805f6b9812271e9b38b34afb9f82b53085f392fb404b3c04c2b 82152 libsynctex-dev_2022.20220321.62855-2_arm64.deb
987529bd5d15b0611a244adcb5497a7cd25cf96430318eb70e33691ab40ae352 179892 libsynctex2-dbgsym_2022.20220321.62855-2_arm64.deb
a82464180c7141119a9f0ac84611b184e42a6436e5bf6832ffd812a6710bc4f4 78092 libsynctex2_2022.20220321.62855-2_arm64.deb
6ce0f92100de48fb93383bc247f0c112a1b33778b7eaf88a344aa65f271a6838 154316 libtexlua-dev_2022.20220321.62855-2_arm64.deb
bd9ae3fe9bc7667d3c44fdbb35ce21469ceb0ee3a95e41f3c2fa34ad3f13953a 336180 libtexlua53-5-dbgsym_2022.20220321.62855-2_arm64.deb
3302e553e6f71e4a10c7013b6680af69cda5264f372a20f75eea7531437da183 124592 libtexlua53-5_2022.20220321.62855-2_arm64.deb
56f72a273c9176e63938ee78e27e8dce64b0dc52a9dc00c4c3ced96b796517ea 40708 libtexlua53-dev_2022.20220321.62855-2_all.deb
0084e66a26eb22faf9f28ea8f85aa5d21d72493f625f7b7d7ea84c442e36176c 40692 libtexlua53_2022.20220321.62855-2_all.deb
b418a380290c0a6918873a27834d92bc0c99166aff11b6ad29705dc8f6596fb6 13963 texlive-bin_2022.20220321.62855-2_arm64.buildinfo
49ba814c5ecdef622f139a2c02967c2d1c74393318ac5cf3ebce618b7b64a99a 26411172 texlive-binaries-dbgsym_2022.20220321.62855-2_arm64.deb
364eae4a0472f73c91b97e5afa6084ed3591e99c7d8c985c6f89cab14b8e2ff7 7939808 texlive-binaries_2022.20220321.62855-2_arm64.deb
Files:
da4e6fb1d7c1a68d49cec515a1d138a1 3146 tex optional texlive-bin_2022.20220321.62855-2.dsc
a3aafad995a8837e4be33bd629c9ebc7 120744 tex optional texlive-bin_2022.20220321.62855-2.debian.tar.xz
edf3ba87ca650a0396c26f11e65ab609 200684 libdevel optional libkpathsea-dev_2022.20220321.62855-2_arm64.deb
2145add0629fc6a747765fc2274e2af6 102924 debug optional libkpathsea6-dbgsym_2022.20220321.62855-2_arm64.deb
0ac4cbb1cb44280349c72925a7791a04 171164 libs optional libkpathsea6_2022.20220321.62855-2_arm64.deb
5db6e121e28e53fa6a004bf13938b4fa 65140 libdevel optional libptexenc-dev_2022.20220321.62855-2_arm64.deb
f986e0513f69593954085b5cbe52cfac 30956 debug optional libptexenc1-dbgsym_2022.20220321.62855-2_arm64.deb
5515cba08156181146e6d3d0650b1b31 64568 libs optional libptexenc1_2022.20220321.62855-2_arm64.deb
7ff73dc4d891e7170f426425ae91371e 82152 libdevel optional libsynctex-dev_2022.20220321.62855-2_arm64.deb
10f3849fdb24df208de1dae333ac29d6 179892 debug optional libsynctex2-dbgsym_2022.20220321.62855-2_arm64.deb
dd7e7441af4dbab2e68c610808a9cbd6 78092 libs optional libsynctex2_2022.20220321.62855-2_arm64.deb
7bd9935eb304971ad651718100efe9a8 154316 libdevel optional libtexlua-dev_2022.20220321.62855-2_arm64.deb
4158f567b991037c261557937f176630 336180 debug optional libtexlua53-5-dbgsym_2022.20220321.62855-2_arm64.deb
a901267f95631323fd54432d568c76a6 124592 libs optional libtexlua53-5_2022.20220321.62855-2_arm64.deb
fe640c20352f2ca00794a5755e0c79bc 40708 oldlibs optional libtexlua53-dev_2022.20220321.62855-2_all.deb
2aef3a4c8db1657b5e596dc853038dcf 40692 oldlibs optional libtexlua53_2022.20220321.62855-2_all.deb
a0eb7f66c8103707a91199c90f5dfa4b 13963 tex optional texlive-bin_2022.20220321.62855-2_arm64.buildinfo
6f1efb4261caafbcb4290b2323b80337 26411172 debug optional texlive-binaries-dbgsym_2022.20220321.62855-2_arm64.deb
274694f707bf2c194337673e21598d81 7939808 tex optional texlive-binaries_2022.20220321.62855-2_arm64.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---