dvipdfmx does not work on 9.04 (it is killed by the GCC Stack Smashing Protector)

Bug #372217 reported by Fumihito YOSHIDA
This bug affects 2 people
Affects                Status        Importance  Assigned to  Milestone
dvipdfmx (Debian)      Fix Released  Unknown
dvipdfmx (Ubuntu)      Fix Released  Undecided   Unassigned
  Jaunty               Fix Released  High        Unassigned
  Karmic               Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: dvipdfmx

The original information is here (note: it is written in Japanese).
https://forums.ubuntulinux.jp/viewtopic.php?id=4615

[Description]
dvipdfmx does not work anymore. When dvipdfmx is executed, it is killed by gcc-SSP.
-----------------------------------------------------
*** stack smashing detected ***: dvipdfmx terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7e9ada8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb7e9ad60]
dvipdfmx[0x805cdc5]
(snip)
-----------------------------------------------------

It is caused by mishandled array indexing; this is not a security vulnerability.
This is a coding bug.
-----------------------------------------------------
in dvipdfmx-20080607/src/cmap_read.c :
-----------------------------------------------------
#define INPUT_BUF_SIZE 4096
#define CMAP_SIG_MAX 64
int
CMap_parse_check_sig (FILE *fp)
{
  int result = -1;
  char sig[CMAP_SIG_MAX+1]; /* array size is "CMAP_SIG_MAX+1" */

  if (!fp)
    return -1;

  rewind(fp);
  if (fread(sig, sizeof(char), CMAP_SIG_MAX, fp) != CMAP_SIG_MAX)
    result = -1;
  else {
    sig[CMAP_SIG_MAX+1] = 0; /* writes sig[CMAP_SIG_MAX+1], one byte past the end of the array <= out-of-bounds access! */
    if (strncmp(sig, "%!PS", 4))
      result = -1;
    else if (strstr(sig+4, "Resource-CMap"))
      result = 0;
  }
  rewind(fp);

  return result;
}
-----------------------------------------------------
[How to Fix]
Apply patch.

[Notes]
9.04 -> The process is killed by the GCC Stack Smashing Protector.
8.10, 8.04 -> The process still runs, but a one-byte misaligned (out-of-bounds) overwrite is caused...

[Appendix]
This bug is still present in the latest upstream (snapshot 20090501).
http://project.ktug.or.kr/pipermail/dvipdfmx/2009-May/000077.html
I'll contact the original author(s).
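The following is an added example, not code from the dvipdfmx project or from the reporter, and not the patch attached to this bug. It rewrites the signature check with the terminator stored at the last valid index (sizeof sig - 1, which is CMAP_SIG_MAX) and runs it over constructed inputs: a CMap-style header, ordinary PostScript, a file shorter than the 64-byte window, and a NULL stream. The tmpfile()-based helper and the sample headers are assumptions made for the demonstration; they are not taken from a real CMap file.

```c
#include <stdio.h>
#include <string.h>

#define CMAP_SIG_MAX 64

/*
 * Corrected signature check (added example, not the dvipdfmx upstream fix).
 * sig has CMAP_SIG_MAX + 1 slots, so the highest valid index is CMAP_SIG_MAX.
 * The buggy original wrote sig[CMAP_SIG_MAX + 1], i.e. sig[sizeof sig],
 * one byte past the end, which is what the stack protector caught on 9.04.
 */
int cmap_check_sig_fixed(FILE *fp)
{
    int result = -1;
    char sig[CMAP_SIG_MAX + 1];

    if (!fp)
        return -1;

    rewind(fp);
    if (fread(sig, 1, CMAP_SIG_MAX, fp) != CMAP_SIG_MAX) {
        result = -1;               /* shorter than the signature window: reject */
    } else {
        sig[CMAP_SIG_MAX] = '\0';  /* terminator at the last valid index, sizeof sig - 1 */
        if (strncmp(sig, "%!PS", 4) == 0 && strstr(sig + 4, "Resource-CMap") != NULL)
            result = 0;            /* strstr stops at the terminator, so it stays in bounds */
    }
    rewind(fp);
    return result;
}

/* Returns 1: the index the original used (CMAP_SIG_MAX + 1) equals sizeof sig, which is past the end. */
int original_write_is_out_of_bounds(void)
{
    char sig[CMAP_SIG_MAX + 1];
    (void)sig;
    return (size_t)(CMAP_SIG_MAX + 1) >= sizeof sig;
}

/* Helper (assumption for this demo): build a temporary file from a byte string and run the check on it. */
static int check_bytes(const char *data, size_t len)
{
    FILE *fp = tmpfile();
    int r;
    if (!fp)
        return -2;
    if (fwrite(data, 1, len, fp) != len) {
        fclose(fp);
        return -2;
    }
    r = cmap_check_sig_fixed(fp);
    fclose(fp);
    return r;
}

/* Constructed sample inputs; the first two are at least 64 bytes long, the third is not. */
static const char kCMapHeader[] =
    "%!PS-Adobe-3.0 Resource-CMap\n"
    "%%DocumentNeededResources: ProcSet (CIDInit)\n";
static const char kPlainPS[] =
    "%!PS-Adobe-3.0\n"
    "%%Title: not a CMap, just ordinary PostScript padding text\n";
static const char kTruncated[] = "%!PS-Adobe-3.0 Resource-CMap\n";

int check_cmap_header(void) { return check_bytes(kCMapHeader, sizeof kCMapHeader - 1); }  /* 0: accepted  */
int check_plain_ps(void)    { return check_bytes(kPlainPS, sizeof kPlainPS - 1); }        /* -1: no CMap  */
int check_truncated(void)   { return check_bytes(kTruncated, sizeof kTruncated - 1); }    /* -1: too short */
int check_null_file(void)   { return cmap_check_sig_fixed(NULL); }                         /* -1: no stream */

int main(void)
{
    printf("original index out of bounds: %d\n", original_write_is_out_of_bounds());
    printf("CMap header: %d, plain PS: %d, truncated: %d, NULL: %d\n",
           check_cmap_header(), check_plain_ps(), check_truncated(), check_null_file());
    return 0;
}
```

Note that the check reads exactly CMAP_SIG_MAX bytes and terminates the buffer at index CMAP_SIG_MAX, so strncmp and strstr can never run past the array; a "Resource-CMap" marker that straddles byte 64 is not recognized, which matches the window-based behaviour of the original check.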

Revision history for this message
Fumihito YOSHIDA (hito) wrote :

Here is the patch.

Revision history for this message
Fumihito YOSHIDA (hito) wrote :

Here is the debdiff for jaunty.

Revision history for this message
Hideki Yamane (henrich) wrote :
Revision history for this message
Brian Murray (brian-murray) wrote :

Looking at the attachments in this bug report, I noticed that "patch_for_dvipdfmx.patch.txt" was not flagged as a patch. A patch contains changes to an Ubuntu package that will resolve a bug and this attachment is one! Subsequently, I've checked the patch flag for it. In the future when submitting patches please use the patch checkbox as there are some Launchpad searches that use this feature. You can learn more about patch workflow at https://wiki.ubuntu.com/Bugs/Patches. Thanks for your contribution Fumihito YOSHIDA!

Changed in dvipdfmx (Debian):
status: Unknown → New
Revision history for this message
Fumihito YOSHIDA (hito) wrote :
Changed in dvipdfmx (Ubuntu):
status: New → Confirmed
Revision history for this message
Ikuya Awashiro (ikuya-fruitsbasket) wrote :

Hi.
I re-made a debdiff.
Please apply it.

Revision history for this message
Fumihito YOSHIDA (hito) wrote :

This bug is fixed in sid; Karmic will be fixed automatically by a sync of sid's upload.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527086#15

This problem is critical for CJK TeX users: they cannot create any PDF.
Please proceed with the SRU.

Changed in dvipdfmx (Debian):
status: New → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote :

Synced to Karmic now:

dvipdfmx | 1:20090115-1.2 | karmic | source, amd64, i386

Changed in dvipdfmx (Ubuntu):
status: Confirmed → Fix Released
tags: added: regression-release
Revision history for this message
Martin Pitt (pitti) wrote :

Sponsored.

Changed in dvipdfmx (Ubuntu Jaunty):
importance: Undecided → High
status: New → In Progress
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Martin Pitt (pitti) wrote :

Accepted into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Revision history for this message
Fumihito YOSHIDA (hito) wrote :

I sent a call for testing to the Japanese LoCo, and I received feedback that -proposed solves the problem.

-proposed works for us; it's good.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dvipdfmx - 1:20080607-1ubuntu1

---------------
dvipdfmx (1:20080607-1ubuntu1) jaunty-proposed; urgency=low

  * Fix wrong access CMAP_SIG_MAX array (LP: #372217)

 -- Ikuya Awashiro <email address hidden> Tue, 12 May 2009 12:59:49 +0000

Changed in dvipdfmx (Ubuntu Jaunty):
status: Fix Committed → Fix Released