Comment 13 for bug 14171

Debian Bug Importer (debzilla) wrote:

Message-ID: <email address hidden>
Date: Mon, 21 Mar 2005 10:09:36 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)

Hi!

Hilmar, where did you see patches like

+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {

in the current tetex-bin package? debian/patches/patch-CAN-2004-0888
already has correct patches. Also, "advanced static code analysis"
shows that the wrong approach is not used:

~/tex/tetex-bin-2.0.2 $ grep -r 'pagesSize.*sizeof' .
./libs/xpdf/xpdf/Catalog.cc: pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
./libs/xpdf/xpdf/Catalog.cc: pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
./libs/xpdf/xpdf/Catalog.cc: pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
./libs/xpdf/xpdf/Catalog.cc: pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
./debian/patches/patch-CAN-2004-0888:+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
./debian/patches/patch-CAN-2004-0888:+ pagesSize >= INT_MAX/sizeof(Ref)) {
./debian/patches/patch-CAN-2004-0888: pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
./debian/patches/patch-CAN-2004-0888: pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
./debian/patches/patch-CAN-2004-0888:+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
./debian/patches/patch-CAN-2004-0888:+ pagesSize >= INT_MAX/sizeof(Ref)) {
./debian/patches/patch-CAN-2004-0888: pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
./debian/patches/patch-CAN-2004-0888: pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));

At the time the patch was fixed, the new CAN number was not yet
assigned, so it does not appear in the changelog. So it would be nice
to add the CAN to the changelog.

This was the relevant upload (I think):

tetex-bin (2.0.2-24) unstable; urgency=high

  * SECURITY UPDATE: more buffer overflows in xpdf library, thanks to
    Martin Pitt <email address hidden> for the tetex-bin-specific patch, which
    fixes more integer overflows discovered by Markus Meissner
    <email address hidden>, thanks to him for discovering this.
  * Added debian/patches/patch-CAN-2004-0888. This patch contains the
    first fix included in the last upload, as well as the additional fixes
    from this upload, which are:
  [...]

Please close this bug.

Martin

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

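The guard the message points to in debian/patches/patch-CAN-2004-0888 (compare against INT_MAX/sizeof before multiplying, rather than multiply and divide back), lifted into a reusable helper and applied to the pages/pageRefs growth from Catalog.cc. This is an added example, not code from tetex-bin or the Debian patch; the Page and Ref types are assumed stand-ins whose only relevant property is their size, and realloc stands in for grealloc.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* Assumed stand-ins for xpdf's Page and Ref; only sizeof() matters here. */
typedef struct { int num; int gen; } Ref;
typedef struct Page Page;

/* The patch's check as a helper: pagesSize is an int (as in Catalog.cc), so
 * pagesSize * sizeof(T) must fit in an int. Dividing INT_MAX first means the
 * comparison itself can never overflow, unlike the rejected form
 * "pagesSize*(int)sizeof(T)/sizeof(T) != pagesSize", which relies on signed
 * overflow (undefined behaviour) actually happening. */
static int page_count_fits(int pagesSize, size_t elemSize)
{
    if (pagesSize < 0)
        return 0;
    return (size_t)pagesSize < INT_MAX / elemSize;
}

/* Grow both arrays the way Catalog.cc does, refusing any count whose byte
 * size would wrap. Returns 1 on success, 0 on failure; on failure the
 * caller's pointers remain valid (possibly with *pages already enlarged). */
static int grow_page_arrays(Page ***pages, Ref **pageRefs, int newSize)
{
    Page **np;
    Ref *nr;

    if (!page_count_fits(newSize, sizeof(Page *)) ||
        !page_count_fits(newSize, sizeof(Ref)))
        return 0;

    np = realloc(*pages, (size_t)newSize * sizeof(Page *));
    if (np == NULL)
        return 0;
    *pages = np;

    nr = realloc(*pageRefs, (size_t)newSize * sizeof(Ref));
    if (nr == NULL)
        return 0;
    *pageRefs = nr;
    return 1;
}
```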