Hi!

Hilmar, where did you see patches like

+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+            pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {

in the current tetex-bin package? debian/patches/patch-CAN-2004-0888
already has correct patches. Also, "advanced static code analysis"
shows that the wrong approach is not used:

~/tex/tetex-bin-2.0.2 $ grep -r 'pagesSize.*sizeof' .
./libs/xpdf/xpdf/Catalog.cc:  pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
./libs/xpdf/xpdf/Catalog.cc:  pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
./libs/xpdf/xpdf/Catalog.cc:    pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
./libs/xpdf/xpdf/Catalog.cc:    pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
./debian/patches/patch-CAN-2004-0888:+  if (pagesSize >= INT_MAX/sizeof(Page *) ||
./debian/patches/patch-CAN-2004-0888:+      pagesSize >= INT_MAX/sizeof(Ref)) {
./debian/patches/patch-CAN-2004-0888:   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
./debian/patches/patch-CAN-2004-0888:   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
./debian/patches/patch-CAN-2004-0888:+        if (pagesSize >= INT_MAX/sizeof(Page *) ||
./debian/patches/patch-CAN-2004-0888:+            pagesSize >= INT_MAX/sizeof(Ref)) {
./debian/patches/patch-CAN-2004-0888:   pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
./debian/patches/patch-CAN-2004-0888:   pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));

At the time the patch was fixed, the new CAN number was not yet
assigned, so it does not appear in the changelog. So it would be nice
to add the CAN to the changelog.

This was the relevant upload (I think):

tetex-bin (2.0.2-24) unstable; urgency=high

  * SECURITY UPDATE: more buffer overflows in xpdf library, thanks to
    Martin Pitt <[EMAIL PROTECTED]> for the tetex-bin-specific patch, which
    fixes more integer overflows discovered by Markus Meissner
    <[EMAIL PROTECTED]>, thanks to him for discovering this.
  * Added debian/patches/patch-CAN-2004-0888. This patch contains the
    first fix included in the last upload, as well as the additional fixes
    from this upload, which are:
  [...]

Please close this bug.

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer            http://www.ubuntulinux.org
Debian GNU/Linux Developer       http://www.debian.org

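The two checks contrasted in the mail differ in one important way: the rejected form multiplies first and then divides back, so it relies on the result of a signed `int` overflow, which C leaves undefined and which a compiler may simply fold away; the form in patch-CAN-2004-0888 divides `INT_MAX` by the element size before comparing, so no overflowing multiplication ever happens. The following stand-alone C program is an added illustration of that divide-before-multiply guard, written for this page and not taken from xpdf, tetex-bin or the Debian patch. The names `count_fits_int` and `checked_array_alloc` are invented for the example, and the 32-element growth step mirrors the shape of the `grealloc` calls in Catalog.cc without claiming to reproduce xpdf's actual increment.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Return 1 if count * elem_size can be represented as an int (the size type
 * xpdf's gmalloc/grealloc take), 0 if it would overflow.  Like the patch's
 * "pagesSize >= INT_MAX/sizeof(Page *)" test, the division is done on the
 * constant side, so the comparison itself can never overflow.  Negative
 * counts and a zero element size are rejected outright.
 */
int count_fits_int(int count, size_t elem_size)
{
    if (count < 0 || elem_size == 0)
        return 0;
    return (size_t)count < (size_t)INT_MAX / elem_size;
}

/*
 * Allocate an array of count elements of elem_size bytes each, or return
 * NULL when the byte count would not fit in an int.  The guard runs before
 * the multiplication, which is the whole point of the fix.
 */
void *checked_array_alloc(int count, size_t elem_size)
{
    if (!count_fits_int(count, elem_size))
        return NULL;
    return malloc((size_t)count * elem_size);
}

/*
 * Grow an array by GROW_STEP elements, the way Catalog.cc extends its
 * pages/pageRefs tables.  Returns 1 on success, 0 on overflow or allocation
 * failure; on failure the caller's pointer and capacity are left untouched.
 */
#define GROW_STEP 32

int checked_array_grow(void **arr, int *capacity, size_t elem_size)
{
    int new_cap;
    void *p;

    if (*capacity > INT_MAX - GROW_STEP)       /* the addition itself could overflow */
        return 0;
    new_cap = *capacity + GROW_STEP;
    if (!count_fits_int(new_cap, elem_size))   /* the byte count could overflow */
        return 0;
    p = realloc(*arr, (size_t)new_cap * elem_size);
    if (p == NULL)
        return 0;
    *arr = p;
    *capacity = new_cap;
    return 1;
}

int main(void)
{
    void **pages = NULL;
    int pagesSize = 0;

    /* Ordinary growth succeeds. */
    if (checked_array_grow((void **)&pages, &pagesSize, sizeof(void *)))
        printf("grown to %d entries\n", pagesSize);

    /* A hostile page count from an untrusted file is refused before any
     * undersized buffer can be handed out. */
    int hostile = INT_MAX / (int)sizeof(void *);   /* constructed value */
    if (checked_array_alloc(hostile, sizeof(void *)) == NULL)
        printf("rejected %d elements of %zu bytes\n", hostile, sizeof(void *));

    free(pages);
    return 0;
}
```

The `>=` in the original patch (kept here as `<` on the accepted side) deliberately rejects the boundary case where `count * elem_size` would equal `INT_MAX` exactly, leaving headroom for any rounding the allocator applies.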