Fixed upstream and expected in the groff 1.23.0 release.

commit 1b97881fc0e2246cf29b4758139a665c7816ba23
Author: G. Branden Robinson <g.branden.robin...@gmail.com>
Date:   Sun Sep 12 05:53:43 2021 +1000
[libbib]: Validate input to avoid heap overread.

Since June 1991 if not earlier, groff (technically, the refer, lookbib, and lkbib programs) has trusted the header contents of binary bibliographic index files (canonically generated with indxbib(1)) regarding the sizes of the data structures that follow in the file, a notorious class of security problem.

In July 2013, the Mayhem Team at Carnegie Mellon University reported to the Debian Bug Tracking System a problem with groff's refer(1) implementation dumping core when reading an index file prepared by a fuzzer.

* src/libs/libbib/index.cpp (index_search_item::check_header): Add new member function to validate the header of an indexed bibliography file, returning a string describing in detail the first validity problem encountered.
  (index_search_item::load): Perform the foregoing check before using any of the size values taken from the header; they are relied upon for pointer arithmetic. If in verification mode (using the undocumented `-V` flag to refer(1), lkbib(1), or lookbib(1)), report the details of the problem encountered. Regardless of that mode, if there is a validity problem, report corruption of the index file and abandon it, forcing fallback to the text version of the corresponding bibliography file.

Fixes <https://bugs.debian.org/716109>.
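The header check the commit describes, as an added C example that is not groff's own code: the index_header layout, its magic value and the message strings are constructed for illustration, and check_header() follows the design of returning either NULL or a string naming the first validity problem, so that no offset is computed from header fields before they are known to fit the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IDX_MAGIC 0x31584449u  /* constructed magic for this hypothetical format */

/* Hypothetical index-file header (host-endian); the sizes that follow the
 * header are exactly what a reader must not trust before checking them. */
struct index_header {
    uint32_t magic;
    uint32_t tags;      /* count of 4-byte tag entries after the header */
    uint32_t lists;     /* byte size of the list area after the tags */
    uint32_t strings;   /* byte size of the string pool after the lists */
};

/* Return NULL if the header is consistent with a file of file_len bytes,
 * otherwise a string naming the first problem found. Each region is compared
 * with the space still remaining, so the running total cannot overflow. */
const char *check_header(const unsigned char *buf, size_t file_len)
{
    struct index_header h;
    size_t need = sizeof h;
    if (file_len < need)
        return "file shorter than header";
    memcpy(&h, buf, sizeof h);  /* copy out: no unaligned access */
    if (h.magic != IDX_MAGIC)
        return "bad magic number";
    if (h.tags > (file_len - need) / sizeof(uint32_t))
        return "tag count exceeds file size";
    need += (size_t)h.tags * sizeof(uint32_t);
    if (h.lists > file_len - need)
        return "list area exceeds file size";
    need += h.lists;
    if (h.strings > file_len - need)
        return "string pool exceeds file size";
    need += h.strings;
    return need == file_len ? NULL : "trailing bytes after string pool";
}

/* Constructed sample: build a header with the given fields and check it
 * against a claimed file length (check_header reads only the header bytes). */
const char *check_header_of(uint32_t tags, uint32_t lists, uint32_t strings,
                            size_t file_len)
{
    struct index_header h = { IDX_MAGIC, tags, lists, strings };
    unsigned char buf[sizeof h];
    memcpy(buf, &h, sizeof h);
    return check_header(buf, file_len);
}
```

A loader would call check_header() first and, on a non-NULL result, report the index as corrupt and fall back to the text bibliography instead of computing any offset from the header.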