tags 334454 + patch pending confirmed upstream
stop

 BTW, this is Debian bug #334454.  Forwarding my earlier mail to the
 bug.  Please keep it in copy.

-- 
Loïc Minier <[EMAIL PROTECTED]>
--- Begin Message ---
        Hi,

 DSA 982-1 was announced without any CVE id.

 I went through the 2005 and 2006 CVEs for gpdf and found this:

                        unstable        stable
CAN-2005-2097           VULNERABLE      VULNERABLE
CVE-2005-3191           2.10.0-2        2.8.2-1.2sarge2
CVE-2005-3192           2.10.0-2        2.8.2-1.2sarge2
CVE-2005-3624           2.10.0-2        2.8.2-1.2sarge2
CVE-2005-3625           2.10.0-2        2.8.2-1.2sarge2
CVE-2005-3626           2.10.0-2        2.8.2-1.2sarge2
CVE-2005-3627           2.10.0-2        2.8.2-1.2sarge2
CVE-2005-3628           2.10.0-2        2.8.2-1.2sarge2
CVE-2006-0301           2.10.0-3        2.8.2-1.2sarge3
???                     ???             2.8.2-1.2sarge4


 But I have no guarantee that I did not miss additional vulns that
 were not attached to a CVE id in previous DSAs.

 I need your help to:

 1) find out the CVEs of 2.8.2-1.2sarge4 (please allocate CVE ids or
 tell me which CVE ids are concerned by the fix in case I need to fix
 the unstable package again); it seems this might have been fixed in
 unstable with 2.10.0-3, but I can't tell for sure (perhaps you can?)

 2) check the attached fix for CAN-2005-2097 in stable; you seem to have
 fixed this for:
 kdegraphics    3.3.2-2sarge1   DSA-780-1
 libextractor   0.4.2-2sarge2   DSA-936

 xpdf and tetex-bin were not affected in stable

 I've found only the second of the two hunks of the attached
 "post-3.4.1-kdegraphics-4.diff" in gpdf 2.8.2-1.2sarge4, and it was
 vulnerable.

 I attach the proposed fix for stable, addressing CAN-2005-2097 in gpdf
 2.8.2-1.2sarge4 (and making it gpdf 2.8.2-1.2sarge5), as
 gpdf_2.8.2-1.2sarge5.diff.

 If you agree with the fix, I'll apply the same fix to gpdf 2.10.0-3.

 (post-3.4.1-kdegraphics-4.diff is the only patch I've found for
 CAN-2005-2097, it might be incomplete, please let me know if you know
 of something better.)

   Bye,
-- 
Loïc Minier <[EMAIL PROTECTED]>
diff -u gpdf-2.8.2/debian/changelog gpdf-2.8.2/debian/changelog
--- gpdf-2.8.2/debian/changelog
+++ gpdf-2.8.2/debian/changelog
@@ -1,3 +1,9 @@
+gpdf (2.8.2-1.2sarge5) stable-security; urgency=low
+
+  * Backported fix for CAN-2005-2097.
+
+ -- Loic Minier <[EMAIL PROTECTED]>  Sat, 29 Jul 2006 16:54:48 +0200
+
 gpdf (2.8.2-1.2sarge4) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
only in patch2:
unchanged:
--- gpdf-2.8.2.orig/fofi/FoFiTrueType.cc
+++ gpdf-2.8.2/fofi/FoFiTrueType.cc
@@ -1343,6 +1343,26 @@
     return;
   }
 
+  // make sure the loca table is sane (correct length and entries are
+  // in bounds)
+  i = seekTable("loca");
+  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+    parsedOk = gFalse;
+    return;
+  }
+  for (j = 0; j <= nGlyphs; ++j) {
+    if (locaFmt) {
+      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+    } else {
+      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+    }
+    if (pos < 0 || pos > len) {
+      parsedOk = gFalse;
+    }
+  }
+  if (!parsedOk) {
+    return;
+
   // read the post table
   readPostTable();
   if (!parsedOk) {
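Review bot: The `if (!parsedOk) {` added at the end of this hunk is never closed: after `return;` the hunk goes straight to the blank line and the `// read the post table` context, whereas the kdegraphics version of the same hunk below closes it with `+  }` after its `return;`. The header count `+1343,26` matches the 26 new-side lines shown (3 context, 20 added, 3 context), so the brace is absent from the patch as posted rather than lost in mail transit; applied as-is it leaves the braces unbalanced and the rest of the function inside the conditional. Add `  }` after `    return;` before building sarge5. The enclosing function starts and ends outside the hunk.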
Index: kpdf/xpdf/xpdf/SplashOutputDev.cc
===================================================================
--- kpdf/xpdf/xpdf/SplashOutputDev.cc   (revision 439200)
+++ kpdf/xpdf/xpdf/SplashOutputDev.cc   (working copy)
@@ -621,16 +621,19 @@
       }
       break;
     case fontTrueType:
-      if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
-       goto err2;
+      if ((ff = FoFiTrueType::load(fileName->getCString()))) {
+       codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+       n = 256;
+       delete ff;
+      } else {
+       codeToGID = NULL;
+       n = 0;
       }
-      codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
-      delete ff;
       if (!(fontFile = fontEngine->loadTrueTypeFont(
                           id,
                           fileName->getCString(),
                           fileName == tmpFileName,
-                          codeToGID, 256))) {
+                          codeToGID, n))) {
        error(-1, "Couldn't create a font for '%s'",
              gfxFont->getName() ? gfxFont->getName()->getCString()
                                 : "(unnamed)");
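Review bot: When `FoFiTrueType::load` fails, the new `else` branch continues into `loadTrueTypeFont` with `codeToGID = NULL` and `n = 0`, where the old code jumped to `err2`; whether the font engine tolerates a null map of length 0 is not visible in this hunk. If that is the intended contract, a comment on the `else` such as `// load() failed: pass an empty codeToGID map (confirm loadTrueTypeFont accepts NULL)` would make the fallback read as deliberate. The enclosing switch and function start and end outside the hunk.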
Index: kpdf/xpdf/fofi/FoFiTrueType.cc
===================================================================
--- kpdf/xpdf/fofi/FoFiTrueType.cc      (revision 439200)
+++ kpdf/xpdf/fofi/FoFiTrueType.cc      (working copy)
@@ -1343,6 +1343,27 @@
     return;
   }
 
+  // make sure the loca table is sane (correct length and entries are
+  // in bounds)
+  i = seekTable("loca");
+  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+    parsedOk = gFalse;
+    return;
+  }
+  for (j = 0; j <= nGlyphs; ++j) {
+    if (locaFmt) {
+      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+    } else {
+      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+    }
+    if (pos < 0 || pos > len) {
+      parsedOk = gFalse;
+    }
+  }
+  if (!parsedOk) {
+    return;
+  }
+
   // read the post table
   readPostTable();
   if (!parsedOk) {
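Review bot: `i = seekTable("loca")` is used directly as an index into `tables[]` without guarding against a not-found result; if `seekTable` returns a negative value for a missing table (the hunk does not show its contract) and no earlier check guarantees loca is present, `tables[i].len` reads out of bounds on a font lacking that table. If the check ending just above the hunk already rejects such fonts, say so, e.g. `// loca is guaranteed present by the required-table check above`; otherwise add `if (i < 0) { parsedOk = gFalse; return; }` before the length comparison. The gpdf copy of this hunk earlier in the mail has the same gap. The enclosing function starts and ends outside the hunk.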

--- End Message ---
