Package: evince
Version: 0.4.0-2
Severity: critical
Tags: security, patch
This is the same vulnerability as reported against gv as bug 398292,
since evince has old gv code embedded (I've updated the wiki to reflect
this: http://wiki.debian.org/EmbeddedCodeCopies)
Patch attached (applies to both 0.4.0 and 0.6.1).
--
Kees Cook @outflux.net
diff -Nur evince-0.4.0/ps/ps.c evince-0.4.0.new/ps/ps.c
--- evince-0.4.0/ps/ps.c 2005-06-17 06:33:00.000000000 -0700
+++ evince-0.4.0.new/ps/ps.c 2006-12-04 12:28:32.280683848 -0800
@@ -1225,6 +1225,9 @@
quoted = 1;
line++;
while(*line && !(*line == ')' && level == 0)) {
+ if (cp - text >= PSLINELENGTH - 2) {
+ return NULL;
+ }
if(*line == '\\') {
if(*(line + 1) == 'n') {
*cp++ = '\n';
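Review bot: The bound `cp - text >= PSLINELENGTH - 2` in the quoted-string loop is sufficient only if every branch of the loop body stores at most one byte per iteration, and only the `\n` branch is visible here. The rest of the loop body and the declaration of `text` lie outside the hunk, so both that invariant and the assumption that `text` holds PSLINELENGTH bytes need confirming against the full function. The same guard is repeated in the unquoted loop of the next hunk, and neither copy explains the margin of 2. I would add a comment above the check such as `/* at most one byte is stored per iteration; keep room for it and for the NUL written after the loop */`.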
@@ -1295,8 +1298,12 @@
}
}
else {
- while(*line && !(*line == ' ' || *line == '\t' || *line == '\n'))
+ while(*line && !(*line == ' ' || *line == '\t' || *line == '\n')) {
+ if (cp - text >= PSLINELENGTH - 2) {
+ return NULL;
+ }
*cp++ = *line++;
+ }
}
*cp = '\0';
if(next_char)
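Review bot: Both new `return NULL;` exits (in the unquoted loop here and in the quoted loop of the previous hunk) leave the function before the `if(next_char)` step at the end of this hunk. The caller's next-character out-parameter is therefore presumably left unset for an over-long token. A caller that keeps parsing from that pointer after a NULL result would use a stale or uninitialised value; the callers are not visible here, so each needs checking. Assuming the statement after `if(next_char)` stores `line`, the failure path can be made well defined with `if (next_char) *next_char = line;` immediately before each `return NULL;`. A short comment should also say that NULL now signals an over-long token in addition to its earlier meaning.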