Message-ID: <email address hidden>
Date: Mon, 21 Mar 2005 10:09:36 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
--k1lZvvs/B4yU6o8G
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi!
Hilmar, where did you see patches like
+ if (pagesSize* (int)sizeof( Page *)/sizeof(Page *) !=3D pagesSize || (int)sizeof( Ref)/sizeof( Ref) !=3D pagesSize) {
+ pagesSize*
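Review bot: the guard in the first `+` line, `pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize`, only detects an overflow after it has already been performed; the product is a signed int multiplication, so once it wraps the behaviour is undefined and a compiler is free to fold the comparison to false and drop the check entirely. Test before multiplying instead, e.g. `if (pagesSize >= INT_MAX/sizeof(Page *) || pagesSize >= INT_MAX/sizeof(Ref))`, which is the form debian/patches/patch-CAN-2004-0888 already uses in the grep output that follows.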
in the current tetex-bin package? debian/patches/patch-CAN-2004-0888
already has correct patches. Also, "advanced static code analysis"
shows that the wrong approach is not used:
~/tex/tetex-bin-2.0.2 $ grep -r 'pagesSize.*sizeof' .
./libs/xpdf/xpdf/Catalog.cc: pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
./libs/xpdf/xpdf/Catalog.cc: pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
./libs/xpdf/xpdf/Catalog.cc: pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
./libs/xpdf/xpdf/Catalog.cc: pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
./debian/patches/patch-CAN-2004-0888: + if (pagesSize >= INT_MAX/sizeof(Page *) ||
./debian/patches/patch-CAN-2004-0888: + pagesSize >= INT_MAX/sizeof(Ref)) {
./debian/patches/patch-CAN-2004-0888: pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
./debian/patches/patch-CAN-2004-0888: pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
./debian/patches/patch-CAN-2004-0888: + if (pagesSize >= INT_MAX/sizeof(Page *) ||
./debian/patches/patch-CAN-2004-0888: + pagesSize >= INT_MAX/sizeof(Ref)) {
./debian/patches/patch-CAN-2004-0888: pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
./debian/patches/patch-CAN-2004-0888: pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
At the time the patch was fixed, the new CAN number was not yet
assigned, so it does not appear in the changelog. So it would be nice
to add the CAN to the changelog.
This was the relevant upload (I think):
tetex-bin (2.0.2-24) unstable; urgency=high

  * SECURITY UPDATE: more buffer overflows in xpdf library, thanks to
    Martin Pitt <email address hidden> for the tetex-bin-specific patch, which
    fixes more integer overflows discovered by Markus Meissner
    <email address hidden>, thanks to him for discovering this.
  * Added debian/patches/patch-CAN-2004-0888. This patch contains the
    first fix included in the last upload, as well as the additional fixes
    from this upload, which are:
    [...]
Please close this bug.
Martin
-- 
Martin Pitt                http://www.piware.de
Ubuntu Developer           http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org
--k1lZvvs/B4yU6o8G
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCPo9QDecnbV4Fd/IRAmp8AKCzqlbeY+sXs6DdrSO+YKZPShnPwgCdGPDg
ujfOgg0b+mZ7f8hsaTKIgMQ=
=8nIL
-----END PGP SIGNATURE-----

--k1lZvvs/B4yU6o8G--
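As an added example (not code from tetex-bin, xpdf or the Debian patch), the C below shows the pre-multiplication guard that the grep output above quotes from debian/patches/patch-CAN-2004-0888, applied to a growth step shaped like the two Catalog.cc allocations, next to the multiply-then-divide check the message rejects. The type layouts and the names `Page`, `Ref`, `pages_size_ok`, `grow_pages` and `late_overflow_check` are assumptions made for this example only.

```c
/* Added example: the INT_MAX/sizeof guard from patch-CAN-2004-0888 applied
 * to a Catalog.cc-style page table. Types and names are assumed stand-ins,
 * not xpdf's own code. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Page Page;                 /* opaque, as in xpdf */
typedef struct { int num; int gen; } Ref; /* assumed layout for the example */

/* The rejected approach, kept only for contrast: it multiplies first and
 * checks afterwards. When pagesSize * sizeof(T) exceeds INT_MAX the
 * multiplication is signed overflow, i.e. undefined behaviour, so a compiler
 * may fold the whole comparison to 0. Never rely on it. */
int late_overflow_check(int pagesSize)
{
    return pagesSize * (int)sizeof(Page *) / (int)sizeof(Page *) != pagesSize ||
           pagesSize * (int)sizeof(Ref) / (int)sizeof(Ref) != pagesSize;
}

/* Guard in the form the Debian patch uses: reject pagesSize before any
 * multiplication, so pagesSize * sizeof(T) stays below INT_MAX for both
 * arrays. Returns 1 if the size is safe, 0 otherwise. */
int pages_size_ok(int pagesSize)
{
    if (pagesSize < 0)
        return 0;
    if ((size_t)pagesSize >= INT_MAX / sizeof(Page *) ||
        (size_t)pagesSize >= INT_MAX / sizeof(Ref))
        return 0;
    return 1;
}

/* Growth step in the style of Catalog.cc: double pagesSize until it is larger
 * than `need` (the page index about to be stored), then grow both arrays.
 * Returns the new pagesSize, or -1 without touching the arrays when doubling
 * would overflow int or the guard rejects the size. On allocation failure it
 * also returns -1; the arrays stay valid (pages may already be grown). */
int grow_pages(Page ***pages, Ref **pageRefs, int pagesSize, int need)
{
    int old = pagesSize > 0 ? pagesSize : 0;
    int newSize = old > 0 ? old : 1;

    while (newSize <= need) {
        if (newSize > INT_MAX / 2)      /* doubling would wrap */
            return -1;
        newSize *= 2;
    }
    if (!pages_size_ok(newSize))        /* check BEFORE computing the byte count */
        return -1;

    Page **np = realloc(*pages, (size_t)newSize * sizeof(Page *));
    if (np == NULL)
        return -1;
    *pages = np;
    Ref *nr = realloc(*pageRefs, (size_t)newSize * sizeof(Ref));
    if (nr == NULL)
        return -1;
    *pageRefs = nr;

    /* new Page slots start out NULL, meaning "not loaded yet" */
    memset(*pages + old, 0, (size_t)(newSize - old) * sizeof(Page *));
    return newSize;
}

int main(void)
{
    Page **pages = NULL;
    Ref *pageRefs = NULL;
    int n = grow_pages(&pages, &pageRefs, 0, 40);
    printf("grow to hold page 40: pagesSize=%d\n", n);
    printf("grow 2^27 -> past 2^28: %d (guard rejects)\n",
           grow_pages(&pages, &pageRefs, 1 << 27, 1 << 28));
    free(pages);
    free(pageRefs);
    return 0;
}
```

The point of `pages_size_ok` is that every operand is compared, never multiplied: `INT_MAX / sizeof(T)` is a compile-time constant, so the test cannot itself overflow, which is exactly what the multiply-then-divide form gets wrong.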