Package: texlive-binaries
Version: 2022.20220321.62855-1
Severity: important
File: /usr/bin/pdftosrc
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>
texlive-binaries in unstable, experimental and bookworm embeds xpdfreader 4.03
and the code is exposed via the pdftosrc binary. The PoC file from the CVE
triggers a segmentation fault in pdftosrc.

pdftosrc from bullseye (correctly) reports a broken PDF without crashing as
texlive-binaries in bullseye embeds xpdfreader 4.02.

https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/ChangeLog/
https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/xpdf-src/xpdf/XFAScanner.cc/?hl=243#L243

The following vulnerability was published for texlive-binaries.

CVE-2021-27548[0]:
| There is a Null Pointer Dereference vulnerability in the
| XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27548
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27548

Please adjust the affected versions in the BTS as needed.
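A small triage script, added here as an example and not part of the original report, that runs pdftosrc on a candidate PDF and tells the crash described above (4.03-based binary) apart from the clean "broken PDF" rejection of the 4.02-based bullseye binary. The binary path /usr/bin/pdftosrc is taken from the report; the PDFTOSRC override variable, the 30 second wall-clock limit and the scratch-directory handling are assumptions, and the PoC file is not included.

```shell
#!/bin/sh
# Triage helper for CVE-2021-27548 in Debian's pdftosrc (texlive-binaries).
# Classifies how pdftosrc exits on a given PDF: a crash means the embedded
# xpdf code is still the vulnerable one, a normal error exit means the file
# was rejected without crashing (the bullseye behaviour).

# Map a shell exit status to an outcome label (pure function, no I/O).
# 0        -> ok        : pdftosrc processed the file
# 124      -> timeout   : killed by the coreutils timeout wrapper
# 126/127  -> missing   : binary not executable or not found
# >= 128   -> segfault  (signal 11) or signal:<n> for any other signal
# other    -> rejected  : pdftosrc reported an error, e.g. a broken PDF
classify_exit() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -eq 124 ]; then
        echo "timeout"
    elif [ "$status" -eq 126 ] || [ "$status" -eq 127 ]; then
        echo "missing"
    elif [ "$status" -ge 128 ]; then
        sig=$((status - 128))
        if [ "$sig" -eq 11 ]; then echo "segfault"; else echo "signal:$sig"; fi
    else
        echo "rejected"
    fi
}

# Run pdftosrc on "$1" inside a throw-away directory (pdftosrc writes its
# extracted files into the current directory) under a wall-clock limit, and
# print the classification of its exit status. Assumed: coreutils timeout.
probe_pdftosrc() {
    pdf="$1"
    bin="${PDFTOSRC:-/usr/bin/pdftosrc}"   # override for a locally built binary
    workdir="$(mktemp -d)"
    ( cd "$workdir" && timeout 30 "$bin" "$pdf" >/dev/null 2>&1 )
    status=$?
    rm -rf "$workdir"
    classify_exit "$status"
}

# Command-line use: exit non-zero when the binary crashed, so the script can
# serve as a regression check in a package build or CI job.
if [ $# -ge 1 ]; then
    result="$(probe_pdftosrc "$1")"
    echo "$1: $result"
    case "$result" in
        segfault|signal:*) exit 1 ;;
        *) exit 0 ;;
    esac
fi
```

Run as `./probe.sh poc.pdf` on a bookworm system to see "segfault", and on bullseye to see "rejected".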
-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages texlive-binaries depends on:
ii  libc6           2.34-0experimental2
ii  libcairo2       1.16.0-5
ii  libfontconfig1  2.13.1-4.4
ii  libfreetype6    2.12.1+dfsg-1
ii  libgcc-s1       12.1.0-2
ii  libgraphite2-3  1.3.14-1
ii  libharfbuzz0b   2.7.4-1+b1
ii  libicu71        71.1-3
ii  libkpathsea6    2022.20220321.62855-1
ii  libmpfr6        4.1.0-3
ii  libpaper1       1.1.28+b1
ii  libpixman-1-0   0.40.0-1
ii  libpng16-16     1.6.37-5
ii  libptexenc1     2022.20220321.62855-1
ii  libstdc++6      12.1.0-2
ii  libsynctex2     2022.20220321.62855-1
ii  libteckit0      2.5.11+ds1-1
ii  libtexlua53     2022.20220321.62855-1
ii  libtexluajit2   2022.20220321.62855-1
ii  libx11-6        2:1.7.5-1
ii  libxaw7         2:1.0.14-1
ii  libxi6          2:1.8-1
ii  libxmu6         2:1.1.3-3
ii  libxpm4         1:3.5.12-1
ii  libxt6          1:1.2.1-1
ii  libzzip-0-13    0.13.72+dfsg.1-1.1
ii  perl            5.34.0-4
ii  t1utils         1.41-4
ii  tex-common      6.17
ii  zlib1g          1:1.2.11.dfsg-4

Versions of packages texlive-binaries recommends:
ii  dvisvgm       2.13.4-1
ii  texlive-base  2021.20220204-1

texlive-binaries suggests no packages.

-- no debconf information