
Bug#300182: marked as done (tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206))



Your message dated Tue, 29 Mar 2005 15:25:37 +0200
with message-id <87ll8637ou.fsf@alhambra.kuesterei.ch>
and subject line tetex-bin not vulnerable
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Mar 2005 09:16:52 +0000
>From hille42@web.de Fri Mar 18 01:16:52 2005
Return-path: <hille42@web.de>
Received: from smtp06.web.de [217.72.192.224] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DCDbA-0001gh-00; Fri, 18 Mar 2005 01:16:52 -0800
Received: from [212.14.71.206] (helo=preusse.amasol.de)
	by smtp06.web.de with asmtp (WEB.DE 4.104 #268)
	id 1DCDac-0003Do-00
	for submit@bugs.debian.org; Fri, 18 Mar 2005 10:16:18 +0100
Received: by preusse.amasol.de (sSMTP sendmail emulation); Fri, 18 Mar 2005 10:16:20 +0100
Date: Fri, 18 Mar 2005 10:16:19 +0100
From: Hilmar Preusse <hille42@web.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
Message-ID: <20050318091619.GD2460@preusse>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="69pVuxX8awAiJ7fD"
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
X-Operating-System: CYGWIN_NT-5.0 1.5.13(0.122/4/2) i686
X-www.distributed.net: OGR-P2: 4 packets (55.05 stats units) [3.04 Mnodes/s]
X-Face: .n=jHnz:2pu0c0)ef]4O#1FE{Vak?h89!g7_#2+PzSRoIU[pJFNnz>gLhn}UMwv}4/j{X.. 2E+>U>P!`PYk
X-Confirmation-Request: yes
X-Confirm-Reading-To: "Hilmar Preusse" <hille42@web.de>
Sender: hille42@web.de
X-Sender: hille42@web.de
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-1.8 required=4.0 tests=BAYES_00,FROM_ENDS_IN_NUMS 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--69pVuxX8awAiJ7fD
Content-Type: multipart/mixed; boundary="i9LlY+UWpKt15+FH"
Content-Disposition: inline


--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: tetex-bin
Version: 2.0.2-26
Severity: critical
Tags: security

Hi all,

As recently discovered, the patch which fixed CAN-2004-0888 seems to
be broken on all 64-bit platforms (tested only on ia64 though).[1]

Attached are two patches, which should fix that. They are simply
stolen from the RedHat BTS.[2]

H.

[1] e.g.: http://www.auscert.org.au/render.html?it=4887
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393
-- 
sigmentation fault

--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CAN-2005-0206-1.diff"

@@ -186,6 +192,11 @@
       }
       if (start >= pagesSize) {
        pagesSize += 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+            pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
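Review bot: this attachment has no `---`/`+++` file header, so the hunk cannot be applied without the reader guessing that it targets Catalog.cc; add the header lines as the second attachment does. It also differs from the corresponding Catalog.cc hunk in CAN-2005-0206.diff, which tests only `sizeof(Page *)` while this one tests `sizeof(Page *)` and `sizeof(Ref)`, so state which of the two is meant to be applied.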

--i9LlY+UWpKt15+FH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="CAN-2005-0206.diff"
Content-Transfer-Encoding: quoted-printable

--- XRef.cc.orig	2004-09-17 23:54:38.000000000 -0700
+++ XRef.cc	2004-09-25 17:59:36.000000000 -0700
@@ -76,6 +76,12 @@
=20
   // trailer is ok - read the xref table
   } else {
+    if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D size) {
+      error(-1, "Invalid 'size' inside xref table.");
+      ok =3D gFalse;
+      errCode =3D errDamaged;
+      return;
+    }
     entries =3D (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
     for (i =3D 0; i < size; ++i) {
       entries[i].offset =3D 0xffffffff;
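Review bot: the guard `size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size` only detects overflow if the int multiplication wraps, which is undefined behaviour in C++ and which an optimising compiler may fold away together with the comparison. A wrap-free form such as `size < 0 || size > INT_MAX / (int)sizeof(XRefEntry)` gives the same protection on every platform without depending on that.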
@@ -267,6 +273,10 @@
     // table size
     if (first + n > size) {
       newSize =3D size + 256;
+      if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize) {
+        error(-1, "Invalid 'newSize'");
+        goto err2;
+      }
       entries =3D (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntr=
y));
       for (i =3D size; i < newSize; ++i) {
 	entries[i].offset =3D 0xffffffff;
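Review bot: `goto err2` is taken while `entries` still points at the old allocation, and the `err2` label is outside the hunk; confirm that the label frees `entries` (and anything else allocated before this point) rather than leaving it leaked on this new error path.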
@@ -410,6 +420,10 @@
 	    if (!strncmp(p, "obj", 3)) {
 	      if (num >=3D size) {
 		newSize =3D (num + 1 + 255) & ~255;
+	        if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize=
) {
+	          error(-1, "Invalid 'obj' parameters.");
+	          return gFalse;
+	        }
 		entries =3D (XRefEntry *)
 		            grealloc(entries, newSize * sizeof(XRefEntry));
 		for (i =3D size; i < newSize; ++i) {
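Review bot: the message "Invalid 'obj' parameters." does not say what was rejected; since `num` and the rounded `newSize` are both available here, log them (and use one consistent wording across the five guards in this patch, which currently mix "Invalid 'size' inside xref table.", "Invalid 'newSize'" and this form) so that a damaged file can be diagnosed from the error output.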
@@ -431,6 +445,11 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen =3D=3D streamEndsSize) {
 	streamEndsSize +=3D 64;
+        if (streamEndsSize*(int)sizeof(int)/sizeof(int) !=3D streamEndsSiz=
e) {
+          error(-1, "Invalid 'endstream' parameter.");
+          return gFalse;
+        }
+
 	streamEnds =3D (Guint *)grealloc(streamEnds,
 				       streamEndsSize * sizeof(int));
       }
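Review bot: `streamEnds` is a `Guint *`, but both the new guard and the `grealloc` size use `sizeof(int)`; use `sizeof(Guint)` in both places so the guard cannot silently diverge from the allocation if the types ever differ. The stray empty `+` line after the closing brace adds a blank line the surrounding code does not have.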
--- Catalog.cc.orig	2004-09-18 00:14:15.000000000 -0700
+++ Catalog.cc	2004-09-25 18:19:55.000000000 -0700
@@ -63,6 +63,12 @@
   }
   pagesSize =3D numPages0 =3D obj.getInt();
   obj.free();
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) !=3D pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok =3D gFalse;
+    return;
+  }
   pages =3D (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs =3D (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i =3D 0; i < pagesSize; ++i) {
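Review bot: on the new `ok = gFalse; return;` path neither `pages` nor `pageRefs` is assigned, as far as the hunk shows, yet the Catalog object will still be destroyed; confirm that the constructor initialises both to NULL before this point and that the destructor tolerates that, otherwise the rejected file turns into a crash on cleanup instead of a clean error.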
@@ -190,6 +196,10 @@
       }
       if (start >=3D pagesSize) {
 	pagesSize +=3D 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
 	pages =3D (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 	pageRefs =3D (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 	for (j =3D pagesSize - 32; j < pagesSize; ++j) {
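Review bot: the guard tests only `pagesSize * sizeof(Page *)` although the very next lines reallocate `pageRefs` with `pagesSize * sizeof(Ref)` as well; add the `sizeof(Ref)` test here, as the first Catalog.cc hunk and the separate CAN-2005-0206-1.diff attachment do. As with `err2` in XRef.cc, the `err3` label is not visible, so confirm it releases `pages` and `pageRefs`.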

--i9LlY+UWpKt15+FH--

--69pVuxX8awAiJ7fD
Content-Type: application/pgp-signature
Content-Disposition: inline


--69pVuxX8awAiJ7fD--
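The 64-bit failure the report refers to, shown as an added illustration that is not part of the bug report, the Red Hat patches or xpdf: the `XRefEntry` layout, the function names and the count value are constructed assumptions, and an LP64 platform is assumed for the size_t case. It contrasts a size_t-based wrap check that never fires on 64-bit, the truncation an int-typed allocator parameter then applies, the int-cast guard the attached patches use, and a wrap-free check.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for xpdf's XRefEntry; assumed to be 16 bytes. */
typedef struct { unsigned int offset; int gen; int type; int pad; } XRefEntry;

/* Check in the style of the CAN-2004-0888 fix, with size_t arithmetic.
 * On LP64 the product of an int and sizeof() cannot wrap, so this never
 * fires, yet the byte count is later handed to an int-typed gmalloc(). */
int check_size_t_wrap(int n) {
    return (size_t)n * sizeof(XRefEntry) / sizeof(XRefEntry) != (size_t)n;
}

/* The value an int-typed allocator parameter receives once the 64-bit
 * byte count is cut down to 32 bits (modulo 2^32 on common ABIs). */
uint32_t truncated_bytes(int n) {
    return (uint32_t)((size_t)n * sizeof(XRefEntry));
}

/* The guard as written in the attached patches forces the multiply into
 * int and relies on it wrapping; emulated here with unsigned arithmetic
 * so that the demonstration itself has defined behaviour. */
int check_int_wrap(int n) {
    uint32_t prod = (uint32_t)n * (uint32_t)sizeof(XRefEntry);
    return (int32_t)prod / (int32_t)sizeof(XRefEntry) != n;
}

/* Wrap-free form: reject negative counts and any count whose byte size
 * does not fit the allocator's int parameter, without any overflow. */
int count_is_safe(int n, size_t elem_size) {
    return n >= 0 && (size_t)n <= (size_t)INT_MAX / elem_size;
}

int main(void) {
    int n = 0x10000001;   /* constructed count: n * 16 == 2^32 + 16 */
    printf("size_t-style check fires: %d\n", check_size_t_wrap(n));
    printf("bytes reaching gmalloc(int): %u\n", (unsigned)truncated_bytes(n));
    printf("int-cast check fires: %d\n", check_int_wrap(n));
    printf("wrap-free check accepts: %d\n", count_is_safe(n, sizeof(XRefEntry)));
    return 0;
}
```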

---------------------------------------
Received: (at 300182-done) by bugs.debian.org; 29 Mar 2005 13:25:41 +0000
>From frank@kuesterei.ch Tue Mar 29 05:25:40 2005
Return-path: <frank@kuesterei.ch>
Received: from idmailgate1.unizh.ch [130.60.68.105] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DGGiy-0003nu-00; Tue, 29 Mar 2005 05:25:40 -0800
Received: from alhambra.kuesterei.ch ([130.60.169.112])
	by idmailgate1.unizh.ch (8.12.10/8.12.10/Debian-2) with ESMTP id j2TDPbxW018933
	for <300182-done@bugs.debian.org>; Tue, 29 Mar 2005 15:25:38 +0200
Received: from localhost ([127.0.0.1] helo=alhambra.kuesterei.ch)
	by alhambra.kuesterei.ch with esmtp (Exim 4.50)
	id 1DGGiw-0007ax-Pm
	for 300182-done@bugs.debian.org; Tue, 29 Mar 2005 15:25:38 +0200
To: 300182-done@bugs.debian.org
Subject: tetex-bin not vulnerable
X-Attribution: fant
X-Ehrenamt: http://www.langau.de
From: frank@kuesterei.ch (Frank Küster)
Date: Tue, 29 Mar 2005 15:25:37 +0200
Message-ID: <87ll8637ou.fsf@alhambra.kuesterei.ch>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: by amavisd-new
Delivered-To: 300182-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


After the discussion on -security, starting with

http://lists.debian.org/debian-security/2005/03/msg00057.html

it is clear that tetex-bin is not vulnerable in woody, sarge or sid.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer


