Frank Küster wrote:
> I'm currently preparing an upload of tetex-bin linked against libpoppler.
I'm attaching the current patch against the version in sarge. Please
let me know which version in sid fixes these problems.
The corresponding CVE names are:
CVE IDs : CAN-2005-3191 CAN-2005-3192 CVE-2005-3624 CVE-2005-3625
CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
Regards,
Joey
--
Never trust an operating system you don't have source for!
Please always Cc to me when replying to me on the lists.
diff -u tetex-bin-2.0.2/debian/changelog tetex-bin-2.0.2/debian/changelog
--- tetex-bin-2.0.2/debian/changelog
+++ tetex-bin-2.0.2/debian/changelog
@@ -1,3 +1,35 @@
+tetex-bin (2.0.2-30sarge4) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Added more precautionary checks by Dirk Müller [xpdf/Stream.cc,
+ xpdf/JBIG2Stream.cc, debian/patches/patch-CVE-2005-3191]
+
+ -- Martin Schulze <joey@infodrom.org> Thu, 15 Dec 2005 17:02:52 +0100
+
+tetex-bin (2.0.2-30sarge3) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Added more precautionary checks by Martin Pitt
+
+ -- Martin Schulze <joey@infodrom.org> Mon, 12 Dec 2005 08:32:05 +0100
+
+tetex-bin (2.0.2-30sarge2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Adjusted the former patch
+ * Applied missing bits found by Ludwig Nussel
+
+ -- Martin Schulze <joey@infodrom.org> Fri, 9 Dec 2005 11:25:16 +0100
+
+tetex-bin (2.0.2-30sarge1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Partially applied patch from xpdf upstream to fix buffer overflows
+ [libs/xpdf/xpdf/Stream.cc, libs/xpdf/xpdf/Stream.h, CAN-2005-3191,
+ debian/patches/patch-CVE-2005-3191]
+
+ -- Martin Schulze <joey@infodrom.org> Thu, 8 Dec 2005 10:19:45 +0100
+
tetex-bin (2.0.2-30) unstable; urgency=low
* Restore debian/watch and don't keep the recovered control file in
diff -u tetex-bin-2.0.2/debian/rules tetex-bin-2.0.2/debian/rules
--- tetex-bin-2.0.2/debian/rules
+++ tetex-bin-2.0.2/debian/rules
@@ -57,6 +57,8 @@
patch -p1 -Ni debian/patches/patch-CAN-2005-0064
patch -p1 -NRi debian/patches/patch-mandash || true
patch -p1 -Ni debian/patches/patch-mandash
+ patch -p1 -NRi debian/patches/patch-CVE-2005-3191 || true
+ patch -p1 -Ni debian/patches/patch-CVE-2005-3191
cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./texk/
cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./utils/texinfo/
cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./config/
@@ -95,6 +97,7 @@
# Add here commands to clean up after the build process.
# Make sure all of our expected symlinks are in place
sh debian/restore-symlinks
+ patch -p1 -NRi debian/patches/patch-CVE-2005-3191 || true
patch -p1 -NRi debian/patches/patch-mandash || true
patch -p1 -NRi debian/patches/patch-CAN-2005-0064 || true
patch -p1 -NRi debian/patches/patch-CAN-2004-1125 || true
only in patch2:
unchanged:
--- tetex-bin-2.0.2.orig/debian/patches/patch-CVE-2005-3191
+++ tetex-bin-2.0.2/debian/patches/patch-CVE-2005-3191
@@ -0,0 +1,243 @@
+diff -u -p -Nr --exclude CVS tetex-bin-2.0.2.orig/libs/xpdf/xpdf/JBIG2Stream.cc tetex-bin-2.0.2/libs/xpdf/xpdf/JBIG2Stream.cc
+--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/JBIG2Stream.cc 2002-11-16 16:02:19.000000000 +0100
++++ tetex-bin-2.0.2/libs/xpdf/xpdf/JBIG2Stream.cc 2005-12-15 16:51:31.000000000 +0100
+@@ -13,6 +13,7 @@
+ #endif
+
+ #include <stdlib.h>
++#include <limits.h>
+ #include "GList.h"
+ #include "Error.h"
+ #include "JBIG2Stream.h"
+@@ -977,7 +978,14 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
+ w = wA;
+ h = hA;
+ line = (wA + 7) >> 3;
+- data = (Guchar *)gmalloc(h * line);
++
++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line)
++ data = NULL;
++ else {
++ // need to allocate one extra guard byte for use in combine()
++ data = (Guchar *)gmalloc(h * line + 1);
++ data[h * line] = 0;
++ }
+ }
+
+ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
+@@ -986,8 +994,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
+ w = bitmap->w;
+ h = bitmap->h;
+ line = bitmap->line;
+- data = (Guchar *)gmalloc(h * line);
++
++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) {
++ data = NULL;
++ return;
++ }
++
++ data = (Guchar *)gmalloc(h * line + 1);
+ memcpy(data, bitmap->data, h * line);
++ data[h * line] = 0;
+ }
+
+ JBIG2Bitmap::~JBIG2Bitmap() {
+@@ -1012,10 +1027,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
+ }
+
+ void JBIG2Bitmap::expand(int newH, Guint pixel) {
+- if (newH <= h) {
++ if (newH <= h || line <= 0 || newH >= (INT_MAX-1) / line) {
+ return;
+ }
+- data = (Guchar *)grealloc(data, newH * line);
++ data = (Guchar *)grealloc(data, newH * line + 1);
+ if (pixel) {
+ memset(data + h * line, 0xff, (newH - h) * line);
+ } else {
+@@ -2505,6 +2520,16 @@ void JBIG2Stream::readHalftoneRegionSeg(
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+ return;
+ }
++
++ if (gridH == 0 || gridW >= INT_MAX / gridH) {
++ error(getPos(), "Bad size in JBIG2 halftone segment");
++ return;
++ }
++ if (w == 0 || h >= INT_MAX / w) {
++ error(getPos(), "Bad size in JBIG2 bitmap segment");
++ return;
++ }
++
+ patternDict = (JBIG2PatternDict *)seg;
+ bpp = 0;
+ i = 1;
+@@ -3078,6 +3103,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
+ Guint ltpCX, cx, cx0, cx2, cx3, cx4, tpgrCX0, tpgrCX1, tpgrCX2;
+ int x, y, pix;
+
++ if (w < 0 || h <= 0 || w >= INT_MAX / h)
++ return NULL;
++
+ bitmap = new JBIG2Bitmap(0, w, h);
+ bitmap->clearToZero();
+
+diff -u -p -Nr --exclude CVS tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.cc tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.cc
+--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.cc 2005-12-15 16:44:06.000000000 +0100
++++ tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.cc 2005-12-15 17:02:31.000000000 +0100
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -404,18 +405,40 @@ void ImageStream::skipLine() {
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
++ int totalBits;
++
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
++ predLine = NULL;
++ ok = gFalse;
+
++ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++ nComps >= INT_MAX/nBits ||
++ width >= INT_MAX/nComps/nBits) {
++ return;
++ }
+ nVals = width * nComps;
++ if (nVals + 7 <= 0) {
++ return;
++ }
++ totalBits = nVals * nBits;
++ if (totalBits == 0 ||
++ (totalBits / nBits) / nComps != width ||
++ totalBits + 7 < 0) {
++ return;
++ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
++ ok = gTrue;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+@@ -981,6 +1004,10 @@ LZWStream::LZWStream(Stream *strA, int p
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+@@ -1226,6 +1253,12 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
+ endOfLine = endOfLineA;
+ byteAlign = byteAlignA;
+ columns = columnsA;
++
++ if (columns + 4 < 1 || (columns + 4) >= INT_MAX / sizeof(short)) {
++ error(getPos(), "Bad number of columns in CCITTFaxStream");
++ exit(1);
++ }
++
+ rows = rowsA;
+ endOfBlock = endOfBlockA;
+ black = blackA;
+@@ -2860,6 +2893,11 @@ GBool DCTStream::readBaselineSOF() {
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ numComps = 0;
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2886,6 +2924,11 @@ GBool DCTStream::readProgressiveSOF() {
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ numComps = 0;
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2908,6 +2951,11 @@ GBool DCTStream::readScanInfo() {
+
+ length = read16() - 2;
+ scanInfo.numComps = str->getChar();
++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++ scanInfo.numComps = 0;
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ --length;
+ if (length != 2 * scanInfo.numComps + 3) {
+ error(getPos(), "Bad DCT scan info block");
+@@ -2975,12 +3023,12 @@ GBool DCTStream::readHuffmanTables() {
+ while (length > 0) {
+ index = str->getChar();
+ --length;
+- if ((index & 0x0f) >= 4) {
++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
+ error(getPos(), "Bad DCT Huffman table");
+ return gFalse;
+ }
+ if (index & 0x10) {
+- index &= 0x0f;
++ index &= 0x03;
+ if (index >= numACHuffTables)
+ numACHuffTables = index+1;
+ tbl = &acHuffTables[index];
+@@ -3178,6 +3226,10 @@ FlateStream::FlateStream(Stream *strA, i
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+diff -u -p -Nr --exclude CVS tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.h tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.h
+--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.h 2005-12-15 16:44:06.000000000 +0100
++++ tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.h 2005-12-15 16:44:00.000000000 +0100
+@@ -225,6 +225,8 @@ public:
+
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+@@ -242,6 +244,7 @@ private:
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+
+ //------------------------------------------------------------------------
Attachment:
signature.asc
Description: Digital signature