Debian
tetex-bin package

Bug #26650
Comment #37

Comment 37 for bug 26650

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-12-09:

#37

Message-ID: <email address hidden>
Date: Fri, 9 Dec 2005 10:19:51 +0100
From: Martin Pitt <email address hidden>
To: Frank =?iso-8859-1?Q?K=FCster?= <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

--+jhVVhN62yS6hEJ8
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Frank!

Frank K=FCster [2005-12-08 13:17 +0100]:
> Martin Pitt <email address hidden> wrote:
>=20
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
>=20
> We have the same flaw in our upload. Would you be so kind and check the
> updated patch at=20
>=20
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch=
-CVE-2005-3191+2+3?op=3Dfile&rev=3D0&sc=3D0
>=20
> I'm completely illerate in C++, and would like to make sure this is
> correct. =20

Bad news. A further review of Streams.cc revealed a third place where
numComps goes unchecked (I checked the whole file now, it's really the
last one). So you additionally need this hunk:

@@ -2947,6 +2974,10 @@ GBool DCTStream::readScanInfo() {

   length =3D read16() - 2;
   scanInfo.numComps =3D str->getChar();
+ if (scanInfo.numComps <=3D 0 || scanInfo.numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
   --length;
   if (length !=3D 2 * scanInfo.numComps + 3) {
     error(getPos(), "Bad DCT scan info block");

Martin
--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

--+jhVVhN62yS6hEJ8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDmUw3DecnbV4Fd/IRAt7+AJ9pMDVGX9iAVYm32Kth2vIaF1RLQgCdG7Fs
DWxut0KwwqiiFdtA2Ye430U=
=PtJ0
-----END PGP SIGNATURE-----

--+jhVVhN62yS6hEJ8--

Message-ID: <20051209091951.GG4985@piware.de>
Date: Fri, 9 Dec 2005 10:19:51 +0100
From: Martin Pitt <mpitt@debian.org>
To: Frank =?iso-8859-1?Q?K=FCster?= <frank@debian.org>
Cc: 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

--+jhVVhN62yS6hEJ8
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Frank!

Frank K=FCster [2005-12-08 13:17 +0100]:
> Martin Pitt <martin.pitt@canonical.com> wrote:
>=20
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
>=20
> We have the same flaw in our upload.  Would you be so kind and check the
> updated patch at=20
>=20
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch=
-CVE-2005-3191+2+3?op=3Dfile&rev=3D0&sc=3D0
>=20
> I'm completely illerate in C++, and would like to make sure this is
> correct. =20

Bad news. A further review of Streams.cc revealed a third place where
numComps goes unchecked (I checked the whole file now, it's really the
last one). So you additionally need this hunk:

@@ -2947,6 +2974,10 @@ GBool DCTStream::readScanInfo() {

length =3D read16() - 2;
   scanInfo.numComps =3D str->getChar();
+  if (scanInfo.numComps <=3D 0 || scanInfo.numComps > 4) {
+    error(getPos(), "Bad number of components in DCT stream");
+    return gFalse;
+  }
   --length;
   if (length !=3D 2 * scanInfo.numComps + 3) {
     error(getPos(), "Bad DCT scan info block");

Martin
--=20
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

--+jhVVhN62yS6hEJ8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDmUw3DecnbV4Fd/IRAt7+AJ9pMDVGX9iAVYm32Kth2vIaF1RLQgCdG7Fs
DWxut0KwwqiiFdtA2Ye430U=
=PtJ0
-----END PGP SIGNATURE-----

--+jhVVhN62yS6hEJ8--

Debiantetex-bin package

Comment 37 for bug 26650

Debian
tetex-bin package