Bug#278298: Patch available for #278298
Martin Pitt <martin@piware.de> wrote:
> retitle 278298 tetex-bin is affected by CAN-2004-0888
> tag 278298 patch
> thanks
>
> Hi!
>
> I prepared and uploaded a fixed package for Ubuntu Warty. The used
> interdiff is available in Ubuntu's bugzilla:
>
> https://bugzilla.ubuntulinux.org/show_bug.cgi?id=2748
>
> It applies to version 2.0.2-21, whereas Sarge/Sid already have -22,
> but the only patch conflict should be at the changelog (which can be
> adapted easily).
Applying it as a separate patch is probably the better way. But since I
didn't have it available, I have manually adapted a patch sent by Martin
Schulze and merged it into patch-src. I have sent the patch to the
security team for review, but it's identical to yours (with one small
exception). I attach it here again so that it is in the bug.
The difference: In the second hunk for XRef.cc, I have
++ if (size >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'size' inside xref table.");
++ ok = gFalse;
++ errCode = errDamaged;
++ return;
++ }
but you are missing the 4th line:
++ if ( size >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'size' inside xref table.");
++ ok = gFalse;
++ return;
++ }
As I said, my knowledge of C is negligible; I just took what I got from
the security team.
> Adrian, please be aware that the cupsys patch from 5woody10 is not
> sufficient, you also need the patches from woody8 and woody9.
I guess you mistook Adrian for the teTeX maintainer - that was a while
ago... But cupsys doesn't have separate patches. AFAIR the changes are
in the diff.gz, and are the same as discussed here.
The upload is pending, I just wanted to wait for some reaction from the
team.
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
Index: debian/changelog
===================================================================
RCS file: /cvs/tetex/tetex-bin/debian/changelog,v
retrieving revision 1.179
diff -u -r1.179 changelog
--- debian/changelog 18 Oct 2004 17:48:37 -0000 1.179
+++ debian/changelog 27 Oct 2004 12:29:21 -0000
@@ -1,5 +1,8 @@
-tetex-bin (2.0.2-22.2) UNRELEASED; urgency=low
+tetex-bin (2.0.2-23) unstable; urgency=high
+ * Security fix for the xpdf code included in pdftex. Many thanks to
+ Adrian Bunk <bunk@stusta.de> and Martin Schulze <joey@infodrom.org>
+ (closes: #278298) [frank]
* Do not discard the font cache when updating from woody [frank]
* Fix typo in dvips manpage (closes: #274439) [frank]
* Change wording of a diagnostic message of update-texmf, and add a
@@ -8,7 +11,7 @@
- added czech translation, thanks to Miroslav Kure
<kurem@upcase.inf.upol.cz> (closes: #273712) [frank]
- -- Frank Küster <frank@debian.org> Fri, 15 Oct 2004 16:57:21 +0200
+ -- Frank Küster <frank@debian.org> Wed, 27 Oct 2004 10:30:32 +0200
tetex-bin (2.0.2-22) unstable; urgency=high
Index: debian/patches/patch-src
===================================================================
RCS file: /cvs/tetex/tetex-bin/debian/patches/patch-src,v
retrieving revision 1.5
diff -u -r1.5 patch-src
--- debian/patches/patch-src 3 Mar 2004 13:49:31 -0000 1.5
+++ debian/patches/patch-src 27 Oct 2004 12:29:26 -0000
@@ -142,3 +142,95 @@
do_args (argc, argv);
+--- tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/Catalog.cc.orig Wed Oct 27 13:57:48 2004
++++ tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/Catalog.cc Wed Oct 27 14:15:00 2004
+@@ -22,6 +22,7 @@
+ #include "Error.h"
+ #include "Link.h"
+ #include "Catalog.h"
++#include <limits.h>
+
+ //------------------------------------------------------------------------
+ // Catalog
+@@ -63,6 +64,12 @@
+ }
+ pagesSize = numPages0 = obj.getInt();
+ obj.free();
++ if (pagesSize >= INT_MAX/sizeof(Page *) ||
++ pagesSize >= INT_MAX/sizeof(Ref)) {
++ error(-1, "Invalid 'pagesSize'");
++ ok = gFalse;
++ return;
++ }
+ pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+ for (i = 0; i < pagesSize; ++i) {
+@@ -190,6 +197,11 @@
+ }
+ if (start >= pagesSize) {
+ pagesSize += 32;
++ if (pagesSize >= INT_MAX/sizeof(Page *) ||
++ pagesSize >= INT_MAX/sizeof(Ref)) {
++ error(-1, "Invalid 'pagesSize' parameter.");
++ goto err3;
++ }
+ pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+ for (j = pagesSize - 32; j < pagesSize; ++j) {
+--- tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/XRef.cc.orig Wed Oct 27 13:57:51 2004
++++ tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/XRef.cc Wed Oct 27 14:14:45 2004
+@@ -28,6 +28,7 @@
+ #include "Error.h"
+ #include "ErrorCodes.h"
+ #include "XRef.h"
++#include <limits.h>
+
+ //------------------------------------------------------------------------
+
+@@ -76,6 +77,12 @@
+
+ // trailer is ok - read the xref table
+ } else {
++ if (size >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'size' inside xref table.");
++ ok = gFalse;
++ errCode = errDamaged;
++ return;
++ }
+ entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
+ for (i = 0; i < size; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -267,6 +274,10 @@
+ // table size
+ if (first + n > size) {
+ newSize = size + 256;
++ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'newSize'");
++ goto err2;
++ }
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -410,6 +421,10 @@
+ if (!strncmp(p, "obj", 3)) {
+ if (num >= size) {
+ newSize = (num + 1 + 255) & ~255;
++ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'obj' parameters.");
++ return gFalse;
++ }
+ entries = (XRefEntry *)
+ grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+@@ -431,6 +446,11 @@
+ } else if (!strncmp(p, "endstream", 9)) {
+ if (streamEndsLen == streamEndsSize) {
+ streamEndsSize += 64;
++ if (streamEndsSize >= INT_MAX/sizeof(int)) {
++ error(-1, "Invalid 'endstream' parameter.");
++ return gFalse;
++ }
++
+ streamEnds = (Guint *)grealloc(streamEnds,
+ streamEndsSize * sizeof(int));
+ }
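Review bot: The new bound at L142 (`newSize >= INT_MAX/sizeof(XRefEntry)`) is evaluated only after `first + n > size` at L140 has already been computed, and nothing in the hunk validates `first` or `n` themselves; if they are plain ints parsed from the xref subsection header (their origin is outside the hunk), `first + n` can overflow before that comparison, so the grow step is skipped and the subsequent writes into `entries[first..first+n)` are not covered by the added check. A guard such as `if (first < 0 || n < 0 || first > INT_MAX - n) goto err2;` placed before L140 would close that path. The same reliance on the int-to-size_t conversion to reject negative values applies to the `size`, `pagesSize`, `newSize` and `streamEndsSize` tests at L94, L107, L129, L153 and L164; a one-line comment next to the first of them, `// negative values convert to a huge size_t and are rejected here too`, would make that intent explicit for the next reader. The enclosing functions for every nested hunk start and end outside the hunk.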