
Bug#580668: marked as done (texlive-bin: Fix arbitrary code execution via integer overflow)



Your message dated Sun, 9 May 2010 07:05:00 +0900
with message-id <20100508220500.GA17436@gamma.logic.tuwien.ac.at>
and subject line Re: Bug#580668: nmu
has caused the Debian Bug report #580668,
regarding texlive-bin: Fix arbitrary code execution via integer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
580668: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580668
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: texlive-bin
Version: 2009-5
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch

I'm not sure if this is a user or root security hole


In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: arbitrary code execution via integer overflow
    - debian/patches/security-CVE-2010-0739,1440.patch: make sure numbytes
      doesn't overflow in texk/dvipsk/dospecial.c.
    - CVE-2010-0739
    - CVE-2010-1440

We thought you might be interested in doing the same. 
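The overflow the changelog entry describes, as an added C model (not dvipsk's code and not part of the bug report): `wrapped_alloc_size` shows what the pre-patch size expression `1000 + 2*numbytes` becomes after 32-bit wraparound, and `grow_checked` applies the bound the fix introduces on a constructed stand-in for dvips's special-string buffer; `strbuf`, `grow_demo` and the enum names are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum grow_result { GROW_NOT_NEEDED = 0, GROW_OK = 1, GROW_OVERFLOW = -1, GROW_NOMEM = -2 };
/* Stand-in for dvipsk's special-string buffer (constructed, not dvipsk's code); free region is [nextstring, maxstring). */
struct strbuf { char *nextstring, *maxstring; };

/* Value the pre-patch size expression 1000 + 2*numbytes takes after 32-bit
   wraparound (computed in unsigned arithmetic so the demo itself has no UB). */
int32_t wrapped_alloc_size(int32_t numbytes)
{
    return (int32_t)(1000u + 2u * (uint32_t)numbytes);
}

/* Growth step with the patched bound: reject any numbytes for which
   1000 + 2*numbytes is not representable, before anything is allocated. */
enum grow_result grow_checked(struct strbuf *b, int numbytes)
{
    if (numbytes >= 0 && numbytes <= b->maxstring - b->nextstring)
        return GROW_NOT_NEEDED;             /* enough room already */
    if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2)
        return GROW_OVERFLOW;               /* size computation would wrap */
    b->nextstring = malloc(1000 + 2 * (size_t)numbytes);
    if (b->nextstring == NULL)
        return GROW_NOMEM;
    b->maxstring = b->nextstring + 2 * numbytes + 700;
    return GROW_OK;
}

/* Buffer with `capacity` free bytes, one growth request, then cleanup. */
int grow_demo(int capacity, int request)
{
    struct strbuf b;
    char *old = malloc((size_t)capacity);
    b.nextstring = old;
    b.maxstring = old + capacity;
    enum grow_result r = grow_checked(&b, request);
    if (b.nextstring != old)
        free(b.nextstring);                 /* grown: release the new block too */
    free(old);
    return r;
}
int main(void)
{
    printf("1000 + 2*INT_MAX wraps to %d bytes\n", wrapped_alloc_size(INT32_MAX));
    printf("request INT_MAX -> %d, request 5000 -> %d\n", grow_demo(64, INT_MAX), grow_demo(64, 5000));
    return 0;
}
```

A request of INT_MAX bytes would have produced a 998-byte allocation with maxstring pointing gigabytes past it; the bound rejects it before mymalloc() is reached.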


-- System Information:
Debian Release: 5.0.4
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-6-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -u texlive-bin-2009/debian/changelog texlive-bin-2009/debian/changelog
only in patch2:
unchanged:
--- texlive-bin-2009.orig/debian/patches/security-CVE-2010-0739,1440.patch
+++ texlive-bin-2009/debian/patches/security-CVE-2010-0739,1440.patch
@@ -0,0 +1,33 @@
+Description: fix arbitrary code execution via integer overflow
+Author: Jindrich Novy, Karel Šrot, Ludwig Nussel
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=572941
+
+diff -Nur texlive-bin-2009/texk/dvipsk/dospecial.c texlive-bin-2009.new/texk/dvipsk/dospecial.c
+--- texlive-bin-2009/texk/dvipsk/dospecial.c	2009-06-23 05:46:14.000000000 -0400
++++ texlive-bin-2009.new/texk/dvipsk/dospecial.c	2010-05-03 09:05:22.000000000 -0400
+@@ -333,7 +333,11 @@
+    int j ;
+    static int omega_specials = 0;
+ 
+-   if (nextstring + numbytes > maxstring) {
++   if (numbytes < 0 || numbytes > maxstring - nextstring) {
++      if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
++         error("! Integer overflow in predospecial");
++         exit(1);
++      }
+       p = nextstring = mymalloc(1000 + 2 * numbytes) ;
+       maxstring = nextstring + 2 * numbytes + 700 ;
+    }
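Review bot: the new check `numbytes > (INT_MAX - 1000) / 2` uses INT_MAX, but the hunk adds no `#include <limits.h>` to dospecial.c; confirm the macro already reaches this file through its existing headers, or the security update itself will not compile. The bound is correct: with numbytes <= (INT_MAX - 1000) / 2 both `1000 + 2 * numbytes` in the mymalloc() call and `2 * numbytes + 700` in the maxstring computation stay representable, and rewriting the trigger as `numbytes > maxstring - nextstring` also stops the code from forming the out-of-range pointer `nextstring + numbytes` that the removed line relied on.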
+@@ -918,7 +922,11 @@
+    char seen[NKEYS] ;
+    float valseen[NKEYS] ;
+ 
+-   if (nextstring + nbytes > maxstring) {
++   if (nbytes < 0 || nbytes > maxstring - nextstring) {
++      if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
++         error("! Integer overflow in bbdospecial");
++         exit(1);
++      }
+       p = nextstring = mymalloc(1000 + 2 * nbytes) ;
+       maxstring = nextstring + 2 * nbytes + 700 ;
+    }
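Review bot: the bbdospecial block repeats the predospecial check line for line with only the variable name and message changed; factoring both into one static helper (for example a `checkspecialsize(int nbytes)` that calls error() and exits, else returns) would keep the two bounds from drifting apart if the 1000/700 constants are ever tuned. The `exit(1)` right after `error("! Integer overflow in bbdospecial")` is either redundant, if error() already aborts on a leading '!', or the only thing preventing a fall-through into mymalloc() with the unchecked size; a short comment stating which would help the next reader.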

--- End Message ---
--- Begin Message ---
On Sat, 08 May 2010, Michael Gilbert wrote:
> hi, attached is a debdiff that fixes these issues.  i am looking for a
> sponsor.  the package is at:
> http://mentors.debian.net/debian/pool/main/t/texlive-bin

Fixed packages have been prepared long before the public announcement
of CVE-2010-1440 and the security team was informed about the location
of the packages that were ready for upload. I couldn't do it myself
since I was offline.
(my email was from 1 May 2010, to security@debian.org)

It looks like on the security side of Debian nobody cared about me contacting
them about this issue (PING PING PING!!! any answer???)

Anyway, I have now myself uploaded 2009-6 of texlive-binaries and at the
same time an upload fixing the same issues for stable (into
stable-proposed-updates as discussed on the security list).

Anyway, thanks for your work.

Closing the two bugs since I did *NOT* rebuild the packages just to
add two bug numbers.

Best wishes

Norbert
------------------------------------------------------------------------
Norbert Preining            preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan            TU Wien, Austria           Debian TeX Task Force
DSA: 0x09C5B094   fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
DUNGENESS (n.)
The uneasy feeling that the plastic handles of the overloaded
supermarket carrier bag you are carrying are getting steadily longer.
			--- Douglas Adams, The Meaning of Liff


--- End Message ---