
Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]



On 05.01.06 Martin Pitt (martin.pitt@ubuntu.com) wrote:

Hi Martin,

> Chris Evans found some more integer overflows in the xpdf code [1]
> which affect tetex-bin as well. [1] also has demo exploit PDFs for
> patch checking.
> 
> See [2] for the Ubuntu debdiff. 
> 
> This only affects sarge (and woody); luckily sid is finally cured
> forever due to poppler, so please mark this bug as fixed in sid.
> 
> Thanks,
> 
> Martin
> 
> [1] http://scary.beasts.org/security/b0dfca810501f2da/CESA-2005-003.txt
> [2] http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3624_5_7.diff
> 
The problem is solved for 3.0 as we use libpoppler.

http://www.debian.org/security/2006/dsa-937 refers to CVE-2005-3624,
CVE-2005-3625, CVE-2005-3627. Debian stable (2.0.2-sarge4) contains a
patch named patch-CVE-2005-3624_5_7. That one is identical to your
patch posted on Ubuntu. Hence I guess that bug is solved for stable.
On the DSA page Joey states that the problem is solved for oldstable
too. The .orig.tar.gz contains a patched Stream.cc, which has the
same modifications as your patch contains, except the last hunk. I'm
attaching it. Could you evaluate whether the hunk is necessary?
If not, I guess we're done here and can close #346086.

Thanks,
  Hilmar
-- 
sigmentation fault
@@ -3100,9 +3107,11 @@ int DCTStream::readMarker() {
   do {
     do {
       c = str->getChar();
+      if(c == EOF) return EOF;
     } while (c != 0xff);
     do {
       c = str->getChar();
+      if(c == EOF) return EOF;
     } while (c == 0xff);
   } while (c == 0x00);
   return c;
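Review bot: the first added check (after the first str->getChar() in the inner loop) is the one that matters: without it a truncated or malformed DCT stream makes readMarker() spin forever, because getChar() keeps returning EOF (-1), which never compares equal to 0xff, so `while (c != 0xff)` never terminates. The second added check is behaviourally redundant: an EOF already falls out of `while (c == 0xff)`, and since EOF is not 0x00 the outer loop then returns it anyway; it is harmless but could be dropped for a minimal patch. Either way readMarker() now returns a negative value on EOF, so every caller must compare the result against EOF before treating it as a marker byte, and that should be verified at the call sites rather than assumed.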
