
Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?



Martin Pitt <mpitt@debian.org> wrote:

> OK, you can now find the 3.0 debdiff at 
>
>   http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff

Thank you, I've added this.

> it might be interesting for you to get the CVE numbers in the
> changelog right. (Please do mention the CVE numbers to ease tracking.)

Thanks, sorry that I forgot it in the upload.

But I have more bad news.  While looking at the patches, I noticed that
the patch for CAN-2004-0888 in tetex 3.0 still has the flaws in the
upstream/KDE/whoever patch.  It does buffer overflow checks that some
compilers will simply optimize away ( if (size * sizeof(int)/sizeof(int)
!= size) and the like).  In the upload to unstable back then, which was
2.0.2, we changed this to size >= MAX_INT / sizeof(int), but I obviously
did not do this in our copy.

I have started to fix this, see

http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CAN-2004-0888?op=diff&rev=0&sc=0

however since the codebase differs I cannot simply use the patch from
tetex 2.0.2. Unfortunately, I don't have the original patch against 3.00
left, and I also cannot find it on the net.

It also seems that there are some buffer overflows in 3.00 that do not
have any tests, e.g. in XRef.cc, line 391 after patch-CAN-2004-0888 has
been applied.  Or is such a check

      if (newSize < 0) {
	goto err1;
      }

enough to detect an integer overflow, because newSize is signed? 3.01
uses greallocn there.

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
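The two check styles discussed in the message above, side by side, as an added example that is not code from the thread, from tetex or from xpdf. The function names, the element-size parameter and the INT_MAX bound are choices made here for illustration: INT_MAX is used because the byte count is returned as an int, which is what the MAX_INT / sizeof(int) bound in the message implies; an allocator taking size_t would use SIZE_MAX instead. The doubling helper addresses the question about `if (newSize < 0)`: because a signed multiplication that overflows is undefined behaviour in C, a sign test after the fact is not a reliable detector, so both the doubling and the byte-count multiplication are bounded before they are performed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Size-check patterns for growing an array of `n` elements.
 * The element size is a parameter so the same helpers serve the
 * sizeof(int) case from the thread and a (hypothetical) larger entry type.
 * All functions return the computed value, or -1 if it would overflow.
 */

/* Pattern 1 (the one the thread calls flawed): multiply first, then look
 * for wrap-around.  n, elem_size and the product are all signed int, so an
 * overflowing product is undefined behaviour; a compiler may assume it never
 * happens and fold `bytes / elem_size != n` to 0, deleting the check. */
int bytes_checked_after(int n, int elem_size)
{
    int bytes = n * elem_size;            /* UB if this overflows */
    if (bytes / elem_size != n) {         /* may be optimised away */
        return -1;
    }
    return bytes;
}

/* Pattern 2 (the thread's replacement): bound n before multiplying.  Every
 * operation here is on values that cannot overflow, so there is nothing for
 * the compiler to discard.  The `>=` bound is conservative by one element,
 * matching the check quoted in the message. */
int bytes_checked_before(int n, size_t elem_size)
{
    if (n < 0 || elem_size == 0) {
        return -1;
    }
    if ((size_t)n >= (size_t)INT_MAX / elem_size) {
        return -1;
    }
    return (int)((size_t)n * elem_size);
}

/* Doubling the capacity of a table, as a growth step commonly does.
 * A post-hoc `if (newSize < 0)` on an int computed as size * 2 is not a
 * reliable overflow detector: the multiplication is UB when it overflows,
 * and a newSize that stays positive can still overflow once multiplied by
 * the element size.  Both are bounded here before the arithmetic happens.
 * Returns the new element count, or -1. */
int grow_doubling(int size, size_t elem_size)
{
    if (size < 0 || size > INT_MAX / 2) {
        return -1;                        /* size * 2 would not fit in int */
    }
    int doubled = (size == 0) ? 1 : size * 2;
    if (bytes_checked_before(doubled, elem_size) < 0) {
        return -1;                        /* doubled * elem_size would not fit */
    }
    return doubled;
}

int main(void)
{
    /* Ordinary request: both patterns agree. */
    printf("1000 ints -> %d bytes (checked after), %d bytes (checked before)\n",
           bytes_checked_after(1000, (int)sizeof(int)),
           bytes_checked_before(1000, sizeof(int)));

    /* Request whose byte count would not fit in an int: rejected before
     * any multiplication can overflow.  Pattern 1 is deliberately not called
     * with this input, since that call would itself be undefined behaviour. */
    printf("INT_MAX/2 ints -> %d\n", bytes_checked_before(INT_MAX / 2, sizeof(int)));

    /* Doubling: the first fails on the doubling step, the second on the
     * byte-count step (the doubled count fits, its byte count does not). */
    printf("grow INT_MAX/2+1 -> %d\n", grow_doubling(INT_MAX / 2 + 1, sizeof(int)));
    printf("grow INT_MAX/4   -> %d\n", grow_doubling(INT_MAX / 4, sizeof(int)));
    printf("grow 1<<20       -> %d entries\n", grow_doubling(1 << 20, sizeof(int)));
    return 0;
}
```

The practical rule the example encodes: compare against a precomputed bound (`INT_MAX / elem_size`, or `SIZE_MAX / elem_size` for a size_t count) before multiplying, and never rely on the result of a signed multiplication to tell you that it overflowed.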



