From: Martin Pitt <email address hidden>
To: Frank Küster <email address hidden>
Cc: Martin Pitt <email address hidden>, <email address hidden>,
    Florian Weimer <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 9 Dec 2005 17:21:14 +0100
Message-ID: <email address hidden>

Hi Frank, hi Florian!

Frank Küster [2005-12-08 13:17 +0100]:
> Martin Pitt <email address hidden> wrote:
> 
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
> 
> We have the same flaw in our upload. Would you be so kind and check the
> updated patch at
> 
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0

After discovering that the same flawed multiplication is also present
in upstream's other two patches, I decided to completely rework the
patch.

I attach the debdiff with separated out changelog. Florian, maybe you
can peer-review the patch?
Thanks!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
Attachment: tetex-bin.CVE-2005-3191_2_3.diff (text/plain)
  * SECURITY UPDATE: Multiple integer/buffer overflows in embedded xpdf code.
  * Add debian/patches/patch-CVE-2005-3191+2+3.patch:
  * xpdf/Stream.cc, DCTStream::readBaselineSOF(),
    DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
    - Check numComps for invalid values.
    - http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
    - CVE-2005-3191
  * xpdf/Stream.cc, StreamPredictor::StreamPredictor():
    - Check rowBytes for invalid values.
    - http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities
    - CVE-2005-3192
  * xpdf/JPXStream.cc, JPXStream::readCodestream():
    - Check img.nXTiles * img.nYTiles * sizeof for integer overflow.
    - http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities
    - CVE-2005-3193
diff -u tetex-bin-3.0/debian/patches/series tetex-bin-3.0/debian/patches/series
--- tetex-bin-
+++ tetex-bin-
@@ -11,0 +12 @@
+patch-
--- tetex-bin-
+++ tetex-bin-
@@ -0,0 +1,153 @@
+--- tetex-bin-
++++ tetex-bin-
+@@ -7,6 +7,7 @@
+ //=3D=3D=
=3D=3D=
=3D=3D=
+=20
+ #include <aconf.h>
++#include <limits.h>
+=20
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -666,7 +667,7 @@ GBool JPXStream:
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+=20
+ //----- main header
+ haveSIZ =3D haveCOD =3D haveQCD =3D haveSOT =3D gFalse;
+@@ -701,8 +702,18 @@ GBool JPXStream:
+ / img.xTileSize;
+ img.nYTiles =3D (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- img.tiles =3D (JPXTile *)gmalloc(
+- sizeof(JPXTile));
++ // check for overflow before allocating memory
++ if (img.nXTiles <=3D 0 || img.nYTiles <=3D 0 ||
++ img.nXTiles >=3D INT_MAX/
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ nTiles =3D img.nXTiles * img.nYTiles;
++ if (nTiles >=3D INT_MAX/
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles =3D (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+ for (i =3D 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[
+ sizeof(
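Review bot: the zero tests `img.nXTiles <= 0 || img.nYTiles <= 0` compare Guint (unsigned) values against 0, so `<= 0` is just `== 0`; writing `== 0` says what is meant and avoids a signed/unsigned comparison warning. The overflow guard itself has the right shape: it divides before multiplying and bounds by INT_MAX because gmalloc takes an int, and it covers both the nXTiles * nYTiles product and the later multiplication by sizeof(JPXTile). Two smaller points: the loop in the trailing context still recomputes `img.nXTiles * img.nYTiles` instead of using the validated `nTiles`, and the per-tile gmalloc inside that loop body (`img.tiles[...]` ... `sizeof(...)`, cut off in this copy) multiplies img.nComps, another value taken from the SIZ marker, without a matching bound.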
+--- tetex-bin-
++++ tetex-bin-
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -412,13 +413,28 @@ StreamPredictor
+ width =3D widthA;
+ nComps =3D nCompsA;
+ nBits =3D nBitsA;
++ predLine =3D NULL;
++ ok =3D gFalse;
+=20
++ if (width <=3D 0 || nComps <=3D 0 || nBits <=3D 0 ||
++ nComps >=3D INT_MAX/nBits ||
++ width >=3D INT_MAX/
++ return;
++ }
+ nVals =3D width * nComps;
++ if (nVals + 7 <=3D 0) {
++ return;
++ }
+ pixBytes =3D (nComps * nBits + 7) >> 3;
+ rowBytes =3D ((nVals * nBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine =3D (Guchar *)gmalloc(
+ memset(predLine, 0, rowBytes);
+ predIdx =3D rowBytes;
++
++ ok =3D gTrue;
+ }
+=20
+ StreamPredictor
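Review bot: the early returns leave nVals, pixBytes, rowBytes and predIdx unset and rely on every creator of a StreamPredictor calling isOk() and discarding the object; this patch updates the two constructors in this file (LZWStream and FlateStream below), so any other `new StreamPredictor` site in the tree needs the same treatment, otherwise lookChar()/getChar() run with predLine == NULL. Separately, `nVals + 7 <= 0` and `rowBytes < 0` detect signed overflow only after it has happened, which is undefined behaviour in C++ even though compilers of the day produce the wrapped value; since `width >= INT_MAX/...` already bounds the product, a well-defined alternative is to require the product to be at most INT_MAX - 7 up front and drop the post-hoc tests. Setting `predLine = NULL` before the first return is right, as it lets the destructor run safely on a rejected object.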
+@@ -1012,6 +1028,10 @@ LZWStream:
+ FilterStream(strA) {
+ if (predictor !=3D 1) {
+ pred =3D new StreamPredictor
++ if (!pred->isOk()) {
++ delete pred;
++ pred =3D NULL;
++ }
+ } else {
+ pred =3D NULL;
+ }
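Review bot: when isOk() fails, the predictor is deleted and `pred = NULL`, so decoding continues as if /Predictor were 1 for a stream whose parameters were just rejected; that is memory-safe, but it silently produces garbage output instead of reporting a malformed stream. Consider recording the failure (for example an error() call here, or an `ok` flag on the stream) so the caller can tell a rejected stream from a valid unpredicted one. The same applies to the identical FlateStream hunk below.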
+@@ -2897,6 +2917,10 @@ GBool DCTStream:
+ height =3D read16();
+ width =3D read16();
+ numComps =3D str->getChar();
++ if (numComps <=3D 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec !=3D 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
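Review bot: the error() call passes `prec` as a varargs argument, but the format string "Bad number of components in DCT stream" has no conversion, so the value is silently dropped; either remove the argument or make it useful, e.g. `error(getPos(), "Bad number of components in DCT stream: %d", numComps);`. The bound itself (1..4) matches the fixed-size component table that numComps indexes, and this baseline-SOF path is the one the upstream patch already covered.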
+@@ -2923,6 +2947,10 @@ GBool DCTStream:
+ height =3D read16();
+ width =3D read16();
+ numComps =3D str->getChar();
++ if (numComps <=3D 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec !=3D 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
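Review bot: this is the readProgressiveSOF() check that the upstream patch omitted (the thread's original complaint), so the two SOF readers are now consistent; the same stray `prec` argument to error() as in the baseline hunk appears here and should be dropped or replaced by numComps.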
+@@ -2945,6 +2973,10 @@ GBool DCTStream:
+=20
+ length =3D read16() - 2;
+ scanInfo.numComps =3D str->getChar();
++ if (scanInfo.numComps <=3D 0 || scanInfo.numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ --length;
+ if (length !=3D 2 * scanInfo.numComps + 3) {
+ error(getPos(), "Bad DCT scan info block");
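Review bot: the new bound only enforces the hard array limit of 4; a scan cannot legitimately reference more components than the frame header declared, so `scanInfo.numComps > numComps` (the value validated by the two SOF hunks above) would be the tighter and more meaningful rejection, after which the existing `length != 2 * scanInfo.numComps + 3` test in the trailing context catches inconsistent segment lengths. Unlike the SOF hunks, the error() call here carries no extra argument, which is the form to keep.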
+@@ -3255,6 +3287,10 @@ FlateStream:
+ FilterStream(strA) {
+ if (predictor !=3D 1) {
+ pred =3D new StreamPredictor
++ if (!pred->isOk()) {
++ delete pred;
++ pred =3D NULL;
++ }
+ } else {
+ pred =3D NULL;
+ }
+--- tetex-bin-
++++ tetex-bin-
+@@ -233,6 +233,8 @@ public:
+=20
+ ~StreamPredictor();
+=20
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+=20
+@@ -250,6 +252,7 @@ private:
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+=20
+ //-----
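The three size checks the attached patch adds, as an added example in C that is not part of the patch, of xpdf or of tetex-bin: a divide-before-multiply helper applied to the JPX tile array (CVE-2005-3193), the StreamPredictor row buffer (CVE-2005-3192) and the DCT component counts (CVE-2005-3191), plus the wrapped product the original code computed so the "flawed multiplication" can be seen. Function names, the JPXTile stand-in struct, the restriction of nBits to PDF's BitsPerComponent values and the scan-versus-frame component bound are assumptions of this example; INT_MAX is the bound because gmalloc takes an int, and the wrapped-product demonstration assumes a 32-bit unsigned int.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Added example (not from the tetex-bin patch or xpdf): the three size
 * computations the patch guards, written as standalone functions so the
 * overflow cases can be exercised. Types mirror the xpdf originals:
 * Guint tile counts, int width/nComps/nBits, and an allocator that takes
 * an int (gmalloc), which is why INT_MAX is the bound throughout. */

typedef unsigned int Guint;

/* Hypothetical stand-in for xpdf's JPXTile; only its size matters here. */
typedef struct { unsigned char opaque[64]; } JPXTile;

/* Check that a*b fits an int-sized allocation BEFORE multiplying, using
 * division. Testing the product afterwards (as the upstream patches did)
 * is too late: unsigned products wrap silently and signed ones overflow
 * with undefined behaviour, so a post-hoc test can be handed a small value. */
static bool mul_fits_int(size_t a, size_t b, size_t *out) {
    if (a == 0 || b == 0) {
        *out = 0;
        return true;
    }
    if (a > (size_t)INT_MAX / b) {
        return false;
    }
    *out = a * b;
    return true;
}

/* What the original code computed: the wrapped Guint product. Unsigned
 * wrap-around is well defined in C, so this shows the value a post-hoc
 * check would have seen (0 for 65536 x 65536 with a 32-bit Guint). */
Guint jpx_tile_count_wrapped(Guint nXTiles, Guint nYTiles) {
    return nXTiles * nYTiles;
}

/* CVE-2005-3193 case: byte size of the JPX tile array from the SIZ marker.
 * Returns 0 when a tile count is zero or the size would not fit an int. */
size_t jpx_tile_alloc_size(Guint nXTiles, Guint nYTiles) {
    size_t nTiles, bytes;
    if (nXTiles == 0 || nYTiles == 0) return 0;
    if (!mul_fits_int(nXTiles, nYTiles, &nTiles)) return 0;
    if (!mul_fits_int(nTiles, sizeof(JPXTile), &bytes)) return 0;
    return bytes;
}

/* CVE-2005-3192 case: StreamPredictor row buffer. Mirrors xpdf's formula
 *   pixBytes = (nComps*nBits + 7) >> 3
 *   rowBytes = ((nVals*nBits + 7) >> 3) + pixBytes,  nVals = width*nComps
 * but proves width*nComps*nBits (plus the +7) fits before computing it.
 * Returns -1 for rejected parameters. */
int predictor_row_bytes(int width, int nComps, int nBits) {
    size_t nVals, nValBits, pixBytes, rowBytes;
    if (width <= 0 || nComps <= 0 || nBits <= 0) return -1;
    /* Assumption: only the BitsPerComponent values PDF allows are accepted. */
    if (nBits != 1 && nBits != 2 && nBits != 4 && nBits != 8 && nBits != 16) {
        return -1;
    }
    if (!mul_fits_int((size_t)width, (size_t)nComps, &nVals)) return -1;
    if (!mul_fits_int(nVals, (size_t)nBits, &nValBits)) return -1;
    if (nValBits > (size_t)INT_MAX - 7) return -1;      /* headroom for the +7 */
    /* nComps*nBits <= nVals*nBits because width >= 1, so this cannot overflow */
    pixBytes = ((size_t)nComps * (size_t)nBits + 7) >> 3;
    rowBytes = ((nValBits + 7) >> 3) + pixBytes;
    return (int)rowBytes;   /* both terms are <= INT_MAX/8, so the sum fits */
}

/* CVE-2005-3191 case: DCT component counts. xpdf keeps component info in a
 * fixed array of 4, so the frame (SOF) count must be 1..4, and a scan (SOS)
 * should not reference more components than the frame declared. */
bool dct_frame_comps_ok(int numComps) {
    return numComps >= 1 && numComps <= 4;
}

bool dct_scan_comps_ok(int frameComps, int scanComps) {
    return dct_frame_comps_ok(frameComps) && scanComps >= 1 && scanComps <= frameComps;
}
```

The pattern worth keeping from this is the shape of the guard: compare one factor against `INT_MAX / other_factor` and only then multiply, so that the value handed to the allocator is never the result of a wrapped or undefined multiplication; the same helper serves all three fixes, which is why the example folds them into one block.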