NMU patch for the kpdf vulnerability
tag 278173 patch
stop
I attach a possible NMU patch for the kpdf integer overflow
vulnerability, still present in sarge, ready to be compiled and
uploaded by some member of the release team or d-qt-kde.
The patch includes the improvements to the initial fix as issued by
KDE, present now in their CVS.
thanks,
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
A conclusion is simply the place where someone got tired of thinking.
diff -u -rN kdegraphics-3.2.3/debian/changelog kdegraphics-3.2.3-1.2/debian/changelog
--- kdegraphics-3.2.3/debian/changelog 2004-11-06 04:23:42.000000000 +0100
+++ kdegraphics-3.2.3-1.2/debian/changelog 2004-11-06 04:25:37.000000000 +0100
@@ -1,3 +1,13 @@
+kdegraphics (4:3.2.3-1.2) testing-proposed-updates; urgency=low
+
+ * Non-maintainer upload to testing to fix security issue.
+
+ * Included fix for KDE Security Advisory 20041021-1: kpdf integer overflows
+ <http://www.kde.org/info/security/advisory-20041021-1.txt>. (Closes: #278173)
+ [Include the improvements by Martin Schulze as available in upstream's CVS.]
+
+ -- Adeodato Simó <asp16@alu.ua.es> Sat, 06 Nov 2004 04:25:37 +0100
+
kdegraphics (4:3.2.3-1.1) testing-proposed-updates; urgency=low
* Non-maintainer upload with approval from Ben Burton.
diff -u -rN kdegraphics-3.2.3/debian/patches/10_fix-CAN-2004-0888.diff kdegraphics-3.2.3-1.2/debian/patches/10_fix-CAN-2004-0888.diff
--- kdegraphics-3.2.3/debian/patches/10_fix-CAN-2004-0888.diff 1970-01-01 01:00:00.000000000 +0100
+++ kdegraphics-3.2.3-1.2/debian/patches/10_fix-CAN-2004-0888.diff 2004-11-06 04:29:08.000000000 +0100
@@ -0,0 +1,101 @@
+ First hunk:
+
+ http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdegraphics/kpdf/xpdf/Catalog.cc.diff?only_with_tag=KDE_3_2_BRANCH&r1=text&tr1=1.3&r2=text&tr2=1.3.2.3
+
+--- kdegraphics/kpdf/xpdf/Catalog.cc 2003/08/20 21:25:12 1.3
++++ kdegraphics/kpdf/xpdf/Catalog.cc 2004/10/28 09:25:05 1.3.2.3
+@@ -12,6 +12,7 @@
+ #pragma implementation
+ #endif
+
++#include <limits.h>
+ #include <stddef.h>
+ #include "gmem.h"
+ #include "Object.h"
+@@ -63,6 +64,12 @@ Catalog::Catalog(XRef *xrefA) {
+ }
+ pagesSize = numPages0 = obj.getInt();
+ obj.free();
++ if ((unsigned) pagesSize >= INT_MAX / sizeof(Page *) ||
++ (unsigned) pagesSize >= INT_MAX / sizeof(Ref)) {
++ error(-1, "Invalid 'pagesSize'");
++ ok = gFalse;
++ return;
++ }
+ pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+ for (i = 0; i < pagesSize; ++i) {
+@@ -190,6 +197,11 @@ int Catalog::readPageTree(Dict *pagesDic
+ }
+ if (start >= pagesSize) {
+ pagesSize += 32;
++ if ((unsigned) pagesSize >= INT_MAX / sizeof(Page *) ||
++ (unsigned) pagesSize >= INT_MAX / sizeof(Ref)) {
++ error(-1, "Invalid 'pagesSize' parameter.");
++ goto err3;
++ }
+ pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+ for (j = pagesSize - 32; j < pagesSize; ++j) {
+
+
+ Second hunk:
+ http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdegraphics/kpdf/xpdf/XRef.cc.diff?only_with_tag=KDE_3_2_BRANCH&r1=text&tr1=1.3&r2=text&tr2=1.3.2.4
+
+--- kdegraphics/kpdf/xpdf/XRef.cc 2003/08/20 21:25:12 1.3
++++ kdegraphics/kpdf/xpdf/XRef.cc 2004/10/28 09:35:21 1.3.2.4
+@@ -12,6 +12,7 @@
+ #pragma implementation
+ #endif
+
++#include <limits.h>
+ #include <stdlib.h>
+ #include <stddef.h>
+ #include <string.h>
+@@ -76,6 +77,12 @@ XRef::XRef(BaseStream *strA, GString *ow
+
+ // trailer is ok - read the xref table
+ } else {
++ if ((unsigned) size >= INT_MAX / sizeof(XRefEntry)) {
++ error(-1, "Invalid 'size' inside xref table.");
++ ok = gFalse;
++ errCode = errDamaged;
++ return;
++ }
+ entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
+ for (i = 0; i < size; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -267,6 +274,10 @@ GBool XRef::readXRef(Guint *pos) {
+ // table size
+ if (first + n > size) {
+ newSize = size + 256;
++ if ((unsigned) newSize >= INT_MAX / sizeof(XRefEntry)) {
++ error(-1, "Invalid 'newSize'");
++ goto err2;
++ }
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -415,6 +426,10 @@ GBool XRef::constructXRef() {
+ if (!strncmp(p, "obj", 3)) {
+ if (num >= size) {
+ newSize = (num + 1 + 255) & ~255;
++ if ((unsigned) newSize >= INT_MAX / sizeof(XRefEntry)) {
++ error(-1, "Invalid 'obj' parameters.");
++ return gFalse;
++ }
+ entries = (XRefEntry *)
+ grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+@@ -436,6 +451,11 @@ GBool XRef::constructXRef() {
+ } else if (!strncmp(p, "endstream", 9)) {
+ if (streamEndsLen == streamEndsSize) {
+ streamEndsSize += 64;
++ if ((unsigned) streamEndsSize >= INT_MAX / sizeof(int)) {
++ error(-1, "Invalid 'endstream' parameter.");
++ return gFalse;
++ }
++
+ streamEnds = (Guint *)grealloc(streamEnds,
+ streamEndsSize * sizeof(int));
+ }
Reply to: