
Bug#286984: tetex-bin in woody (was: Bug#286984: tetex-bin: Vulnerable to CAN-2004-1125)



Hi Martin, hi security team (probably also Martin),

Hilmar Preusse <hille42@web.de> wrote:

> The first part of your patch doesn't fit into xpdf 0.92, however the
> second part does. I'm not sure if this part is still part of the CAN.

Indeed, I missed that. I had thought that the patch to GfxState.cc is
just to get a decent error message, and that the real security patch is
just in Gfx.cc. I missed that also in GfxState.cc, the patch changes
nCompsA (which is called nComps in tetex-bin_1.0.7's sources).

Still it seems to me as if there is no exploit in 1.0.7, but I would
like to hear comments about this from you. As stated before, the patched
code in Gfx.cc, the main point of vulnerability, simply doesn't
exist. The original code in GfxState.cc looks quite similar:

  nComps = obj2.getInt();
  obj2.free();
+  if (nCompsA > gfxColorMaxComps) {
+    error(-1, "ICCBased color space with too many (%d > %d) components",
+        nCompsA, gfxColorMaxComps);
+    nCompsA = gfxColorMaxComps;
+  }
  if (dict->lookup("Alternate", &obj2)->isNull() ||
      !(alt = GfxColorSpace::parse(&obj2))) {
    switch (nComps) {
    case 1:
      alt = new GfxDeviceGrayColorSpace();
      break;
    case 3:
      alt = new GfxDeviceRGBColorSpace();
      break;
    case 4:
      alt = new GfxDeviceCMYKColorSpace();
      break;
    default:
      error(-1, "Bad ICCBased color space - invalid N");
      obj2.free();
      obj1.free();
      return NULL;
    }
  }
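Review bot: as pasted, the three added lines use `nCompsA` while the surrounding 1.0.7 code assigns and switches on `nComps` (`nComps = obj2.getInt();` and `switch (nComps) {`), so this hunk would not compile against tetex-bin 1.0.7 without renaming the variable in the `+` lines to `nComps`. On the severity question raised around it: the `default:` branch calls `error(-1, "Bad ICCBased color space - invalid N")` and then `return NULL`, which in this C++ parse routine is the failure path (a null pointer handed back to the caller), not success; so within this function any N other than 1, 3 or 4 is already rejected, and the clamp to `gfxColorMaxComps` only changes behaviour where the unclamped value is used before that switch or after the function returns.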

Here, without the patch, nComps would not be set to its maximum value,
but everything above 4 is treated as an error. I'm confused whether
"return NULL" means an error as in Perl or success as in shell?  nComps
is also used outside this function, however.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer