pdftex and xpdf (and its security bugs): What about a libxpdf?
Dear pdftex developers,

during the last months security support for software containing xpdf code was a nightmare - not only that there were many security issues discovered, moreover everybody used a different patch, it was unclear to what extent older versions were affected, and so forth. This was also a problem for us, the teTeX maintainer in Debian, which currently has three versions of pdftex with three different versions of the xpdf code.

What would you think about creating a shared library, "libxpdf", and using that for pdftex, either linked dynamically (for Linux/Unix distributions) or statically (for TeX-live and friends)?

There is already such a library, libpoppler, a fork of the xpdf code (http://poppler.freedesktop.org/). However, I do not know whether the xpdf author, Derek B. Noonburg, is generally unwilling to create a shared library, or whether people simply didn't ask him. Personally I would prefer to have as small a number of versions of the same code as possible, and thus to get a shared library from xpdf proper.

If you agree, I would be obliged if one of you would contact Derek Noonburg (derekn@foolabs.com) and ask him. He seems to be a little unresponsive at times, and has not answered a similar question from the maintainer of the xpdf package in Debian for a couple of weeks now. Maybe we can convince him that this is a good idea if he is approached from different sides.

Alternatively, if he is unwilling to make this change, do you think using libpoppler would be feasible?

Many thanks in advance, Frank Küster

--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
On 2005-03-30 14:00:38 +0200, Frank Küster wrote:
during the last months security support for software containing xpdf code was a nightmare - not only that there were many security issues discovered, moreover everybody used a different patch, it was unclear to what extent older versions were affected, and so forth. This was also a problem for us, the teTeX maintainer in Debian, which currently has three versions of pdftex with three different versions of the xpdf code.
I know; we even got contacted about some patches, which we didn't need to use -- a crash of pdfTeX is not really a security problem. :-)
What would you think about creating a shared library, "libxpdf", and using that for pdftex, either linked dynamically (for Linux/Unix distributions) or statically (for TeX-live and friends)?
Much. This actually was discussed at EuroTeX2005, but with a different focus: Having the xpdf functions for parsing pdf available for scripting languages like python and ruby.
There is already such a library, libpoppler, a fork of the xpdf code (http://poppler.freedesktop.org/). However, I do not know whether the xpdf author, Derek B. Noonburg, is generally unwilling to create a shared library, or whether people simply didn't ask him. Personally I would prefer to have as small a number of versions of the same code as possible, and thus to get a shared library from xpdf proper.
poppler has a very different focus: rendering. We only need the parser of xpdf.
If you agree, I would be obliged if one of you would contact Derek Noonburg (derekn@foolabs.com) and ask him. He seems to be a little unresponsive at times, and has not answered a similar question from the maintainer of the xpdf package in Debian for a couple of weeks now. Maybe we can convince him that this is a good idea if he is approached from different sides.
I'll do this eventually, but don't expect anything from me soon. Most likely not before Sarge. :-)
Alternatively, if he is unwilling to make this change, do you think using libpoppler would be feasible?
See above. I'll look into it.

Best regards
Martin

--
http://www.tm.oneiros.de
Martin Schröder
On 2005-03-30 14:00:38 +0200, Frank Küster wrote:
during the last months security support for software containing xpdf code was a nightmare - not only that there were many security issues discovered, moreover everybody used a different patch, it was unclear to what extent older versions were affected, and so forth. This was also a problem for us, the teTeX maintainer in Debian, which currently has three versions of pdftex with three different versions of the xpdf code.
I know; we even got contacted about some patches, which we didn't need to use -- a crash of pdfTeX is not really a security problem. :-)
I do not agree here. If you are running pdftex as part of a service (people submit document source and get typeset documents or printouts), it could be used at least for a Denial of Service attack. And I am not sure that it has been investigated whether the buffer overflows could not also be used to execute malicious code; if you know the target system well, this might be possible.
If you agree, I would be obliged if one of you would contact Derek Noonburg (derekn@foolabs.com) and ask him. He seems to be a little unresponsive at times, and has not answered a similar question from the maintainer of the xpdf package in Debian for a couple of weeks now. Maybe we can convince him that this is a good idea if he is approached from different sides.
I'll do this eventually, but don't expect anything from me soon. Most likely not before Sarge. :-)
Derek has now answered Hamish Moffat's (the Debian xpdf maintainer) mail. The relevant part of his answer is:

,----
| I haven't thought about doing it myself, but (as you say) poppler is
| doing pretty much that.
|
| I don't know of a good way to do it, frankly. Everyone seems to be
| using different parts of Xpdf, so there's no simple, concise API that
| would be useful. You can just export all of the symbols, but since it's
| written in C++, that will make it heavily dependent on the compiler used
| (or more specifically, on the name mangling scheme).
`----

So if we could come up with a decent technical proposal, he seems to be open to a change. If we could. My knowledge of C++ is negligible, I fear I won't be of much help here.

I have not yet looked at poppler (there's a Debian package in NEW, have asked the uploader whether he can give me the packages), so I do not know if they excluded the parsing part or just don't care much about it.

Regards, Frank

--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
On 2005-03-31 09:19:47 +0200, Frank Küster wrote:
I have not yet looked at poppler (there's a Debian package in NEW, have asked the uploader whether he can give me the packages), so I do not know if they excluded the parsing part or just don't care much about it.
In the meantime they have; see
http://bugs.debian.org/252104
http://people.debian.org/~frank/patch-poppler
http://lists.freedesktop.org/archives/poppler/2006-January/001519.html

Best
Martin

--
http://www.tm.oneiros.de