Message-ID: <20050318091619.GD2460@preusse> Date: Fri, 18 Mar 2005 10:16:19 +0100 From: Hilmar Preusse <email address hidden> To: Debian Bug Tracking System <email address hidden> Subject: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
--69pVuxX8awAiJ7fD Content-Type: multipart/mixed; boundary="i9LlY+UWpKt15+FH" Content-Disposition: inline
--i9LlY+UWpKt15+FH Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable
Package: tetex-bin Version: 2.0.2-26 Severity: critical Tags: security
Hi all,
As recently discovered, the patch which fixed CAN-2004-0888 seems to be broken on all 64-bit platforms (tested only on ia64 though).[1]
Attached are two patches, which should fix that. They are simply stolen from the RedHat BTS.[2]
H.
[1] e.g.: http://www.auscert.org.au/render.html?it=4887 [2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393 -- sigmentation fault
--i9LlY+UWpKt15+FH Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="CAN-2005-0206-1.diff"
@@ -186,6 +192,11 @@
       }
       if (start >= pagesSize) {
         pagesSize += 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+            pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
--i9LlY+UWpKt15+FH Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="CAN-2005-0206.diff" Content-Transfer-Encoding: quoted-printable
--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700
+++ XRef.cc 2004-09-25 17:59:36.000000000 -0700
@@ -76,6 +76,12 @@
 =20
   // trailer is ok - read the xref table
   } else {
+    if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D size) {
+      error(-1, "Invalid 'size' inside xref table.");
+      ok =3D gFalse;
+      errCode =3D errDamaged;
+      return;
+    }
     entries =3D (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
     for (i =3D 0; i < size; ++i) {
       entries[i].offset =3D 0xffffffff;
@@ -267,6 +273,10 @@
   // table size
   if (first + n > size) {
     newSize =3D size + 256;
+    if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize) {
+      error(-1, "Invalid 'newSize'");
+      goto err2;
+    }
     entries =3D (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntr= y));
     for (i =3D size; i < newSize; ++i) {
       entries[i].offset =3D 0xffffffff;
@@ -410,6 +420,10 @@
     if (!strncmp(p, "obj", 3)) {
       if (num >=3D size) {
         newSize =3D (num + 1 + 255) & ~255;
+        if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize= ) {
+          error(-1, "Invalid 'obj' parameters.");
+          return gFalse;
+        }
         entries =3D (XRefEntry *)
           grealloc(entries, newSize * sizeof(XRefEntry));
         for (i =3D size; i < newSize; ++i) {
@@ -431,6 +445,11 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen =3D=3D streamEndsSize) {
         streamEndsSize +=3D 64;
+        if (streamEndsSize*(int)sizeof(int)/sizeof(int) !=3D streamEndsSiz= e) {
+          error(-1, "Invalid 'endstream' parameter.");
+          return gFalse;
+        }
+
         streamEnds =3D (Guint *)grealloc(streamEnds,
                                        streamEndsSize * sizeof(int));
       }
--- Catalog.cc.orig 2004-09-18 00:14:15.000000000 -0700
+++ Catalog.cc 2004-09-25 18:19:55.000000000 -0700
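Review bot: The check added in the @@ -76 hunk, `size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size`, only catches an oversized `size` if the signed int multiplication wraps, and signed overflow is undefined in C++, so an optimizing compiler is entitled to fold the comparison to false and leave the `gmalloc` call effectively unguarded. The same pattern is repeated in the @@ -267, @@ -410 and @@ -431 hunks of XRef.cc and in both Catalog.cc hunks. A test that never performs the overflowing multiplication is safer, e.g. `if (size < 0 || size > INT_MAX / (int)sizeof(XRefEntry))` ahead of the allocation, and since the same expression appears six times it would be cleaner as one small helper that takes the count and element size. Note also that `newSize = size + 256` and `newSize = (num + 1 + 255) & ~255` can themselves overflow before the new check runs when `size` or `num` come from the file unbounded. The enclosing functions start and end outside these hunks.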
@@ -63,6 +63,12 @@
   }
   pagesSize =3D numPages0 =3D obj.getInt();
   obj.free();
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) !=3D pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok =3D gFalse;
+    return;
+  }
   pages =3D (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs =3D (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i =3D 0; i < pagesSize; ++i) {
@@ -190,6 +196,10 @@
       }
       if (start >=3D pagesSize) {
         pagesSize +=3D 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
         pages =3D (Page **)grealloc(pages, pagesSize * sizeof(Page *));
         pageRefs =3D (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
         for (j =3D pagesSize - 32; j < pagesSize; ++j) {
--i9LlY+UWpKt15+FH--
--69pVuxX8awAiJ7fD Content-Type: application/pgp-signature Content-Disposition: inline
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (Cygwin) iQB1AwUBQjqcYjwKFtukZhFxAQJAOAMAlgvHmkWGZrgGbMLVeGaiCQeejtE+qrpu wn32afijizSTDe+RMWNEyZ106ucUQQneYpRGASy7la3LcwvEvWA8WH/MGnoSmKPS Vl/2CJS4t6vYtK3q6rWxtSDWRG2lcAcq =NL70 -----END PGP SIGNATURE-----
--69pVuxX8awAiJ7fD--
Message-ID: <20050318091619 .GD2460@ preusse>
Date: Fri, 18 Mar 2005 10:16:19 +0100
From: Hilmar Preusse <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
--69pVuxX8awAiJ7fD "i9LlY+ UWpKt15+ FH" Disposition: inline
Content-Type: multipart/mixed; boundary=
Content-
--i9LlY+UWpKt15+FH Disposition: inline Transfer- Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Content-
Content-
Package: tetex-bin
Version: 2.0.2-26
Severity: critical
Tags: security
Hi all,
As recently discovered, the patch which fixed CAN-2004-0888 seems to
be broken on all 64-bit platforms (tested only on ia64 though).[1]
Attached are two patches, which should fix that. They are simply
stolen from the RedHat BTS.[2]
H.
[1] e.g.: http://www.auscert.org.au/render.html?it=4887
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393
--=20
sigmentation fault
--i9LlY+UWpKt15+FH Disposition: attachment; filename= "CAN-2005- 0206-1. diff"
Content-Type: text/plain; charset=us-ascii
Content-
@@ -186,6 +192,11 @@ (int)sizeof( Page *)/sizeof(Page *) != pagesSize || (int)sizeof( Ref)/sizeof( Ref) != pagesSize) {
}
if (start >= pagesSize) {
pagesSize += 32;
+ if (pagesSize*
+ pagesSize*
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
--i9LlY+UWpKt15+FH Disposition: attachment; filename= "CAN-2005- 0206.diff" Transfer- Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Content-
Content-
--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700 int)sizeof( XRefEntry) /sizeof( XRefEntry) !=3D size) {
entries[ i].offset =3D 0xffffffff; (int)sizeof( XRefEntry) /sizeof( XRefEntry) !=3D newSize) { (int)sizeof( XRefEntry) /sizeof( XRefEntry) !=3D newSize=
grealloc( entries, newSize * sizeof(XRefEntry)); *(int)sizeof( int)/sizeof( int) !=3D streamEndsSiz= streamEnds,
streamEnds Size * sizeof(int)); (int)sizeof( Page *)/sizeof(Page *) !=3D pagesSize || (int)sizeof( Ref)/sizeof( Ref) !=3D pagesSize) { pagesSize * sizeof(Page *)); (int)sizeof( Page *)/sizeof(Page *) !=3D pagesSize) { pageRefs, pagesSize * sizeof(Ref));
+++ XRef.cc 2004-09-25 17:59:36.000000000 -0700
@@ -76,6 +76,12 @@
=20
// trailer is ok - read the xref table
} else {
+ if (size*(
+ error(-1, "Invalid 'size' inside xref table.");
+ ok =3D gFalse;
+ errCode =3D errDamaged;
+ return;
+ }
entries =3D (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
for (i =3D 0; i < size; ++i) {
@@ -267,6 +273,10 @@
// table size
if (first + n > size) {
newSize =3D size + 256;
+ if (newSize*
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
entries =3D (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntr=
y));
for (i =3D size; i < newSize; ++i) {
entries[i].offset =3D 0xffffffff;
@@ -410,6 +420,10 @@
if (!strncmp(p, "obj", 3)) {
if (num >=3D size) {
newSize =3D (num + 1 + 255) & ~255;
+ if (newSize*
) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
entries =3D (XRefEntry *)
for (i =3D size; i < newSize; ++i) {
@@ -431,6 +445,11 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen =3D=3D streamEndsSize) {
streamEndsSize +=3D 64;
+ if (streamEndsSize
e) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
+
streamEnds =3D (Guint *)grealloc(
}
--- Catalog.cc.orig 2004-09-18 00:14:15.000000000 -0700
+++ Catalog.cc 2004-09-25 18:19:55.000000000 -0700
@@ -63,6 +63,12 @@
}
pagesSize =3D numPages0 =3D obj.getInt();
obj.free();
+ if (pagesSize*
+ pagesSize*
+ error(-1, "Invalid 'pagesSize'");
+ ok =3D gFalse;
+ return;
+ }
pages =3D (Page **)gmalloc(
pageRefs =3D (Ref *)gmalloc(pagesSize * sizeof(Ref));
for (i =3D 0; i < pagesSize; ++i) {
@@ -190,6 +196,10 @@
}
if (start >=3D pagesSize) {
pagesSize +=3D 32;
+ if (pagesSize*
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
pages =3D (Page **)grealloc(pages, pagesSize * sizeof(Page *));
pageRefs =3D (Ref *)grealloc(
for (j =3D pagesSize - 32; j < pagesSize; ++j) {
--i9LlY+ UWpKt15+ FH--
--69pVuxX8awAiJ7fD pgp-signature Disposition: inline
Content-Type: application/
Content-
-----BEGIN PGP SIGNATURE-----
KFtukZhFxAQJAOA MAlgvHmkWGZrgGb MLVeGaiCQeejtE+ qrpu RMWNEyZ106ucUQQ neYpRGASy7la3Lc wvEvWA8WH/ MGnoSmKPS q6rWxtSDWRG2lcA cq
Version: GnuPG v1.4.0 (Cygwin)
iQB1AwUBQjqcYjw
wn32afijizSTDe+
Vl/2CJS4t6vYtK3
=NL70
-----END PGP SIGNATURE-----
--69pVuxX8awAiJ 7fD--