
Re: [bressers@redhat.com: [vendor-sec] texinfo buffer overflow]



Hi DD WITHOUT Frank!!!

(Frank already knows about the problem but does not have time!)

Can one of you please prepare an upload of texinfo with the fix below, urgency high (security fix for a bug in etch). AFAIR there are no other changes in the texinfo svn repos.

Thanks a lot and keep me informed ...

Norbert


 ..... Original Message .......
On Sun, 19 Nov 2006 22:55:00 +0100 "Moritz Muehlenhoff" <jmm@debian.org> wrote:
>----- Forwarded message from Josh Bressers <bressers@redhat.com> -----
>
>From: Josh Bressers <bressers@redhat.com>
>Subject: [vendor-sec] texinfo buffer overflow
>Date: Tue, 24 Oct 2006 22:08:13 -0400
>
>Hello everybody,
>
>Miloslav Trmac, one of our developers, discovered a buffer overflow in
>texinfo.  I'll attach the testcase and a patch.  The testcase will crash
>when texi2dvi is run on the demo file.  This generates a file called
>long-index.cp, which will crash when texindex is run on it (for a shorter
>debug path).
>
>Upstream has added this patch to their public CVS, but it's not well known.
>It would be appreciated if nobody released an update until 2006-11-07.
>I've assigned the name CVE-2006-4810 to this issue.
>
>Here are the gory details:
>
>From what I see, it looks like the code in readline() of texindex.c has
>some crazy arithmetic.
>
>char *buffer = linebuffer->buffer;
>char *p = linebuffer->buffer;
>char *end = p + linebuffer->size;
>
>while (1)
>  {
>    int c = getc (stream);
>    if (p == end)
>  {
>  buffer = (char *) xrealloc (buffer, linebuffer->size *= 2);
>  p += buffer - linebuffer->buffer;
>  end += buffer - linebuffer->buffer;
>  linebuffer->buffer = buffer;
>
>It would seem that when p == end, p and end are assigned what could be
>random memory addresses as the location of buffer is likely to change with
>a realloc from a size of 200 to 400 bytes. p then proceeds to dump trash
>on the heap until the current line ends.
>
>
>Let me know if anyone has any questions.
>
>Thanks
>
>-- 
>    JB
>
>
>Content-Description: texindex.patch
>--- util/texindex.c.orig	2006-10-13 01:26:23.000000000 +0200
>+++ util/texindex.c	2006-10-13 01:28:11.000000000 +0200
>@@ -858,7 +857,7 @@
>         {
>           buffer = (char *) xrealloc (buffer, linebuffer->size *= 2);
>           p += buffer - linebuffer->buffer;
>-          end += buffer - linebuffer->buffer;
>+          end = buffer + linebuffer->size;
>           linebuffer->buffer = buffer;
>         }
>       if (c < 0 || c == '\n')
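Review bot: the pre-patch `end += buffer - linebuffer->buffer;` only relocates the old end pointer, and because this branch runs exactly when `p == end`, the relocated `end` is still equal to `p` after the doubling; `p` advances past it on the next store and the `p == end` guard can never fire again, so the remainder of the line is written beyond the doubled allocation. `end = buffer + linebuffer->size;` is the correct bound because `linebuffer->size` has already been doubled inside the `xrealloc` call on the line above. Two smaller points: the hunk header `@@ -858,7 +857,7 @@` gives different old and new start lines for a change that neither adds nor removes lines, which suggests the patch was cut from a tree with other differences and should be regenerated against the release being patched; and the retained `p += buffer - linebuffer->buffer;` subtracts a pointer that `xrealloc` may already have freed, which is formally undefined in C, so saving `p - linebuffer->buffer` as an offset before the call would be the cleaner rewrite.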
>
>
>
>----- End forwarded message -----
-------------------------------------------------------------------------------
Dr. Norbert Preining <preining@logic.at>                    Università di Siena
Debian Developer <preining@debian.org>                         Debian TeX Group
gpg DSA: 0x09C5B094      fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
-------------------------------------------------------------------------------
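The following is an added illustration of the bound computation discussed in the forwarded report; it is not texinfo's code and not part of the original thread. It reconstructs the growth logic of readline() around the two fields the report shows (`buffer` and `size`), with assumptions labelled in the comments: the struct layout, what happens after the `p == end` check (a terminator store and `*p++ = c`), a tiny in-memory stream in place of `FILE *`, offsets saved before the realloc instead of subtracting the old pointer, and an explicit bounds check so the pre-patch variant reports the overrun it would have caused instead of corrupting the heap. The initial size of 200 bytes is the figure quoted in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: the report only shows the fields `buffer` and `size`. */
struct linebuffer {
    char *buffer;
    size_t size;
};

/* Constructed in-memory stream standing in for the FILE * the real code reads. */
struct memstream {
    const char *data;
    size_t pos, len;
};

static int mem_getc(struct memstream *s)
{
    return s->pos < s->len ? (unsigned char)s->data[s->pos++] : EOF;
}

/* Hypothetical stand-in for texinfo's xrealloc: abort instead of returning NULL. */
static char *xrealloc_or_die(char *p, size_t n)
{
    char *q = realloc(p, n);
    if (q == NULL) { perror("realloc"); exit(1); }
    return q;
}

static void initbuffer(struct linebuffer *lb, size_t size)
{
    lb->size = size;
    lb->buffer = malloc(size);
    if (lb->buffer == NULL) { perror("malloc"); exit(1); }
}

/*
 * Read one line into lb, doubling the buffer when p reaches end.
 * fixed == 0: compute the new end the way the pre-patch line did, by
 *             relocating the old end pointer (which leaves end == p).
 * fixed != 0: compute it from the doubled size, as the patch does.
 * Every store is guarded by an instrumentation check (not in the original),
 * so the buggy variant returns -1 where the real code would write past the
 * allocation. Otherwise returns the line length.
 */
static long readline_demo(struct linebuffer *lb, struct memstream *stream, int fixed)
{
    char *buffer = lb->buffer;
    char *p = lb->buffer;
    char *end = p + lb->size;

    while (1) {
        int c = mem_getc(stream);
        if (p == end) {
            /* Save offsets before realloc: the old pointer may be freed. */
            size_t p_off = (size_t)(p - lb->buffer);
            size_t end_off = (size_t)(end - lb->buffer);
            buffer = xrealloc_or_die(buffer, lb->size *= 2);
            p = buffer + p_off;
            end = fixed ? buffer + lb->size   /* patched bound: new capacity */
                        : buffer + end_off;   /* pre-patch bound: equals p */
            lb->buffer = buffer;
        }
        if (c < 0 || c == '\n') {
            /* Assumed: the original stores a terminator at the end of line. */
            if (p >= lb->buffer + lb->size) return -1;
            *p = '\0';
            return (long)(p - lb->buffer);
        }
        if (p >= lb->buffer + lb->size) return -1;   /* the heap overflow */
        *p++ = (char)c;
    }
}

/* Constructed input: `len` 'a' bytes followed by '\n', read with a 200-byte
 * initial buffer. Returns the line length, or -1 if the variant would overrun. */
long demo_line(size_t len, int fixed)
{
    char *line = malloc(len + 1);
    if (line == NULL) { perror("malloc"); exit(1); }
    memset(line, 'a', len);
    line[len] = '\n';
    struct memstream in = { line, 0, len + 1 };
    struct linebuffer lb;
    initbuffer(&lb, 200);
    long n = readline_demo(&lb, &in, fixed);
    free(lb.buffer);
    free(line);
    return n;
}

int main(void)
{
    printf("150-byte line: pre-patch %ld, patched %ld\n", demo_line(150, 0), demo_line(150, 1));
    printf("400-byte line: pre-patch %ld, patched %ld\n", demo_line(400, 0), demo_line(400, 1));
    printf("500-byte line: pre-patch %ld, patched %ld\n", demo_line(500, 0), demo_line(500, 1));
    return 0;
}
```

The pre-patch variant survives any line that fits within one doubling (up to 399 bytes here) because the first realloc still happens; it fails on the terminator of a 400-byte line and on every longer line, since after that first doubling `end` equals `p`, `p` steps past it, and the guard is never true again. The patched variant keeps doubling for as long as the line continues.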