Comment 2 for bug 14171

Debian Bug Importer (debzilla) wrote :

Message-ID: <20050318091619.GD2460@preusse>
Date: Fri, 18 Mar 2005 10:16:19 +0100
From: Hilmar Preusse <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)

--69pVuxX8awAiJ7fD
Content-Type: multipart/mixed; boundary="i9LlY+UWpKt15+FH"
Content-Disposition: inline

--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: tetex-bin
Version: 2.0.2-26
Severity: critical
Tags: security

Hi all,

As recently discovered, the patch which fixed CAN-2004-0888 seems to
be broken on all 64-bit platforms (tested only on ia64 though).[1]

Attached are two patches, which should fix that. They are simply
stolen from the RedHat BTS.[2]

H.

[1] e.g.: http://www.auscert.org.au/render.html?it=4887
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393
--=20
sigmentation fault

--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CAN-2005-0206-1.diff"

@@ -186,6 +192,11 @@
       }
       if (start >= pagesSize) {
        pagesSize += 32;
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }

--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CAN-2005-0206.diff"
Content-Transfer-Encoding: quoted-printable

--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700
+++ XRef.cc 2004-09-25 17:59:36.000000000 -0700
@@ -76,6 +76,12 @@
=20
   // trailer is ok - read the xref table
   } else {
+ if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D size) {
+ error(-1, "Invalid 'size' inside xref table.");
+ ok =3D gFalse;
+ errCode =3D errDamaged;
+ return;
+ }
     entries =3D (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
     for (i =3D 0; i < size; ++i) {
       entries[i].offset =3D 0xffffffff;
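Review bot: The guard `size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size` only fires if the signed product wraps, and signed overflow is undefined behaviour, so an optimising compiler is entitled to treat the comparison as always false and drop the check; the same construct is repeated in the hunks at @@ -267/+273, @@ -410/+420 and @@ -431/+445 below and in both Catalog.cc hunks. A form that never overflows is `if (size < 0 || size > INT_MAX / (int)sizeof(XRefEntry)) {`, which also rejects a negative `/Size` explicitly instead of relying on the unsigned conversion in the division. The reason the `(int)` cast is needed at all is presumably that the allocator takes an `int` byte count, so a product computed in 64-bit `size_t` would pass the old check and still be truncated at the call; if so, a line such as `// multiply in int on purpose: gmalloc takes an int byte count` would stop the next maintainer from "fixing" the cast away. The constructor this hunk patches continues outside the hunk.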
@@ -267,6 +273,10 @@
     // table size
     if (first + n > size) {
       newSize =3D size + 256;
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize) {
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
       entries =3D (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntr=
y));
       for (i =3D size; i < newSize; ++i) {
  entries[i].offset =3D 0xffffffff;
@@ -410,6 +420,10 @@
      if (!strncmp(p, "obj", 3)) {
        if (num >=3D size) {
   newSize =3D (num + 1 + 255) & ~255;
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize=
) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
   entries =3D (XRefEntry *)
               grealloc(entries, newSize * sizeof(XRefEntry));
   for (i =3D size; i < newSize; ++i) {
@@ -431,6 +445,11 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen =3D=3D streamEndsSize) {
  streamEndsSize +=3D 64;
+ if (streamEndsSize*(int)sizeof(int)/sizeof(int) !=3D streamEndsSiz=
e) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
+
  streamEnds =3D (Guint *)grealloc(streamEnds,
            streamEndsSize * sizeof(int));
       }
--- Catalog.cc.orig 2004-09-18 00:14:15.000000000 -0700
+++ Catalog.cc 2004-09-25 18:19:55.000000000 -0700
@@ -63,6 +63,12 @@
   }
   pagesSize =3D numPages0 =3D obj.getInt();
   obj.free();
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) !=3D pagesSize) {
+ error(-1, "Invalid 'pagesSize'");
+ ok =3D gFalse;
+ return;
+ }
   pages =3D (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs =3D (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i =3D 0; i < pagesSize; ++i) {
@@ -190,6 +196,10 @@
       }
       if (start >=3D pagesSize) {
  pagesSize +=3D 32;
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
  pages =3D (Page **)grealloc(pages, pagesSize * sizeof(Page *));
  pageRefs =3D (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
  for (j =3D pagesSize - 32; j < pagesSize; ++j) {
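Review bot: The guard added here checks only the `Page *` product, but the two lines after it reallocate both `pages` and `pageRefs`, and `pageRefs` is sized with `sizeof(Ref)`; the first Catalog.cc hunk (@@ -63) and the separate CAN-2005-0206-1.diff attachment check both products, so this hunk is the odd one out. Unless `sizeof(Ref)` is known never to exceed `sizeof(Page *)`, the condition should match the other two: `if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||` followed by `    pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {`. The `err3` label the guard jumps to is outside the hunk, so its cleanup path cannot be checked here.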

--i9LlY+UWpKt15+FH--

--69pVuxX8awAiJ7fD
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Cygwin)

iQB1AwUBQjqcYjwKFtukZhFxAQJAOAMAlgvHmkWGZrgGbMLVeGaiCQeejtE+qrpu
wn32afijizSTDe+RMWNEyZ106ucUQQneYpRGASy7la3LcwvEvWA8WH/MGnoSmKPS
Vl/2CJS4t6vYtK3q6rWxtSDWRG2lcAcq
=NL70
-----END PGP SIGNATURE-----

--69pVuxX8awAiJ7fD--