Your message dated Fri, 29 Jul 2011 18:19:46 +0000
with message-id <e1qmrf0-0008bj...@franck.debian.org>
and subject line Bug#635849: fixed in xpdf 3.02-19
has caused the Debian Bug report #635849,
regarding xpdf: crafted .pdf.gz file name can delete any single-letter-named file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
635849: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xpdf
Version: 3.02-18
Severity: critical
Justification: causes serious data loss

Using a crafted .pdf.gz file name (which could be sent from a Web
server to a browser, for example), xpdf can be fooled into deleting an
unrelated file as long as its name is a single letter.

$ touch y                            # The unrelated victim file
$ gzip -c </dev/null >'" y ".pdf.gz' # Create a .pdf.gz file
$ xpdf '" y ".pdf.gz'                # View it using xpdf
Error: May not be a PDF file (continuing anyway)
Error: PDF file is damaged - attempting to reconstruct xref table...
Error: Couldn't find trailer dictionary
Error: Couldn't read xref table
rm: cannot remove `/tmp/': Is a directory
$ ls -l y                            # The victim file is gone!
ls: cannot access y: No such file or directory

Thanks,
        Ken

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.39 (SMP w/4 CPU cores)
Locale: LANG=zh_TW.UTF-8, LC_CTYPE=zh_TW.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xpdf depends on:
ii  lesstif2                      1:0.95.2-1 OSF/Motif 2.1 implementation relea
ii  libc6                         2.13-11    Embedded GNU C Library: Shared lib
ii  libgcc1                       1:4.6.1-5  GCC support library
ii  libpoppler13                  0.16.7-2   PDF rendering library
ii  libstdc++6                    4.6.1-5    GNU Standard C++ Library v3
ii  libx11-6                      2:1.4.3-3  X11 client-side library
ii  libxt6                        1:1.1.1-2  X11 toolkit intrinsics library

Versions of packages xpdf recommends:
ii  gsfonts-x11                   0.22       Make Ghostscript fonts available t
ii  poppler-data                  0.4.4-1    Encoding data for the poppler PDF 
ii  poppler-utils                 0.16.7-2   PDF utilities (based on Poppler)

xpdf suggests no packages.

-- no debconf information

-- 
Edit this signature at http://www.digitas.harvard.edu/cgi-bin/ken/sig
I'll let a train be my feet if it's too far to walk to you
Train don't go there, I'll get a jet or a bus, I'm gonna find you
You're mine and I know that I'll find you
And my head is my only house unless it rains



--- End Message ---
--- Begin Message ---
Source: xpdf
Source-Version: 3.02-19

We believe that the bug you reported is fixed in the latest version of
xpdf, which is due to be installed in the Debian FTP archive:

xpdf_3.02-19.debian.tar.gz
  to main/x/xpdf/xpdf_3.02-19.debian.tar.gz
xpdf_3.02-19.dsc
  to main/x/xpdf/xpdf_3.02-19.dsc
xpdf_3.02-19_amd64.deb
  to main/x/xpdf/xpdf_3.02-19_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <michael.s.gilb...@gmail.com> (supplier of updated xpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 29 Jul 2011 14:02:05 -0400
Source: xpdf
Binary: xpdf
Architecture: source amd64
Version: 3.02-19
Distribution: unstable
Urgency: high
Maintainer: Michael Gilbert <michael.s.gilb...@gmail.com>
Changed-By: Michael Gilbert <michael.s.gilb...@gmail.com>
Description: 
 xpdf       - Portable Document Format (PDF) reader
Closes: 635849
Changes: 
 xpdf (3.02-19) unstable; urgency=high
 .
   * Fix insecure tempfile usage (closes: #635849).
Checksums-Sha1: 
 35d493498199bef8fc3af3e4b95e31779e25364c 2579 xpdf_3.02-19.dsc
 ca88cc8c8930e66fdf22b0c9add1e128254a7263 37642 xpdf_3.02-19.debian.tar.gz
 f9f67763ab9c8339773100b8ef6b1cc340948b28 177878 xpdf_3.02-19_amd64.deb
Checksums-Sha256: 
 54d9077926f301b4ebc181a6afdabcd85dce544dd2bce7108b093dc501bb6cba 2579 xpdf_3.02-19.dsc
 6bc6cbfd248e0146982baff472ca2f13be143b0dc0e715a25a5f18493c47059c 37642 xpdf_3.02-19.debian.tar.gz
 5010b6934f524479a8c396602c235271e9652903a39bc10b1f079d4738c41331 177878 xpdf_3.02-19_amd64.deb
Files: 
 fc66dfcfb13fbbc6912f23b1fe24e14b 2579 text optional xpdf_3.02-19.dsc
 197aba42aba101e1bb9fd85f1a30b85f 37642 text optional xpdf_3.02-19.debian.tar.gz
 bdebc21b2d58570ee7bf5cae389a6896 177878 text optional xpdf_3.02-19_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
=HkaT
-----END PGP SIGNATURE-----



--- End Message ---
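The report above shows a wrapper script letting an attacker-chosen file name reach the shell unquoted, and the 3.02-19 changelog names the fix class as "insecure tempfile usage" without showing the patch. The following is an added example, not the Debian xpdf wrapper and not the 3.02-19 change, of how a wrapper can handle a .pdf.gz argument safely: the temporary file comes from mktemp rather than from the input name, every expansion of the untrusted name is quoted, and cleanup is bound to an EXIT trap scoped to one call. The `show_pdf` function is a constructed stand-in for the real viewer, and the vulnerable shape in the comment is an illustrative reconstruction of the bug class, not the script's actual line. The `demo_victim_survives` function re-creates the report's scenario (victim file `y`, crafted name `" y ".pdf.gz`) in a scratch directory and confirms the victim survives and no temp file is left behind.

```shell
#!/bin/sh
# Added example (not the Debian xpdf wrapper and not the 3.02-19 patch):
# a hardened way for a wrapper script to show a .pdf.gz argument.
# "show_pdf" is a constructed stand-in for the real viewer.

show_pdf() {
    # Stand-in viewer: report the decompressed size. The arithmetic
    # expansion strips the padding some wc implementations print.
    echo $(( $(wc -c < "$1") ))
}

# One shape of the defect class the report describes (illustrative
# reconstruction, never executed here): the temp path is derived from the
# untrusted name and expanded unquoted, so the shell word-splits it and
# "rm" receives words the caller never intended, including a bare "y".
#   tmp=/tmp/$1
#   rm -f $tmp        # '" y ".pdf.gz' -> rm -f '/tmp/"' y '".pdf.gz'

view_gz_pdf() {
    # Subshell: the EXIT trap and the temp file are scoped to this call.
    (
        set -eu
        # Unpredictable name chosen by mktemp, never derived from the input.
        tmp=$(mktemp "${TMPDIR:-/tmp}/xpdf.XXXXXX")
        # Cleanup is a quoted expansion of our own variable, not of $1.
        trap 'rm -f -- "$tmp"' EXIT
        # Every use of the untrusted name is quoted, and "--" stops it
        # from being read as an option.
        gzip -dc -- "$1" > "$tmp"
        show_pdf "$tmp"
    )
}

# Re-create the report's scenario in a scratch directory and verify that the
# unrelated single-letter file survives and no temp file is left behind.
# Returns 0 on success.
demo_victim_survives() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/xpdfdemo.XXXXXX") || return 1
    (
        cd "$work" || exit 1
        export TMPDIR="$work"                 # leftovers would show up here
        touch y                               # the unrelated victim file
        gzip -c < /dev/null > '" y ".pdf.gz'  # the crafted name from the report
        view_gz_pdf '" y ".pdf.gz' > /dev/null || exit 1
        set -- *                              # what is left in the directory?
        [ -f y ] && [ "$#" -eq 2 ]            # victim intact, no stray temp file
    )
    status=$?
    rm -rf -- "$work"
    return "$status"
}

demo_victim_survives && echo "victim file survived, no temp file left behind"
```

The two properties worth checking in any such wrapper are visible here: the temp path never contains attacker-controlled bytes, and no command line is rebuilt from the input name, so quotes or spaces in a download's file name are inert data.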
