Debian
tetex-bin package

Bug #26650
Comment #52

Comment 52 for bug 26650

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-12-09:

#52

Message-ID: <email address hidden>
Date: Fri, 9 Dec 2005 17:21:14 +0100
From: Martin Pitt <email address hidden>
To: Frank =?iso-8859-1?Q?K=FCster?= <email address hidden>
Cc: Martin Pitt <email address hidden>, <email address hidden>,
Florian Weimer <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

--QHhm1I6mwQR20oIa
Content-Type: multipart/mixed; boundary="IUSVF+LtaR4kWxuH"
Content-Disposition: inline

--IUSVF+LtaR4kWxuH
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Frank, hi Florian!

Frank K=FCster [2005-12-08 13:17 +0100]:
> Martin Pitt <email address hidden> wrote:
>=20
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
>=20
> We have the same flaw in our upload. Would you be so kind and check the
> updated patch at=20
>=20
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch=
-CVE-2005-3191+2+3?op=3Dfile&rev=3D0&sc=3D0

After discovering that the same flawed multiplication is also present
in upstream's other two patches, I decided to completely rework the
patch.

I attach the debdiff with separated out changelog. Florian, maybe you
can peer-review the patch?

Thanks!

Martin
--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

--IUSVF+LtaR4kWxuH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="tetex-bin.CVE-2005-3191_2_3.diff"
Content-Transfer-Encoding: quoted-printable

* SECURITY UPDATE: Multiple integer/buffer overflows in embedded xpdf code.
* Add debian/patches/patch-CVE-2005-3191+2+3.patch:
* xpdf/Stream.cc, DCTStream::readBaselineSOF(),
   DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
   - Check numComps for invalid values.
   - http://www.idefense.com/application/poi/display?id=3D342&type=3Dvulner=
abilities
   - CVE-2005-3191
* xpdf/Stream.cc, StreamPredictor::StreamPredictor():
   - Check rowBytes for invalid values.
   - http://www.idefense.com/application/poi/display?id=3D344&type=3Dvulner=
abilities
   - CVE-2005-3192
  * xpdf/JPXStream.cc, JPXStream::readCodestream():
    - Check img.nXTiles * img.nYTiles * sizeof for integer overflow.
    - http://www.idefense.com/application/poi/display?id=3D345&type=3Dvulne=
rabilities
    - CVE-2005-3193

diff -u tetex-bin-3.0/debian/patches/series tetex-bin-3.0/debian/patches/se=
ries
--- tetex-bin-3.0/debian/patches/series
+++ tetex-bin-3.0/debian/patches/series
@@ -11,0 +12 @@
+patch-CVE-2005-3191+2+3
--- tetex-bin-3.0.orig/debian/patches/patch-CVE-2005-3191+2+3
+++ tetex-bin-3.0/debian/patches/patch-CVE-2005-3191+2+3
@@ -0,0 +1,153 @@
+--- tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc
++++ tetex-bin-3.0.new/libs/xpdf/xpdf/JPXStream.cc
+@@ -7,6 +7,7 @@
+ //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+=20
+ #include <aconf.h>
++#include <limits.h>
+=20
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -666,7 +667,7 @@ GBool JPXStream::readCodestream(Guint le
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+=20
+ //----- main header
+ haveSIZ =3D haveCOD =3D haveQCD =3D haveSOT =3D gFalse;
+@@ -701,8 +702,18 @@ GBool JPXStream::readCodestream(Guint le
+ / img.xTileSize;
+ img.nYTiles =3D (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- img.tiles =3D (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+- sizeof(JPXTile));
++ // check for overflow before allocating memory
++ if (img.nXTiles <=3D 0 || img.nYTiles <=3D 0 ||
++ img.nXTiles >=3D INT_MAX/img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ nTiles =3D img.nXTiles * img.nYTiles;
++ if (nTiles >=3D INT_MAX/sizeof(JPXTile)) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles =3D (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+ for (i =3D 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps =3D (JPXTileComp *)gmalloc(img.nComps *
+ sizeof(JPXTileComp));
+--- tetex-bin-3.0/libs/xpdf/xpdf/Stream.cc
++++ tetex-bin-3.0.new/libs/xpdf/xpdf/Stream.cc
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -412,13 +413,28 @@ StreamPredictor::StreamPredictor(Stream=20
+ width =3D widthA;
+ nComps =3D nCompsA;
+ nBits =3D nBitsA;
++ predLine =3D NULL;
++ ok =3D gFalse;
+=20
++ if (width <=3D 0 || nComps <=3D 0 || nBits <=3D 0 ||
++ nComps >=3D INT_MAX/nBits ||
++ width >=3D INT_MAX/nComps/nBits) {
++ return;
++ }
+ nVals =3D width * nComps;
++ if (nVals + 7 <=3D 0) {
++ return;
++ }
+ pixBytes =3D (nComps * nBits + 7) >> 3;
+ rowBytes =3D ((nVals * nBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine =3D (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx =3D rowBytes;
++
++ ok =3D gTrue;
+ }
+=20
+ StreamPredictor::~StreamPredictor() {
+@@ -1012,6 +1028,10 @@ LZWStream::LZWStream(Stream *strA, int p
+ FilterStream(strA) {
+ if (predictor !=3D 1) {
+ pred =3D new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred =3D NULL;
++ }
+ } else {
+ pred =3D NULL;
+ }
+@@ -2897,6 +2917,10 @@ GBool DCTStream::readBaselineSOF() {
+ height =3D read16();
+ width =3D read16();
+ numComps =3D str->getChar();
++ if (numComps <=3D 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec !=3D 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2923,6 +2947,10 @@ GBool DCTStream::readProgressiveSOF() {
+ height =3D read16();
+ width =3D read16();
+ numComps =3D str->getChar();
++ if (numComps <=3D 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec !=3D 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2945,6 +2973,10 @@ GBool DCTStream::readScanInfo() {
+=20
+ length =3D read16() - 2;
+ scanInfo.numComps =3D str->getChar();
++ if (scanInfo.numComps <=3D 0 || scanInfo.numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ --length;
+ if (length !=3D 2 * scanInfo.numComps + 3) {
+ error(getPos(), "Bad DCT scan info block");
+@@ -3255,6 +3287,10 @@ FlateStream::FlateStream(Stream *strA, i
+ FilterStream(strA) {
+ if (predictor !=3D 1) {
+ pred =3D new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred =3D NULL;
++ }
+ } else {
+ pred =3D NULL;
+ }
+--- tetex-bin-3.0/libs/xpdf/xpdf/Stream.h
++++ tetex-bin-3.0.new/libs/xpdf/xpdf/Stream.h
+@@ -233,6 +233,8 @@ public:
+=20
+ ~StreamPredictor();
+=20
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+=20
+@@ -250,6 +252,7 @@ private:
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+=20
+ //------------------------------------------------------------------------

--IUSVF+LtaR4kWxuH--

--QHhm1I6mwQR20oIa
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDma75DecnbV4Fd/IRAqSrAKCq+vg9iCJtK31RkRPP0PPn2Ge7dgCg0Lof
6ULJusvtLiYlDrSVeQnJQmw=
=rCdS
-----END PGP SIGNATURE-----

--QHhm1I6mwQR20oIa--

Message-ID: <20051209162113.GR4985@piware.de>
Date: Fri, 9 Dec 2005 17:21:14 +0100
From: Martin Pitt <mpitt@debian.org>
To: Frank =?iso-8859-1?Q?K=FCster?= <frank@debian.org>
Cc: Martin Pitt <martin.pitt@canonical.com>, 342292@bugs.debian.org,
	Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

--QHhm1I6mwQR20oIa
Content-Type: multipart/mixed; boundary="IUSVF+LtaR4kWxuH"
Content-Disposition: inline

--IUSVF+LtaR4kWxuH
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Frank, hi Florian!

Frank K=FCster [2005-12-08 13:17 +0100]:
> Martin Pitt <martin.pitt@canonical.com> wrote:
>=20
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
>=20
> We have the same flaw in our upload.  Would you be so kind and check the
> updated patch at=20
>=20
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch=
-CVE-2005-3191+2+3?op=3Dfile&rev=3D0&sc=3D0

After discovering that the same flawed multiplication is also present
in upstream's other two patches, I decided to completely rework the
patch.

I attach the debdiff with separated out changelog. Florian, maybe you
can peer-review the patch?

Thanks!

Martin
--=20
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

--IUSVF+LtaR4kWxuH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="tetex-bin.CVE-2005-3191_2_3.diff"
Content-Transfer-Encoding: quoted-printable

* SECURITY UPDATE: Multiple integer/buffer overflows in embedded xpdf code.
 * Add debian/patches/patch-CVE-2005-3191+2+3.patch:
 * xpdf/Stream.cc, DCTStream::readBaselineSOF(),
   DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
   - Check numComps for invalid values.
   - http://www.idefense.com/application/poi/display?id=3D342&type=3Dvulner=
abilities
   - CVE-2005-3191
 * xpdf/Stream.cc, StreamPredictor::StreamPredictor():
   - Check rowBytes for invalid values.
   - http://www.idefense.com/application/poi/display?id=3D344&type=3Dvulner=
abilities
   - CVE-2005-3192
  * xpdf/JPXStream.cc, JPXStream::readCodestream():
    - Check img.nXTiles * img.nYTiles * sizeof for integer overflow.
    - http://www.idefense.com/application/poi/display?id=3D345&type=3Dvulne=
rabilities
    - CVE-2005-3193

diff -u tetex-bin-3.0/debian/patches/series tetex-bin-3.0/debian/patches/se=
ries
--- tetex-bin-3.0/debian/patches/series
+++ tetex-bin-3.0/debian/patches/series
@@ -11,0 +12 @@
+patch-CVE-2005-3191+2+3
--- tetex-bin-3.0.orig/debian/patches/patch-CVE-2005-3191+2+3
+++ tetex-bin-3.0/debian/patches/patch-CVE-2005-3191+2+3
@@ -0,0 +1,153 @@
+--- tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc
++++ tetex-bin-3.0.new/libs/xpdf/xpdf/JPXStream.cc
+@@ -7,6 +7,7 @@
+ //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+=20
+ #include <aconf.h>
++#include <limits.h>
+=20
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -666,7 +667,7 @@ GBool JPXStream::readCodestream(Guint le
+   int segType;
+   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+   Guint precinctSize, style;
+-  Guint segLen, capabilities, comp, i, j, r;
++  Guint segLen, capabilities, nTiles, comp, i, j, r;
+=20
+   //----- main header
+   haveSIZ =3D haveCOD =3D haveQCD =3D haveSOT =3D gFalse;
+@@ -701,8 +702,18 @@ GBool JPXStream::readCodestream(Guint le
+ 	            / img.xTileSize;
+       img.nYTiles =3D (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ 	            / img.yTileSize;
+-      img.tiles =3D (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+-				     sizeof(JPXTile));
++      // check for overflow before allocating memory
++      if (img.nXTiles <=3D 0 || img.nYTiles <=3D 0 ||
++              img.nXTiles >=3D INT_MAX/img.nYTiles) {
++          error(getPos(), "Bad tile count in JPX SIZ marker segment");
++          return gFalse;
++      }
++      nTiles =3D img.nXTiles * img.nYTiles;
++      if (nTiles >=3D INT_MAX/sizeof(JPXTile)) {
++       error(getPos(), "Bad tile count in JPX SIZ marker segment");
++       return gFalse;
++      }
++      img.tiles =3D (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+       for (i =3D 0; i < img.nXTiles * img.nYTiles; ++i) {
+ 	img.tiles[i].tileComps =3D (JPXTileComp *)gmalloc(img.nComps *
+ 							sizeof(JPXTileComp));
+--- tetex-bin-3.0/libs/xpdf/xpdf/Stream.cc
++++ tetex-bin-3.0.new/libs/xpdf/xpdf/Stream.cc
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -412,13 +413,28 @@ StreamPredictor::StreamPredictor(Stream=20
+   width =3D widthA;
+   nComps =3D nCompsA;
+   nBits =3D nBitsA;
++  predLine =3D NULL;
++  ok =3D gFalse;
+=20
++  if (width <=3D 0 || nComps <=3D 0 || nBits <=3D 0 ||
++      nComps >=3D INT_MAX/nBits ||
++      width >=3D INT_MAX/nComps/nBits) {
++    return;
++  }
+   nVals =3D width * nComps;
++  if (nVals + 7 <=3D 0) {
++    return;
++  }
+   pixBytes =3D (nComps * nBits + 7) >> 3;
+   rowBytes =3D ((nVals * nBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine =3D (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx =3D rowBytes;
++
++  ok =3D gTrue;
+ }
+=20
+ StreamPredictor::~StreamPredictor() {
+@@ -1012,6 +1028,10 @@ LZWStream::LZWStream(Stream *strA, int p
+     FilterStream(strA) {
+   if (predictor !=3D 1) {
+     pred =3D new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred =3D NULL;
++    }
+   } else {
+     pred =3D NULL;
+   }
+@@ -2897,6 +2917,10 @@ GBool DCTStream::readBaselineSOF() {
+   height =3D read16();
+   width =3D read16();
+   numComps =3D str->getChar();
++  if (numComps <=3D 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec !=3D 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2923,6 +2947,10 @@ GBool DCTStream::readProgressiveSOF() {
+   height =3D read16();
+   width =3D read16();
+   numComps =3D str->getChar();
++  if (numComps <=3D 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec !=3D 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2945,6 +2973,10 @@ GBool DCTStream::readScanInfo() {
+=20
+   length =3D read16() - 2;
+   scanInfo.numComps =3D str->getChar();
++  if (scanInfo.numComps <=3D 0 || scanInfo.numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   --length;
+   if (length !=3D 2 * scanInfo.numComps + 3) {
+     error(getPos(), "Bad DCT scan info block");
+@@ -3255,6 +3287,10 @@ FlateStream::FlateStream(Stream *strA, i
+     FilterStream(strA) {
+   if (predictor !=3D 1) {
+     pred =3D new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred =3D NULL;
++    }
+   } else {
+     pred =3D NULL;
+   }
+--- tetex-bin-3.0/libs/xpdf/xpdf/Stream.h
++++ tetex-bin-3.0.new/libs/xpdf/xpdf/Stream.h
+@@ -233,6 +233,8 @@ public:
+=20
+   ~StreamPredictor();
+=20
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+=20
+@@ -250,6 +252,7 @@ private:
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+=20
+ //------------------------------------------------------------------------

--IUSVF+LtaR4kWxuH--

--QHhm1I6mwQR20oIa
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDma75DecnbV4Fd/IRAqSrAKCq+vg9iCJtK31RkRPP0PPn2Ge7dgCg0Lof
6ULJusvtLiYlDrSVeQnJQmw=
=rCdS
-----END PGP SIGNATURE-----

--QHhm1I6mwQR20oIa--

Debiantetex-bin package

Comment 52 for bug 26650

Debian
tetex-bin package