Bug#580668: texlive-bin: Fix arbitrary code execution via integer overflow

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#580668: texlive-bin: Fix arbitrary code execution via integer overflow
From: أحمد المحمودي <aelmahmoudy@sabily.org>
Date: Fri, 07 May 2010 16:00:20 +0000
Message-id: <[🔎] 20100507160020.24872.80066.reportbug@alioth.debian.org>
Reply-to: أحمد المحمودي <aelmahmoudy@sabily.org>, 580668@bugs.debian.org

Package: texlive-bin
Version: 2009-5
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch

I'm not sure if this is a user or root security hole


*** /tmp/tmplLlmaC
In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: arbitrary code execution via integer overflow
    - debian/patches/security-CVE-2010-0739,1440.patch: make sure numbytes
      doesn't overflow in texk/dvipsk/dospecial.c.
    - CVE-2010-0739
    - CVE-2010-1440

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: 5.0.4
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-6-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -u texlive-bin-2009/debian/changelog texlive-bin-2009/debian/changelog
only in patch2:
unchanged:
--- texlive-bin-2009.orig/debian/patches/security-CVE-2010-0739,1440.patch
+++ texlive-bin-2009/debian/patches/security-CVE-2010-0739,1440.patch
@@ -0,0 +1,33 @@
+Description: fix arbitrary code execution via integer overflow
+Author: Jindrich Novy, Karel Šrot, Ludwig Nussel
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=572941
+
+diff -Nur texlive-bin-2009/texk/dvipsk/dospecial.c texlive-bin-2009.new/texk/dvipsk/dospecial.c
+--- texlive-bin-2009/texk/dvipsk/dospecial.c	2009-06-23 05:46:14.000000000 -0400
++++ texlive-bin-2009.new/texk/dvipsk/dospecial.c	2010-05-03 09:05:22.000000000 -0400
+@@ -333,7 +333,11 @@
+    int j ;
+    static int omega_specials = 0;
+ 
+-   if (nextstring + numbytes > maxstring) {
++   if (numbytes < 0 || numbytes > maxstring - nextstring) {
++      if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
++         error("! Integer overflow in predospecial");
++         exit(1);
++      }
+       p = nextstring = mymalloc(1000 + 2 * numbytes) ;
+       maxstring = nextstring + 2 * numbytes + 700 ;
+    }
+@@ -918,7 +922,11 @@
+    char seen[NKEYS] ;
+    float valseen[NKEYS] ;
+ 
+-   if (nextstring + nbytes > maxstring) {
++   if (nbytes < 0 || nbytes > maxstring - nextstring) {
++      if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
++         error("! Integer overflow in bbdospecial");
++         exit(1);
++      }
+       p = nextstring = mymalloc(1000 + 2 * nbytes) ;
+       maxstring = nextstring + 2 * nbytes + 700 ;
+    }

Reply to:

Follow-Ups:
- Bug#580668: marked as done (texlive-bin: Fix arbitrary code execution via integer overflow)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#580223: marked as done (kpsewhich runs in endlees loop, symlink loop)
Next by Date: Bug#580669: texlive-bin: Fix arbitrary code execution via memory corruption
Previous by thread: Proposta de Site
Next by thread: Bug#580668: marked as done (texlive-bin: Fix arbitrary code execution via integer overflow)
Index(es):
- Date
- Thread