Martin Pitt <[EMAIL PROTECTED]> wrote:

> OK, you can now find the 3.0 debdiff at
>
> http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff

Thank you, I've added this.

> it might be interesting for you to get the CVE numbers in the
> changelog right. (Please do mention the CVE numbers to ease tracking.)

Thanks, sorry that I forgot it in the upload.

But I have more bad news. While looking at the patches, I noticed that the patch for CAN-2004-0888 in tetex 3.0 still has the flaws in the upstream/KDE/whoever patch. It does buffer overflow checks that some compilers will simply optimize away (if (size * sizeof(int)/sizeof(int) != size) and the like). In the upload to unstable back then, which was 2.0.2, we changed this to size >= MAX_INT / sizeof(int), but I obviously did not do this in our copy.

I have started to fix this, see

http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CAN-2004-0888?op=diff&rev=0&sc=0

however, since the codebase differs, I cannot simply use the patch from tetex 2.0.2. Unfortunately, I don't have the original patch against 3.00 left, and I also cannot find it on the net.

It also seems that there are some buffer overflows in 3.00 that do not have any tests, e.g. in XRef.cc, line 391 after patch-CAN-2004-0888 has been applied. Or is such a check

  if (newSize < 0) {
    goto err1;
  }

enough to detect an integer overflow, because newSize is signed? 3.01 uses greallocn there.

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
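The two styles of overflow check contrasted in the mail, plus the question about "if (newSize < 0)", as an added example in C. This is not code from xpdf, teTeX or any of the patches discussed; the names xref_grow, count_fits, checked_reallocn and ENTRY_SIZE are hypothetical, and ENTRY_SIZE = 16 is an assumed element size for a 32-bit build. The point it makes: a sign test on the entry count only proves the count is positive, not that count * sizeof(entry) fits in size_t, so a count such as 0x10000000 passes the test while the byte count handed to realloc() wraps to 0 on a 32-bit size_t. Checking the count against LIMIT / sizeof(entry) before multiplying, as greallocn() does, is what catches that case.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not code from xpdf, teTeX or the patch under discussion.
 * All names below are hypothetical stand-ins for the XRef.cc growth path
 * mentioned in the mail. */

#define ENTRY_SIZE 16u  /* assumed sizeof(XRefEntry) on a 32-bit build */

/* Does n * elem fit in a budget of `limit` bytes?  Divides before
 * multiplying, so the check itself cannot overflow.  This is the
 * "count >= LIMIT / sizeof(elem)" form the mail prefers over
 * "(count * sizeof(elem)) / sizeof(elem) != count", where the product
 * may already have wrapped (and, with signed operands, is undefined
 * behaviour that a compiler is entitled to optimise away). */
int count_fits(size_t n, size_t elem, size_t limit) {
    return elem == 0 || n <= limit / elem;
}

/* realloc() in the style of greallocn(): returns NULL when the byte
 * count would wrap, instead of handing back an undersized block. */
void *checked_reallocn(void *p, size_t n, size_t elem) {
    if (!count_fits(n, elem, SIZE_MAX)) return NULL;
    return realloc(p, n * elem);
}

/* Sanity check that an in-range request still succeeds. */
int checked_reallocn_small_ok(void) {
    void *p = checked_reallocn(NULL, 8, ENTRY_SIZE);
    if (!p) return 0;
    free(p);
    return 1;
}

/* The byte count an unchecked "realloc(entries, newSize * sizeof(...))"
 * would receive on a 32-bit size_t.  Unsigned, so the wrap is defined. */
uint32_t bytes_on_32bit(int newSize) {
    return (uint32_t)newSize * ENTRY_SIZE;
}

/* The "if (newSize < 0) goto err1;" test from the mail, in isolation:
 * returns 1 when that test alone would let newSize through. */
int sign_check_accepts(int newSize) {
    return !(newSize < 0);
}

/* Growth step: double the table until it can hold index `needed`,
 * without ever performing a multiplication that could overflow int.
 * Returns the new entry count, or -1 when the table must not grow. */
int xref_grow(int size, int needed) {
    int newSize = size > 0 ? size : 1;
    while (newSize <= needed) {
        if (newSize > INT_MAX / 2) return -1;  /* check before doubling */
        newSize *= 2;
    }
    /* The count is positive, yet count * ENTRY_SIZE may still not fit a
     * 32-bit size_t; the sign test alone cannot see that. */
    if (!count_fits((size_t)newSize, ENTRY_SIZE, UINT32_MAX)) return -1;
    return newSize;
}

int main(void) {
    int n = 0x10000000;  /* positive, so "newSize < 0" does not fire */
    printf("newSize %d: sign check accepts=%d, bytes on 32-bit=%u\n",
           n, sign_check_accepts(n), bytes_on_32bit(n));
    printf("xref_grow(0x0C000000, 0x0C000000) = %d\n",
           xref_grow(0x0C000000, 0x0C000000));
    return 0;
}
```

Running it prints that the sign check accepts 0x10000000 while the 32-bit byte count is 0, and that xref_grow() refuses the doubling that would cross UINT32_MAX / 16 entries. The same count_fits() predicate serves both the realloc wrapper and the growth logic, which is the property to preserve when porting the 2.0.2 fix to the 3.0 code base.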