Bug#632328: /usr/bin/mpost: indirect readfrom makes a file path leak into the read string

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#632328: /usr/bin/mpost: indirect readfrom makes a file path leak into the read string
From: Andreas Beckmann <debian@abeckmann.de>
Date: Fri, 01 Jul 2011 15:35:57 +0200
Message-id: <[🔎] 20110701133557.19629.78491.reportbug@calzone.localnet>
Reply-to: Andreas Beckmann <debian@abeckmann.de>, 632328@bugs.debian.org

Package: texlive-binaries
Version: 2009-8
Severity: normal
File: /usr/bin/mpost
Tags: upstream patch fixed-upstream

mpost does some internal string corruption for the following construct:

===== oops.mp ======
def oops(expr arg) =
        show arg;
enddef;

beginfig(0)
	string blah;
	blah:="blah/blah";
	oops("first");
	readfrom blah;
	readfrom "doesnotexist";
	oops("OK");
	readfrom blah;
	oops("OOPS");
	readfrom blah;
	readfrom "doesnotexist";
	oops("OK again");
endfig;

end;
==========

$ mpost oops
This is MetaPost, version 1.208 (kpathsea version 5.0.0)
(./oops.mp
>> "first"
>> "OK"
>> "blah/OOPS"
>> "OK again" [0] )
1 output file written: oops.0
Transcript written on oops.log.

The actual script was much mor complicated and the currupted strings
were actually files - that did not exist.

I checked metapost upstream svn repository (not texlive which only
imports a release from time to time) at
http://foundry.supelec.fr/gf/project/metapost

After bisecting branch 1.2 I came up with revision 1401 which fixes that
problem: "fix bug #417: indirect readfrom makes a file path leak into the
read string", cherry picked patch attached.
http://foundry.supelec.fr/gf/project/metapost/scmsvn/?action=browse&path=%2Fbranches%2F1.2%2F&pathrev=1401

Unfortunately bug #417 is not publically viewable.

Another possibility would be to upgrade metapost from 1.208 to 1.212,
the last release from 1.2 branch. Commit 1401 was done between 1.211 and
1.212.


Andreas

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (800, 'stable'), (750, 'oldstable'), (700, 'testing'), (600, 'unstable'), (500, 'stable-updates'), (130, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages texlive-binaries depends on:
ii  ed                      1.4-3            The classic UNIX line editor
ii  libc6                   2.13-7           Embedded GNU C Library: Shared lib
ii  libfontconfig1          2.8.0-2.1        generic font configuration library
ii  libfreetype6            2.4.2-2.1        FreeType 2 font engine, shared lib
ii  libgcc1                 1:4.6.0-10       GCC support library
ii  libkpathsea5            2009-8           TeX Live: path search library for 
ii  libncurses5             5.7+20100313-5   shared libraries for terminal hand
ii  libpng12-0              1.2.44-1         PNG library - runtime
ii  libpoppler5             0.12.4-1.2       PDF rendering library
ii  libstdc++6              4.6.0-10         The GNU Standard C++ Library v3
ii  libx11-6                2:1.3.3-4        X11 client-side library
ii  libxaw7                 2:1.0.7-1        X11 Athena Widget library
ii  libxmu6                 2:1.0.5-2        X11 miscellaneous utility library
ii  libxpm4                 1:3.5.8-1        X11 pixmap library
ii  libxt6                  1:1.0.7-1        X11 toolkit intrinsics library
ii  perl                    5.12.3-7+b1      Larry Wall's Practical Extraction 
ii  tex-common              2.08.1           common infrastructure for building
ii  texlive-common          2009-11          TeX Live: Base component
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

texlive-binaries recommends no packages.

texlive-binaries suggests no packages.

-- no debconf information

------------------------------------------------------------------------
r1401 | taco | 2010-10-13 14:26:03 +0200 (Wed, 13 Oct 2010) | 2 lines
Changed paths:
   M /branches/1.2/source/texk/web2c/mplibdir/mp.w

fix bug #417: indirect readfrom makes a file path leak into the read string

------------------------------------------------------------------------
Index: source/texk/web2c/mplibdir/mp.w
===================================================================
--- source/texk/web2c/mplibdir/mp.w	(revision 1400)
+++ source/texk/web2c/mplibdir/mp.w	(revision 1401)
@@ -16261,10 +16261,11 @@
 
 @c
 void mp_end_name (MP mp) {
-  pool_pointer s; /* length of area, name, and extension */
+  pool_pointer s,orig; /* length of area, name, and extension */
   unsigned int len;
   /* "my/w.mp" */
   s = mp->str_start[mp->str_ptr];
+  orig = s;
   if ( mp->area_delimiter<0 ) {    
     mp->cur_area=xstrdup("");
   } else {
@@ -16280,7 +16281,7 @@
     len = (unsigned)(mp->ext_delimiter-s);
   }
   copy_pool_segment(mp->cur_name,s,len);
-  mp->pool_ptr=s; /* don't need this partial string */
+  mp->pool_ptr=orig; /* don't need this partial string */
 }
 
 @ Conversely, here is a routine that takes three strings and prints a file

Reply to:

Follow-Ups:
- Bug#632328: /usr/bin/mpost: indirect readfrom makes a file path leak into the read string
  - From: Norbert Preining <preining@logic.at>

Next by Date: Bug#632328: /usr/bin/mpost: indirect readfrom makes a file path leak into the read string
Next by thread: Bug#632328: /usr/bin/mpost: indirect readfrom makes a file path leak into the read string
Index(es):
- Date
- Thread