Frank Küster wrote: > I'm currently preparing an upload of tetex-bin linked against libpoppler. I'm attaching the current patch against the version in sarge. Please let me know which version in sid fixes these problems. The corresponding CVE names are: CVE IDs : CAN-2005-3191 CAN-2005-3192 CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628 Regards, Joey -- Never trust an operating system you don't have source for! Please always Cc to me when replying to me on the lists.
diff -u tetex-bin-2.0.2/debian/changelog tetex-bin-2.0.2/debian/changelog --- tetex-bin-2.0.2/debian/changelog +++ tetex-bin-2.0.2/debian/changelog @@ -1,3 +1,35 @@ +tetex-bin (2.0.2-30sarge4) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Added more precautionary checks by Dirk Müller [xpdf/Stream.cc, + xpdf/JBIG2Stream.cc, debian/patches/patch-CVE-2005-3191] + + -- Martin Schulze <joey@infodrom.org> Thu, 15 Dec 2005 17:02:52 +0100 + +tetex-bin (2.0.2-30sarge3) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Added more precautionary checks by Martin Pitt + + -- Martin Schulze <joey@infodrom.org> Mon, 12 Dec 2005 08:32:05 +0100 + +tetex-bin (2.0.2-30sarge2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Adjusted the former patch + * Applied missing bits found by Ludwig Nussel + + -- Martin Schulze <joey@infodrom.org> Fri, 9 Dec 2005 11:25:16 +0100 + +tetex-bin (2.0.2-30sarge1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Partially applied patch from xpdf upstream to fix buffer overflows + [libs/xpdf/xpdf/Stream.cc, libs/xpdf/xpdf/Stream.h, CAN-2005-3191, + debian/patches/patch-CVE-2005-3191] + + -- Martin Schulze <joey@infodrom.org> Thu, 8 Dec 2005 10:19:45 +0100 + tetex-bin (2.0.2-30) unstable; urgency=low * Restore debian/watch and don't keep the recovered control file in diff -u tetex-bin-2.0.2/debian/rules tetex-bin-2.0.2/debian/rules --- tetex-bin-2.0.2/debian/rules +++ tetex-bin-2.0.2/debian/rules @@ -57,6 +57,8 @@ patch -p1 -Ni debian/patches/patch-CAN-2005-0064 patch -p1 -NRi debian/patches/patch-mandash || true patch -p1 -Ni debian/patches/patch-mandash + patch -p1 -NRi debian/patches/patch-CVE-2005-3191 || true + patch -p1 -Ni debian/patches/patch-CVE-2005-3191 cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./texk/ cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./utils/texinfo/ cp -f /usr/share/misc/config.guess /usr/share/misc/config.sub ./config/ @@ -95,6 +97,7 @@ # Add here commands to clean up after the build process. # Make sure all of our expected symlinks are in place sh debian/restore-symlinks + patch -p1 -NRi debian/patches/patch-CVE-2005-3191 || true patch -p1 -NRi debian/patches/patch-mandash || true patch -p1 -NRi debian/patches/patch-CAN-2005-0064 || true patch -p1 -NRi debian/patches/patch-CAN-2004-1125 || true only in patch2: unchanged: --- tetex-bin-2.0.2.orig/debian/patches/patch-CVE-2005-3191 +++ tetex-bin-2.0.2/debian/patches/patch-CVE-2005-3191 @@ -0,0 +1,243 @@ +diff -u -p -Nr --exclude CVS tetex-bin-2.0.2.orig/libs/xpdf/xpdf/JBIG2Stream.cc tetex-bin-2.0.2/libs/xpdf/xpdf/JBIG2Stream.cc +--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/JBIG2Stream.cc 2002-11-16 16:02:19.000000000 +0100 ++++ tetex-bin-2.0.2/libs/xpdf/xpdf/JBIG2Stream.cc 2005-12-15 16:51:31.000000000 +0100 +@@ -13,6 +13,7 @@ + #endif + + #include <stdlib.h> ++#include <limits.h> + #include "GList.h" + #include "Error.h" + #include "JBIG2Stream.h" +@@ -977,7 +978,14 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + w = wA; + h = hA; + line = (wA + 7) >> 3; +- data = (Guchar *)gmalloc(h * line); ++ ++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) ++ data = NULL; ++ else { ++ // need to allocate one extra guard byte for use in combine() ++ data = (Guchar *)gmalloc(h * line + 1); ++ data[h * line] = 0; ++ } + } + + JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): +@@ -986,8 +994,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + w = bitmap->w; + h = bitmap->h; + line = bitmap->line; +- data = (Guchar *)gmalloc(h * line); ++ ++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) { ++ data = NULL; ++ return; ++ } ++ ++ data = (Guchar *)gmalloc(h * line + 1); + memcpy(data, bitmap->data, h * line); ++ data[h * line] = 0; + } + + JBIG2Bitmap::~JBIG2Bitmap() { +@@ -1012,10 +1027,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +- if (newH <= h) { ++ if (newH <= h || line <= 0 || newH >= (INT_MAX-1) / line) { + return; + } +- data = (Guchar *)grealloc(data, newH * line); ++ data = (Guchar *)grealloc(data, newH * line + 1); + if (pixel) { + memset(data + h * line, 0xff, (newH - h) * line); + } else { +@@ -2505,6 +2520,16 @@ void JBIG2Stream::readHalftoneRegionSeg( + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); + return; + } ++ ++ if (gridH == 0 || gridW >= INT_MAX / gridH) { ++ error(getPos(), "Bad size in JBIG2 halftone segment"); ++ return; ++ } ++ if (w == 0 || h >= INT_MAX / w) { ++ error(getPos(), "Bad size in JBIG2 bitmap segment"); ++ return; ++ } ++ + patternDict = (JBIG2PatternDict *)seg; + bpp = 0; + i = 1; +@@ -3078,6 +3103,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef + Guint ltpCX, cx, cx0, cx2, cx3, cx4, tpgrCX0, tpgrCX1, tpgrCX2; + int x, y, pix; + ++ if (w < 0 || h <= 0 || w >= INT_MAX / h) ++ return NULL; ++ + bitmap = new JBIG2Bitmap(0, w, h); + bitmap->clearToZero(); + +diff -u -p -Nr --exclude CVS tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.cc tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.cc +--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.cc 2005-12-15 16:44:06.000000000 +0100 ++++ tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.cc 2005-12-15 17:02:31.000000000 +0100 +@@ -15,6 +15,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <stddef.h> ++#include <limits.h> + #ifndef WIN32 + #include <unistd.h> + #endif +@@ -404,18 +405,40 @@ void ImageStream::skipLine() { + + StreamPredictor::StreamPredictor(Stream *strA, int predictorA, + int widthA, int nCompsA, int nBitsA) { ++ int totalBits; ++ + str = strA; + predictor = predictorA; + width = widthA; + nComps = nCompsA; + nBits = nBitsA; ++ predLine = NULL; ++ ok = gFalse; + ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps >= INT_MAX/nBits || ++ width >= INT_MAX/nComps/nBits) { ++ return; ++ } + nVals = width * nComps; ++ if (nVals + 7 <= 0) { ++ return; ++ } ++ totalBits = nVals * nBits; ++ if (totalBits == 0 || ++ (totalBits / nBits) / nComps != width || ++ totalBits + 7 < 0) { ++ return; ++ } + pixBytes = (nComps * nBits + 7) >> 3; +- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ rowBytes = ((totalBits + 7) >> 3) + pixBytes; ++ if (rowBytes < 0) { ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; ++ ok = gTrue; + } + + StreamPredictor::~StreamPredictor() { +@@ -981,6 +1004,10 @@ LZWStream::LZWStream(Stream *strA, int p + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +@@ -1226,6 +1253,12 @@ CCITTFaxStream::CCITTFaxStream(Stream *s + endOfLine = endOfLineA; + byteAlign = byteAlignA; + columns = columnsA; ++ ++ if (columns + 4 < 1 || (columns + 4) >= INT_MAX / sizeof(short)) { ++ error(getPos(), "Bad number of columns in CCITTFaxStream"); ++ exit(1); ++ } ++ + rows = rowsA; + endOfBlock = endOfBlockA; + black = blackA; +@@ -2860,6 +2893,11 @@ GBool DCTStream::readBaselineSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream", prec); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2886,6 +2924,11 @@ GBool DCTStream::readProgressiveSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2908,6 +2951,11 @@ GBool DCTStream::readScanInfo() { + + length = read16() - 2; + scanInfo.numComps = str->getChar(); ++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { ++ scanInfo.numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + --length; + if (length != 2 * scanInfo.numComps + 3) { + error(getPos(), "Bad DCT scan info block"); +@@ -2975,12 +3023,12 @@ GBool DCTStream::readHuffmanTables() { + while (length > 0) { + index = str->getChar(); + --length; +- if ((index & 0x0f) >= 4) { ++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { + error(getPos(), "Bad DCT Huffman table"); + return gFalse; + } + if (index & 0x10) { +- index &= 0x0f; ++ index &= 0x03; + if (index >= numACHuffTables) + numACHuffTables = index+1; + tbl = &acHuffTables[index]; +@@ -3178,6 +3226,10 @@ FlateStream::FlateStream(Stream *strA, i + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +diff -u -p -Nr --exclude CVS tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.h tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.h +--- tetex-bin-2.0.2.orig/libs/xpdf/xpdf/Stream.h 2005-12-15 16:44:06.000000000 +0100 ++++ tetex-bin-2.0.2/libs/xpdf/xpdf/Stream.h 2005-12-15 16:44:00.000000000 +0100 +@@ -225,6 +225,8 @@ public: + + ~StreamPredictor(); + ++ GBool isOk() { return ok; } ++ + int lookChar(); + int getChar(); + +@@ -242,6 +244,7 @@ private: + int rowBytes; // bytes per line + Guchar *predLine; // line buffer + int predIdx; // current index in predLine ++ GBool ok; + }; + + //------------------------------------------------------------------------
Attachment:
signature.asc
Description: Digital signature