Message-ID: <email address hidden>
Date: Thu, 08 Dec 2005 17:28:15 +0100
From: Frank Küster <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Martin Pitt <email address hidden> wrote:
> OK, you can now find the 3.0 debdiff at
>
> http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff
Thank you, I've added this.
> it might be interesting for you to get the CVE numbers in the
> changelog right. (Please do mention the CVE numbers to ease tracking.)
Thanks, sorry that I forgot it in the upload.
But I have more bad news. While looking at the patches, I noticed that
the patch for CAN-2004-0888 in tetex 3.0 still has the flaws in the
upstream/KDE/whoever patch. It does buffer overflow checks that some
compilers will simply optimize away ( if (size * sizeof(int)/sizeof(int)
!= size) and the like). In the upload to unstable back then, which was
2.0.2, we changed this to size >= MAX_INT / sizeof(int), but I obviously
did not do this in our copy.
I have started to fix this, see
http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CAN-2004-0888?op=diff&rev=0&sc=0
however since the codebase differs I cannot simply use the patch from
tetex 2.0.2. Unfortunately, I don't have the original patch against 3.00
left, and I also cannot find it on the net.
It also seems that there are some buffer overflows in 3.00 that do not
have any tests, e.g. in XRef.cc, line 391 after patch-CAN-2004-0888 has
been applied. Or is such a check
if (newSize < 0) {
goto err1;
}
enough to detect an integer overflow, because newSize is signed? 3.01
uses greallocn there.
Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
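The allocation-size checks discussed in the message above, written out in C as an added example (this is not xpdf's, KDE's or the Debian patch's code): a pre-multiplication bound of the `size >= MAX_INT / sizeof(...)` shape, a greallocn-style checked reallocation built on it, and the bare `newSize < 0` sign test beside it, so the two can be compared on the same input. The `Entry` struct, the function names and the table-growing routine are assumptions for illustration; `checked_reallocn` follows the interface shape of a greallocn-style helper (an object count and an object size, both `int`) but is not a copy of xpdf 3.01's implementation. The bound is checked by division before anything is multiplied, so there is no overflowing expression for a compiler to reason away.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record standing in for an xref entry; only its size matters. */
typedef struct {
    long long offset;
    int gen;
    int type;
} Entry;

/* Pre-multiplication bound (the "size >= MAX_INT / sizeof(int)" shape):
 * returns 1 if nObjs * objSize could not be represented as an int.
 * No product is formed, so there is no overflow to "optimise" around. */
int count_too_large(int nObjs, size_t objSize) {
    if (objSize == 0) return 1;           /* nonsense object size */
    if (nObjs < 0) return 1;              /* negative count is never valid */
    return (size_t)nObjs >= (size_t)INT_MAX / objSize;
}

/* The bare sign test, i.e. what "if (newSize < 0) goto err1;" decides.
 * It says nothing about whether newSize * objSize still fits in an int. */
int sign_check_passes(int newSize) {
    return newSize >= 0;
}

/* greallocn-style checked reallocation (interface shape only, not xpdf's
 * code): rejects any (nObjs, objSize) pair whose byte count could not be
 * represented before realloc() is ever called. Returns NULL on a bogus
 * size instead of aborting so it can be exercised from a test. */
void *checked_reallocn(void *p, int nObjs, int objSize) {
    if (nObjs == 0) { free(p); return NULL; }
    if (objSize <= 0 || count_too_large(nObjs, (size_t)objSize)) return NULL;
    return realloc(p, (size_t)nObjs * (size_t)objSize);
}

/* Grow an Entry table so that indices first .. first+n-1 are valid, the way
 * an xref-table parser would. Returns 1 on success, 0 if the request is
 * rejected (addition overflow, byte-count overflow, or realloc failure). */
int grow_entries(Entry **entries, int *size, int first, int n) {
    int newSize;
    Entry *tmp;
    if (first < 0 || n < 0 || first > INT_MAX - n) return 0;  /* first+n wraps */
    newSize = first + n;
    if (newSize <= *size) return 1;                           /* already big enough */
    tmp = (Entry *)checked_reallocn(*entries, newSize, (int)sizeof(Entry));
    if (tmp == NULL) return 0;
    memset(tmp + *size, 0, (size_t)(newSize - *size) * sizeof(Entry));
    *entries = tmp;
    *size = newSize;
    return 1;
}

/* Runs a grow sequence end to end on constructed inputs. Returns the final
 * table size (10) when every accept/reject decision is as expected, -1 otherwise. */
int demo_grow(void) {
    Entry *e = NULL;
    int sz = 0;
    int ok = 1;
    ok &= grow_entries(&e, &sz, 0, 10) && sz == 10;      /* plain growth */
    ok &= grow_entries(&e, &sz, 5, 3) && sz == 10;       /* fits, no realloc */
    ok &= !grow_entries(&e, &sz, INT_MAX, 1);            /* first + n wraps */
    ok &= !grow_entries(&e, &sz, 10, INT_MAX / 4);       /* positive, bytes overflow */
    free(e);
    return ok ? sz : -1;
}

int main(void) {
    int big = INT_MAX / 16 + 1;   /* positive, yet 16 * big does not fit in an int */
    printf("newSize=%d: sign check %s, bound check %s\n", big,
           sign_check_passes(big) ? "passes" : "fails",
           count_too_large(big, 16) ? "rejects" : "accepts");
    printf("demo_grow -> %d\n", demo_grow());
    return 0;
}
```

The value `INT_MAX / 16 + 1` is the case the sign test cannot see: it is positive, so `newSize < 0` is false, but multiplied by a 16-byte object it exceeds `INT_MAX`, which the division-based bound rejects without computing the product.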