Martin Pitt <email address hidden> wrote:
> OK, you can now find the 3.0 debdiff at http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff
Thank you, I've added this.
> it might be interesting for you to get the CVE numbers in the
> changelog right. (Please do mention the CVE numbers to ease tracking.)
Thanks, sorry that I forgot it in the upload.
But I have more bad news. While looking at the patches, I noticed that
the patch for CAN-2004-0888 in tetex 3.0 still has the flaws in the
upstream/KDE/whoever patch. It does buffer overflow checks that some
compilers will simply optimize away ( if (size * sizeof(int)/sizeof(int)
!= size) and the like). In the upload to unstable back then, which was
2.0.2, we changed this to size >=MAX_INT / sizeof(int), but I obviously
did not do this in our copy.
I have started to fix this, see
http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CAN-2004-0888?op=diff&rev=0&sc=0
However, since the codebase differs I cannot simply use the patch from
tetex 2.0.2. Unfortunately, I don't have the original patch against 3.00
left, and I also cannot find it on the net.
It also seems that there are some buffer overflows in 3.00 that do not
have any tests, e.g. in XRef.cc, line 391 after patch-CAN-2004-0888 has
been applied. Or is such a check
if (newSize < 0) {
    goto err1;
}
enough to detect an integer overflow, because newSize is signed? 3.01
uses greallocn there.
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
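As an added example, not code from tetex, xpdf or the Debian patch, here is the check-before-multiply pattern the mail describes written out in C, together with a greallocn-style reallocation wrapper that refuses to compute a wrapped byte count. The function names mul_fits, int_count_ok and grealloc_checked are assumed names chosen for this illustration. The point it shows: a test that inspects the product after the multiplication (the "(size * k) / k != size" form, or "newSize < 0" on a signed value) depends on the overflow having already happened, which for signed operands is undefined behaviour that a compiler may fold away; dividing the limit by the element size before multiplying never overflows, so the comparison cannot be removed.

```c
/* Added example, not from tetex or its patches.
 * Overflow-safe element-count checks done *before* computing n * elem,
 * plus a greallocn-style realloc wrapper. Assumed names: mul_fits,
 * int_count_ok, grealloc_checked. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 and stores n * elem in *out if the product fits in size_t,
 * otherwise returns 0. The division happens on the limit, so nothing here
 * can overflow and the compiler has nothing to optimize away. */
int mul_fits(size_t n, size_t elem, size_t *out)
{
    if (elem == 0) {          /* zero-sized elements: nothing to allocate */
        *out = 0;
        return 1;
    }
    if (n > SIZE_MAX / elem)  /* n * elem would wrap around */
        return 0;
    *out = n * elem;
    return 1;
}

/* The signed-int variant the mail talks about: a negative count is rejected
 * outright, and the count is bounded by INT_MAX / elem before any
 * multiplication takes place. Checking "newSize < 0" only *after* computing
 * newSize relies on signed wraparound, which C does not guarantee. */
int int_count_ok(int n, size_t elem)
{
    if (n < 0)
        return 0;
    if (elem == 0)
        return 1;
    if ((size_t)n > (size_t)INT_MAX / elem)
        return 0;
    return 1;
}

/* greallocn-style wrapper: reallocate room for n elements of size elem.
 * Returns NULL (and leaves p untouched) if the byte count would overflow. */
void *grealloc_checked(void *p, size_t n, size_t elem)
{
    size_t bytes;
    if (!mul_fits(n, elem, &bytes))
        return NULL;
    return realloc(p, bytes);
}

/* Stand-alone demo with constructed counts. */
int main(void)
{
    size_t bytes;
    printf("10 ints:      fits=%d\n", mul_fits(10, sizeof(int), &bytes));
    printf("SIZE_MAX*2:   fits=%d\n", mul_fits(SIZE_MAX, 2, &bytes));
    printf("INT_MAX ints: ok=%d\n", int_count_ok(INT_MAX, sizeof(int)));
    printf("-1 ints:      ok=%d\n", int_count_ok(-1, sizeof(int)));

    int *arr = grealloc_checked(NULL, 16, sizeof(int));
    printf("alloc 16 ints: %s\n", arr ? "ok" : "refused");
    printf("alloc SIZE_MAX shorts: %s\n",
           grealloc_checked(NULL, SIZE_MAX, sizeof(short)) ? "ok" : "refused");
    free(arr);
    return 0;
}
```

Usage note: the wrapper keeps the old pointer valid on a refused request, so a caller can free it on the error path instead of leaking, which is the same contract one wants from a reallocation helper on the "goto err1" style paths in the mail.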