retitle 537637 CVE-2009-3050: Stack-based buffer overflow
thanks

Hi,

this issue got a CVE ID:

CVE-2009-3050[0]:
| Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
| 1.8.27 and earlier allows context-dependent attackers to execute
| arbitrary code via a long MEDIA SIZE comment.  NOTE: it was later
| reported that there were additional vectors in htmllib.cxx and
| ps-pdf.cxx using an AFM font file with a long glyph name, but these
| vectors do not cross privilege boundaries.

Unfortunately, the vulnerability described above is not important enough
to get fixed via a regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However, it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

Attached is a debdiff of the changes I made for the 1.8.27-4.1 0-day NMU.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3050
    http://security-tracker.debian.net/tracker/CVE-2009-3050
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
diff -u htmldoc-1.8.27/debian/changelog htmldoc-1.8.27/debian/changelog
--- htmldoc-1.8.27/debian/changelog
+++ htmldoc-1.8.27/debian/changelog
@@ -1,3 +1,11 @@
+htmldoc (1.8.27-4.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed CVE-2009-3050: Stack-based buffer overflow when setting custom page
+    output size (Closes: #537637)
+
+ -- Giuseppe Iuculano <iucul...@debian.org>  Tue, 06 Oct 2009 23:11:59 +0200
+
 htmldoc (1.8.27-4) unstable; urgency=low
 
   * Add watch file.
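Review bot: the `* Fixed CVE-2009-3050` entry records only the custom page size vector, while the same debdiff also bounds the glyph-name reads in htmllib.cxx and ps-pdf.cxx (the AFM font vectors the CVE text mentions). Extend the entry so the changelog lists every change in the upload, e.g. `Also bound the AFM glyph name read in htmllib.cxx and ps-pdf.cxx.`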
only in patch2:
unchanged:
--- htmldoc-1.8.27.orig/htmldoc/ps-pdf.cxx
+++ htmldoc-1.8.27/htmldoc/ps-pdf.cxx
@@ -12512,7 +12512,7 @@
          * assigned charset...
          */
 
-         if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)
+         if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%63s", &width, glyph) != 2)
            continue;
 
          for (ch = 0; ch < 256; ch ++)
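Review bot: `%63s` on the `+` line is only safe if `glyph` is declared with at least 64 bytes, because the field width excludes the terminating NUL; the declaration is outside the hunk, so confirm it, and consider generating the width from the array size with a stringified constant so the two cannot drift apart. Note also that an over-long glyph name is now silently truncated rather than rejected: `sscanf` still returns 2, the truncated name is compared against the charset in the loop below, and the cut-off tail stays unconsumed. If that is not wanted, a `%n` after `%63s` plus a check for leftover characters lets the code `continue` past such a line.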
only in patch2:
unchanged:
--- htmldoc-1.8.27.orig/htmldoc/htmllib.cxx
+++ htmldoc-1.8.27/htmldoc/htmllib.cxx
@@ -2139,7 +2139,7 @@
          * assigned charset...
          */
 
-          if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)
+          if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%63s", &width, glyph) != 2)
            continue;
 
           for (ch = 0; ch < 256; ch ++)
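Review bot: this is the same AFM character-metrics parse as in ps-pdf.cxx (the only difference visible here is `%f` for `width` instead of `%d`), with the same `%63s` limit that must match a 64-byte `glyph` declaration not shown in the hunk. Two copies mean a later change to one `glyph` buffer leaves the other format string wrong; factor the line parse into one helper shared by both files, or at least derive both widths from a single constant next to the buffer declaration.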
only in patch2:
unchanged:
--- htmldoc-1.8.27.orig/htmldoc/util.cxx
+++ htmldoc-1.8.27/htmldoc/util.cxx
@@ -484,7 +484,7 @@
     PageWidth  = 595;
     PageLength = 792;
   }
-  else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
+  else if (sscanf(size, "%fx%f%254s", &width, &length, units) >= 2)
   {
    /*
     * Custom size...
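Review bot: `%254s` bounds the copy into `units`, so that buffer must be at least 255 bytes; its declaration is above the hunk, so check it. Two pre-existing behaviours are worth a second look while touching this line: the `>= 2` test accepts a size with no unit suffix, in which case this call never writes `units` and the custom-size branch must not read it uninitialised; and a suffix longer than 254 characters is now truncated instead of rejected, leaving the rest of the string unconsumed. If the unit has to be one of a known set anyway, a `%n` after `%254s` and a check for leftover characters lets the parser reject such input outright.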

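The overflow in the CVE text and the `%254s` fix in the util.cxx hunk both come down to how sscanf's `%s` and `%Ns` behave: `%s` copies the whole unit suffix into a fixed stack buffer, `%254s` stops after 254 characters but silently drops the rest. The C program below is an added example, not HTMLDOC code and not part of the debdiff: it parses the same "WIDTHxLENGTH[units]" string that set_page_size() reads, ties the field width to the buffer size through the preprocessor, and uses `%n` to reject a truncated or trailing suffix instead of ignoring it. UNITS_MAX, the struct, function and status names and the sample inputs are assumptions chosen for the example.

```c
/*
 * Added example, not HTMLDOC code: bounded parsing of the "WIDTHxLENGTH[units]"
 * string that set_page_size() in util.cxx reads with
 *     sscanf(size, "%fx%f%s", &width, &length, units);
 * An unbounded %s copies the whole unit suffix into a fixed-size stack buffer
 * (the CVE-2009-3050 overflow); "%254s" stops after 254 characters but silently
 * drops the rest.  Here the field width is generated from the buffer size and
 * %n is used to notice leftover input.  UNITS_MAX, the names and the sample
 * strings are assumptions made for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UNITS_MAX 254              /* assumed maximum unit-suffix length */
#define STR_(x) #x
#define STR(x) STR_(x)             /* "%" STR(UNITS_MAX) "s" -> "%254s" */

struct page_size {
    float width;
    float length;
    char  units[UNITS_MAX + 1];    /* %254s writes up to 254 chars plus NUL */
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_MALFORMED = -1,          /* no "WxL" pair at the start */
    PARSE_UNITS_TOO_LONG = -2,     /* suffix exceeds UNITS_MAX: would be truncated */
    PARSE_TRAILING_DATA = -3       /* text follows the unit suffix */
};

/* Parse "WIDTHxLENGTH[units]".  The suffix is optional, mirroring the ">= 2"
 * test in set_page_size(); trailing whitespace is tolerated. */
enum parse_status parse_custom_page_size(const char *size, struct page_size *out)
{
    int consumed = -1;             /* %n is only stored if the %s before it matched */
    memset(out, 0, sizeof *out);

    int n = sscanf(size, "%fx%f%" STR(UNITS_MAX) "s%n",
                   &out->width, &out->length, out->units, &consumed);
    if (n < 2)
        return PARSE_MALFORMED;
    if (n == 2)                    /* %s matched nothing: only whitespace was left */
        return PARSE_OK;

    /* The suffix matched; inspect what sscanf left behind. */
    const char *rest = size + consumed;
    while (*rest != '\0' && isspace((unsigned char)*rest))
        rest++;
    if (*rest == '\0')
        return PARSE_OK;
    /* A full 254-char suffix followed directly by more text is the tail that
     * %254s cut off; anything else is unrelated trailing data. */
    if (strlen(out->units) == UNITS_MAX && !isspace((unsigned char)size[consumed]))
        return PARSE_UNITS_TOO_LONG;
    return PARSE_TRAILING_DATA;
}

/* Status for a literal size string. */
int status_for(const char *size)
{
    struct page_size ps;
    return parse_custom_page_size(size, &ps);
}

/* Status for "8.5x11" followed by n copies of 'a' (n < 1000): the shape of the
 * long MEDIA SIZE value described in the CVE text, built here as sample input. */
int status_for_suffix_len(size_t n)
{
    char buf[1024 + 8];
    size_t head = (size_t)snprintf(buf, sizeof buf, "8.5x11");
    if (n >= sizeof buf - head)
        return PARSE_MALFORMED;   /* out of range for this demo buffer */
    memset(buf + head, 'a', n);
    buf[head + n] = '\0';
    return status_for(buf);
}

int main(void)
{
    const char *samples[] = { "8.5x11in", "595x842", "210x297mm",
                              "8.5x11in junk", "letter" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], status_for(samples[i]));
    printf("254-char suffix -> %d\n", status_for_suffix_len(254));
    printf("255-char suffix -> %d\n", status_for_suffix_len(255));
    return 0;
}
```

The stringified constant keeps the width in the format string and the array bound in one place, which is the drift the separate `%63s` and `%254s` literals in the debdiff invite. The `%n` check is what distinguishes "reject an over-long suffix" from "quietly keep its first 254 characters", and it costs nothing at parse time.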