Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
tags 520920 + patch
stop

On 23.03.09 Vincent Lefevre (vinc...@vinc17.org) wrote:

> Hi,
>
> I've got the following error with bibtex (someone else here mentioned
> the same problem on a different machine, but on the same set of files,
> possibly a slightly different version). Unfortunately I don't have a
> simple testcase (I'll try to make one, but this may be difficult), and
> the files are private.

Patch exists made by KB:
http://tug.org/mailman/htdig/tex-live/2009-August/021998.html

H.
-- 
sigmentation fault

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
severity 520920 important
stop

On 26.03.09 Vincent Lefevre (vinc...@vinc17.org) wrote:

> Hi,
>
> Now, as here the bug seems to require a large bibtex file and action
> from the user (assuming no tex-compilation servers), the severity can
> probably be lowered.

[x] Done

> BTW, can bibtex8 safely be used in place of bibtex (no compatibility
> problems)?

I googled a little bit and found only these two main differences:

- the sort order has changed
  * bibtex: 0-9,A-Z,a-z
  * bibtex8: 0-9,A,a,B,b,C etc.
- bibtex8 returns exit code 1 in case of warnings.

I propose to remove the old bibtex binary and document that change
prominently in the NEWS file.

H.
-- 
sigmentation fault
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
On 23.03.09 Vincent Lefevre (vinc...@vinc17.org) wrote:

Hi Vincent,

> Package: texlive-base-bin
> Version: 2007.dfsg.2-5
> Severity: grave
> Tags: security
> Justification: user security hole
>
> (Note: I suppose that there's some memory corruption, that can lead to
> security problems, hence the severity.)
>
> I've got the following error with bibtex (someone else here mentioned
> the same problem on a different machine, but on the same set of files,
> possibly a slightly different version). Unfortunately I don't have a
> simple testcase (I'll try to make one, but this may be difficult), and
> the files are private.

I can reproduce the problem using bibtex. Then I tried bibtex8 and could
generate a livre_fp.bbl file (blg file is attached).

Do you still assume it is a user security hole, which justifies the
severity grave, or can you accept the workaround and hence a lower
severity?

H.
-- 
sigmentation fault

This is 8-bit Big BibTeX version 0.99c
Implementation: C for Unix
Release version: 3.71 (31 May 2005)
The 8-bit codepage and sorting file: 88591lat.csf
The top-level auxiliary file: livre_fp.aux
A level-1 auxilliary file: ch_introduction.aux
A level-1 auxilliary file: ch_definitions.aux
A level-1 auxilliary file: ch_formats.aux
A level-1 auxilliary file: ch_smallalgs.aux
A level-1 auxilliary file: ch_fma.aux
A level-1 auxilliary file: ch_summation.aux
A level-1 auxilliary file: ch_languages.aux
A level-1 auxilliary file: ch_algorithms.aux
A level-1 auxilliary file: ch_hard.aux
A level-1 auxilliary file: ch_soft.aux
A level-1 auxilliary file: ch_elemfun.aux
A level-1 auxilliary file: ch_correctrounding.aux
A level-1 auxilliary file: ch_certifying.aux
A level-1 auxilliary file: ch_extending.aux
A level-1 auxilliary file: ch_nttools.aux
The style file: plain.bst
Database file #1: biblio.bib
Warning--empty institution in SebGou02
Warning--empty note in Gonnet2002
Warning--empty publisher in Newton1664
Warning--empty institution in SunInterval2002
Warning--empty note in May2008
Warning--empty note in Bernstein2001
Here's how much of BibTeX's memory you used:
 Cites:            405 out of 750
 Fields:          5394 out of 17250
 Hash table:      3854 out of 5000
 Strings:         2942 out of 4000
 String pool:    64883 out of 65530
 Wizard functions: 2118 out of 3000
(There were 6 warnings)
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
Hi,

On 2009-03-26 14:07:08 +0100, Hilmar Preusse wrote:
> I can reproduce the problem using bibtex. Then I tried bibtex8 and could
> generate a livre_fp.bbl file (blg file is attached).
>
> Do you still assume it is a user security hole, which justifies the
> severity grave, or can you accept the workaround and hence a lower
> severity?

I've set that in doubt. I think that all buffer overflows should seriously
be taken into consideration as they can potentially be a real security
hole (remember when Debian servers were compromised even though an exploit
was thought to be impossible). Now, as here the bug seems to require a
large bibtex file and action from the user (assuming no tex-compilation
servers), the severity can probably be lowered.

BTW, can bibtex8 safely be used in place of bibtex (no compatibility
problems)?

-- 
Vincent Lefèvre vinc...@vinc17.org - Web: http://www.vinc17.org/
100% accessible validated (X)HTML - Blog: http://www.vinc17.org/blog/
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
On 26.03.09 Vincent Lefevre (vinc...@vinc17.org) wrote:

Hi,

> BTW, can bibtex8 safely be used in place of bibtex (no compatibility
> problems)?

From the manual page:

  8-bit BibTeX is an enhanced, portable C version of BibTeX 0.99. It has
  been enhanced in these areas:

  - conversion to big (32-bit) capacity
  - capacity selectable at run time
  - flexible support for non-English languages using 8-bit character sets
  - well matched to LaTeX2e and its inputenc package

  Oren Patashnik, the creator of BibTeX, is working on a new BibTeX 1.0
  that will be a modern implementation supporting large capacities and
  non-English languages (see TUGboat, pages 269--274, volume 15, number 3,
  September 1994). He is content for this version to be released, but
  hopes that people will eventually migrate to BibTeX 1.0 when it is
  released. Its release date is uncertain at the moment.

So I guess bibtex8 is compatible, but I can't really say. I'll ask some
more experienced people.

H.
-- 
sigmentation fault
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
On 24.03.09 Norbert Preining (prein...@logic.at) wrote:

Hi Norbert,

> > > Can you please send a *MINIMAL* test suite? Anything else is hard
> > > to trace down.
> >
> > Attached. This is still large, but this seems to be needed. Just type
> > bibtex livre_fp in the directory. thanks.
>
> I can reproduce that, too. Is it ok if I forward these example files
> to upstream?

Who is upstream in your opinion? Are you sure this is a problem in
bibtex? It could be in glibc and kpathsea too (IMHO).

H.
-- 
sigmentation fault
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
On 2009-03-25 15:23:33 +0100, Hilmar Preusse wrote:
> Who is upstream in your opinion? Are you sure this is a problem in
> bibtex? It could be in glibc and kpathsea too (IMHO).

Since the crash occurs in kpathsea, perhaps, but see the valgrind output
below (I doubt this is a glibc bug, even though the crash doesn't occur
under Mac OS X -- but maybe one needs a different testcase for Mac OS X).

$ valgrind bibtex livre_fp
==13096== Memcheck, a memory error detector.
==13096== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==13096== Using LibVEX rev 1884, a library for dynamic binary translation.
==13096== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==13096== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==13096== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==13096== For more details, rerun with: -v
==13096==
This is BibTeX, Version 0.99c (Web2C 7.5.6)
The top-level auxiliary file: livre_fp.aux
A level-1 auxiliary file: ch_introduction.aux
A level-1 auxiliary file: ch_definitions.aux
A level-1 auxiliary file: ch_formats.aux
A level-1 auxiliary file: ch_smallalgs.aux
A level-1 auxiliary file: ch_fma.aux
A level-1 auxiliary file: ch_summation.aux
A level-1 auxiliary file: ch_languages.aux
A level-1 auxiliary file: ch_algorithms.aux
A level-1 auxiliary file: ch_hard.aux
A level-1 auxiliary file: ch_soft.aux
A level-1 auxiliary file: ch_elemfun.aux
A level-1 auxiliary file: ch_correctrounding.aux
A level-1 auxiliary file: ch_certifying.aux
A level-1 auxiliary file: ch_extending.aux
A level-1 auxiliary file: ch_nttools.aux
The style file: plain.bst
==13096== Use of uninitialised value of size 8
==13096==    at 0x40F410: (within /usr/bin/bibtex)
==13096==    by 0x41237C: (within /usr/bin/bibtex)
==13096==    by 0x412675: (within /usr/bin/bibtex)
==13096==    by 0x52DD5A5: (below main) (libc-start.c:222)
Database file #1: biblio.bib
==13096==
==13096== Use of uninitialised value of size 8
==13096==    at 0x40D80D: (within /usr/bin/bibtex)
==13096==    by 0x40EE41: (within /usr/bin/bibtex)
==13096==    by 0x40F784: (within /usr/bin/bibtex)
==13096==    by 0x412374: (within /usr/bin/bibtex)
==13096==    by 0x412675: (within /usr/bin/bibtex)
==13096==    by 0x52DD5A5: (below main) (libc-start.c:222)
==13096==
==13096== Use of uninitialised value of size 8
==13096==    at 0x40D80D: (within /usr/bin/bibtex)
==13096==    by 0x40DD74: (within /usr/bin/bibtex)
==13096==    by 0x40E19F: (within /usr/bin/bibtex)
==13096==    by 0x40EF29: (within /usr/bin/bibtex)
==13096==    by 0x40F784: (within /usr/bin/bibtex)
==13096==    by 0x412374: (within /usr/bin/bibtex)
==13096==    by 0x412675: (within /usr/bin/bibtex)
==13096==    by 0x52DD5A5: (below main) (libc-start.c:222)
==13096==
==13096== Invalid write of size 1
==13096==    at 0x407224: (within /usr/bin/bibtex)
==13096==    by 0x40BE14: (within /usr/bin/bibtex)
==13096==    by 0x40BB14: (within /usr/bin/bibtex)
==13096==    by 0x40BF31: (within /usr/bin/bibtex)
==13096==    by 0x40BB14: (within /usr/bin/bibtex)
==13096==    by 0x40BB14: (within /usr/bin/bibtex)
==13096==    by 0x40BB14: (within /usr/bin/bibtex)
==13096==    by 0x4109E1: (within /usr/bin/bibtex)
==13096==    by 0x412374: (within /usr/bin/bibtex)
==13096==    by 0x412675: (within /usr/bin/bibtex)
==13096==    by 0x52DD5A5: (below main) (libc-start.c:222)
==13096==  Address 0x56e4b21 is 0 bytes after a block of size 65,001 alloc'd
==13096==    at 0x4C2391E: malloc (vg_replace_malloc.c:207)
==13096==    by 0x4E34AC4: xmalloc (in /usr/lib/libkpathsea.so.4.0.0)
==13096==    by 0x411FDD: (within /usr/bin/bibtex)
==13096==    by 0x412675: (within /usr/bin/bibtex)
==13096==    by 0x52DD5A5: (below main) (libc-start.c:222)
==13096==
==13096== Invalid read of size 1
==13096==    at 0x404959: (within /usr/bin/bibtex)
==13096==    by 0x4073C4: (within /usr/bin/bibtex)
==13096==    by 0x40BE44: (within /usr/bin/bibtex)
==13096==    by 0x40BB14: (within /usr/bin/bibtex)
==13096==    by 0x40BB14: (within /usr/bin/bibtex)
==13096==    by 0x40BB14: (within /usr/bin/bibtex)
==13096==    by 0x4109E1: (within /usr/bin/bibtex)
==13096==    by 0x412374: (within /usr/bin/bibtex)
==13096==    by 0x412675: (within /usr/bin/bibtex)
==13096==    by 0x52DD5A5: (below main) (libc-start.c:222)
==13096==  Address 0x56e4b21 is 0 bytes after a block of size 65,001 alloc'd
==13096==    at 0x4C2391E: malloc (vg_replace_malloc.c:207)
==13096==    by 0x4E34AC4: xmalloc (in /usr/lib/libkpathsea.so.4.0.0)
==13096==    by 0x411FDD: (within /usr/bin/bibtex)
==13096==    by 0x412675: (within /usr/bin/bibtex)
==13096==    by 0x52DD5A5: (below main) (libc-start.c:222)
Warning--empty institution in SebGou02
Warning--empty note in Gonnet2002
Warning--empty publisher in Newton1664
Warning--empty institution in SunInterval2002
Warning--empty note in May2008
Warning--empty note in Bernstein2001
(There were 6 warnings)
==13096==
==13096== ERROR SUMMARY: 48 errors from 5
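The "Invalid write of size 1 ... 0 bytes after a block of size 65,001" that Memcheck reports above, together with the "String pool: 64883 out of 65530" line in the bibtex8 log, is the signature of a fixed-capacity buffer written at its fill pointer without a bounds check; once that happens, the allocator's bookkeeping behind the block is corrupted and glibc aborts on the next realloc with "invalid next size". The following C is an added illustration written for this thread, not bibtex's, bibtex8's or kpathsea's code, and it does not claim to reproduce their internals. It models a string pool as one contiguous heap block and puts the unchecked append next to two hardened forms, one that refuses the append and one that grows the block first. The type and function names, the 16-byte pool size and the sample keys (the cite keys from the warnings above, used only as strings) are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not bibtex's code): all strings stored back to back
 * in one heap block, plus a fill pointer. */
typedef struct {
    char *buf;      /* heap block, like the xmalloc'd block in the trace */
    size_t cap;     /* bytes allocated */
    size_t used;    /* bytes in use; the next append starts here */
    size_t refused; /* appends turned away by the checked policy */
} strpool;

typedef struct { size_t used; size_t cap; size_t refused; } pool_stats;

int pool_init(strpool *p, size_t cap) {
    p->buf = malloc(cap);
    if (p->buf == NULL) return -1;
    p->cap = cap;
    p->used = 0;
    p->refused = 0;
    return 0;
}

void pool_free(strpool *p) {
    free(p->buf);
    p->buf = NULL;
    p->cap = p->used = 0;
}

/* Defect pattern: copy at the fill pointer without comparing used + len
 * against cap. With the pool nearly full, one more string runs past the
 * end of the block, which Memcheck flags as an invalid write 0 bytes
 * after the block and glibc later reports as "realloc(): invalid next
 * size". Kept for comparison only; the driver below never calls it. */
void pool_append_unchecked(strpool *p, const char *s, size_t len) {
    memcpy(p->buf + p->used, s, len);
    p->used += len;
}

/* Hardened form 1: check first and refuse what does not fit, so the heap
 * stays intact and the caller can report a capacity overflow instead. */
int pool_append_checked(strpool *p, const char *s, size_t len) {
    if (len > p->cap - p->used) { /* used <= cap always, so no underflow */
        p->refused++;
        return -1;
    }
    memcpy(p->buf + p->used, s, len);
    p->used += len;
    return 0;
}

/* Hardened form 2: grow the block (doubling) before copying, so capacity
 * is not a fixed limit. On realloc failure the old block stays valid. */
int pool_append_growing(strpool *p, const char *s, size_t len) {
    if (len > p->cap - p->used) {
        if (len > SIZE_MAX - p->used) return -1; /* used + len would wrap */
        size_t need = p->used + len;
        size_t ncap = p->cap ? p->cap : 1;
        while (ncap < need) {
            if (ncap > SIZE_MAX / 2) return -1;
            ncap *= 2;
        }
        char *nb = realloc(p->buf, ncap);
        if (nb == NULL) return -1;
        p->buf = nb;
        p->cap = ncap;
    }
    memcpy(p->buf + p->used, s, len);
    p->used += len;
    return 0;
}

/* Constructed sample: three keys totalling 25 bytes into a 16-byte pool. */
static const char *const sample_keys[] = { "SebGou02", "May2008", "Newton1664" };
#define SAMPLE_COUNT (sizeof sample_keys / sizeof sample_keys[0])
#define SAMPLE_CAP 16

/* Checked policy: the third key (10 bytes) no longer fits and is refused. */
pool_stats demo_checked(void) {
    pool_stats st = { 0, 0, 0 };
    strpool p;
    if (pool_init(&p, SAMPLE_CAP) != 0) return st;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        (void)pool_append_checked(&p, sample_keys[i], strlen(sample_keys[i]));
    st.used = p.used; st.cap = p.cap; st.refused = p.refused;
    pool_free(&p);
    return st;
}

/* Growing policy: the block doubles to 32 bytes and all 25 bytes land. */
pool_stats demo_growing(void) {
    pool_stats st = { 0, 0, 0 };
    strpool p;
    if (pool_init(&p, SAMPLE_CAP) != 0) return st;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (pool_append_growing(&p, sample_keys[i], strlen(sample_keys[i])) != 0) break;
    st.used = p.used; st.cap = p.cap; st.refused = p.refused;
    pool_free(&p);
    return st;
}

int main(void) {
    pool_stats c = demo_checked(), g = demo_growing();
    printf("checked: %zu of %zu bytes used, %zu append(s) refused\n", c.used, c.cap, c.refused);
    printf("growing: %zu of %zu bytes used, capacity grown from %d\n", g.used, g.cap, SAMPLE_CAP);
    return 0;
}
```

Either hardened form turns a silent heap corruption into a visible condition: the checked variant is the minimal fix for a fixed-table design, and a capacity report such as the one bibtex8 prints is only trustworthy when every writer into the pool goes through a check like this.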
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
On Wed, 25 Mar 2009, Hilmar Preusse wrote:
> Who is upstream in your opinion? Are you sure this is a problem in
> bibtex? It could be in glibc and kpathsea too (IMHO).

I would forward it to the texlive and/or the tex-k list for now and ask
for help. Hilmar, can you do that please, my laptop is broken, I have to
use others' computers for now and cannot come to anything on it for the
time being.

Thanks

Best wishes

Norbert

---
Dr. Norbert Preining <prein...@logic.at>        Vienna University of Technology
Debian Developer <prein...@debian.org>                         Debian TeX Group
gpg DSA: 0x09C5B094      fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
---
THRUMSTRER (n.)
The irritating man next to you in a concert who thinks he's (a) the
conductor, (b) the brass section.
--- Douglas Adams, The Meaning of Liff
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
Hi Vincent,

> > Can you please send a *MINIMAL* test suite? Anything else is hard to
> > trace down.
>
> Attached. This is still large, but this seems to be needed. Just type
> bibtex livre_fp in the directory. thanks.

I can reproduce that, too. Is it ok if I forward these example files to
upstream?

Best wishes

Norbert

---
Dr. Norbert Preining <prein...@logic.at>        Vienna University of Technology
Debian Developer <prein...@debian.org>                         Debian TeX Group
gpg DSA: 0x09C5B094      fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
---
PABBY (n.,vb.)
(Fencing term.) The play, or manoeuvre, where one swordsman leaps on to
the table and pulls the battleaxe off the wall.
--- Douglas Adams, The Meaning of Liff
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
On 2009-03-24 07:56:21 +0100, Norbert Preining wrote:
> Is it ok if I forward these example files to upstream?

Yes, I randomized the file (in case there would have been a problem
related to copyright or whatever with the contents).

-- 
Vincent Lefèvre vinc...@vinc17.org - Web: http://www.vinc17.org/
100% accessible validated (X)HTML - Blog: http://www.vinc17.org/blog/
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
Package: texlive-base-bin
Version: 2007.dfsg.2-5
Severity: grave
Tags: security
Justification: user security hole

(Note: I suppose that there's some memory corruption, that can lead to
security problems, hence the severity.)

I've got the following error with bibtex (someone else here mentioned
the same problem on a different machine, but on the same set of files,
possibly a slightly different version). Unfortunately I don't have a
simple testcase (I'll try to make one, but this may be difficult), and
the files are private.

vin:~/private/fp_arith pdfnlatex livre_fp.tex
Making backup of old .idx file: livre_fp.idx.bak.
Then makeindex...
This is makeindex, version 2.14 [02-Oct-2002] (kpathsea + Thai support).
Scanning input file livre_fp.idx....done (651 entries accepted, 0 rejected).
Sorting entries....done (6772 comparisons).
Generating output file livre_fp.ind....done (493 lines written, 0 warnings).
Output written in livre_fp.ind.
Transcript written in livre_fp.ilg.
Making backup of old .aux file: livre_fp.aux.bak
Need bibtex run before first pass...
This is BibTeX, Version 0.99c (Web2C 7.5.6)
The top-level auxiliary file: livre_fp.aux
A level-1 auxiliary file: preface.aux
A level-1 auxiliary file: ch_introduction.aux
A level-1 auxiliary file: ch_definitions.aux
A level-1 auxiliary file: ch_formats.aux
A level-1 auxiliary file: ch_smallalgs.aux
A level-1 auxiliary file: ch_fma.aux
A level-1 auxiliary file: ch_summation.aux
A level-1 auxiliary file: ch_languages.aux
A level-1 auxiliary file: ch_algorithms.aux
A level-1 auxiliary file: ch_hard.aux
A level-1 auxiliary file: ch_soft.aux
A level-1 auxiliary file: ch_elemfun.aux
A level-1 auxiliary file: ch_correctrounding.aux
A level-1 auxiliary file: ch_certifying.aux
A level-1 auxiliary file: ch_extending.aux
A level-1 auxiliary file: perspectives.aux
A level-1 auxiliary file: ch_nttools.aux
The style file: plain.bst
Database file #1: biblio.bib
*** glibc detected *** bibtex: realloc(): invalid next size: 0x01d47d90 ***
======= Backtrace: =========
/lib64/libc.so.6[0x7f899a8c81b8]
/lib64/libc.so.6[0x7f899a8cc101]
/lib64/libc.so.6(realloc+0x12f)[0x7f899a8cce5f]
/usr/lib/libkpathsea.so.4(xrealloc+0xf)[0x7f899ae39d9f]
bibtex[0x40337a]
bibtex[0x40346d]
bibtex[0x40be45]
bibtex[0x40bb15]
bibtex[0x40bb15]
bibtex[0x40bb15]
bibtex[0x4109e2]
bibtex[0x412375]
bibtex[0x412676]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x7f899a8745a6]
bibtex[0x401239]
======= Memory map: ========
0040-00417000 r-xp 08:01 5489883 /usr/bin/bibtex
00617000-00618000 rw-p 00017000 08:01 5489883 /usr/bin/bibtex
00618000-006e rw-p 00618000 00:00 0
01d3d000-01fdf000 rw-p 01d3d000 00:00 0 [heap]
7f899400-7f8994021000 rw-p 7f899400 00:00 0
7f8994021000-7f899800 ---p 7f8994021000 00:00 0
7f899a63f000-7f899a655000 r-xp 08:01 28082213 /lib/libgcc_s.so.1
7f899a655000-7f899a855000 ---p 00016000 08:01 28082213 /lib/libgcc_s.so.1
7f899a855000-7f899a856000 rw-p 00016000 08:01 28082213 /lib/libgcc_s.so.1
7f899a856000-7f899a99f000 r-xp 08:01 28082578 /lib/libc-2.9.so
7f899a99f000-7f899ab9f000 ---p 00149000 08:01 28082578 /lib/libc-2.9.so
7f899ab9f000-7f899aba3000 r--p 00149000 08:01 28082578 /lib/libc-2.9.so
7f899aba3000-7f899aba4000 rw-p 0014d000 08:01 28082578 /lib/libc-2.9.so
7f899aba4000-7f899aba9000 rw-p 7f899aba4000 00:00 0
7f899aba9000-7f899ac2b000 r-xp 08:01 28082575 /lib/libm-2.9.so
7f899ac2b000-7f899ae2a000 ---p 00082000 08:01 28082575 /lib/libm-2.9.so
7f899ae2a000-7f899ae2b000 r--p 00081000 08:01 28082575 /lib/libm-2.9.so
7f899ae2b000-7f899ae2c000 rw-p 00082000 08:01 28082575 /lib/libm-2.9.so
7f899ae2c000-7f899ae3d000 r-xp 08:01 5603886 /usr/lib/libkpathsea.so.4.0.0
7f899ae3d000-7f899b03d000 ---p 00011000 08:01 5603886 /usr/lib/libkpathsea.so.4.0.0
7f899b03d000-7f899b03e000 rw-p 00011000 08:01 5603886 /usr/lib/libkpathsea.so.4.0.0
7f899b03e000-7f899b041000 rw-p 7f899b03e000 00:00 0
7f899b041000-7f899b05e000 r-xp 08:01 28082577 /lib/ld-2.9.so
7f899b17d000-7f899b237000 rw-p 7f899b17d000 00:00 0
7f899b257000-7f899b25d000 rw-p 7f899b257000 00:00 0
7f899b25d000-7f899b25e000 r--p 0001c000 08:01 28082577 /lib/ld-2.9.so
7f899b25e000-7f899b25f000 rw-p 0001d000 08:01 28082577 /lib/ld-2.9.so
7fffa3249000-7fffa325f000 rw-p 7ffe9000 00:00 0 [stack]
7fffa33fe000-7fffa33ff000 r-xp 7fffa33fe000 00:00 0 [vdso]
ff60-ff601000 r-xp 00:00 0 [vsyscall]
Abort (core dumped)

The backtrace:

vin:~/private/fp_arith gdb =bibtex
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
On Mon, 23 Mar 2009, Vincent Lefevre wrote:
> (Note: I suppose that there's some memory corruption, that can lead to
> security problems, hence the severity.)
>
> I've got the following error with bibtex (someone else here mentioned
> the same problem on a different machine, but on the same set of files,

Can you please send a *MINIMAL* test suite? Anything else is hard to
trace down.

Best wishes

Norbert

---
Dr. Norbert Preining <prein...@logic.at>        Vienna University of Technology
Debian Developer <prein...@debian.org>                         Debian TeX Group
gpg DSA: 0x09C5B094      fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
---
YADDLETHORPE (vb.)
(Of offended pooves.) To exit huffily from a boutique.
--- Douglas Adams, The Meaning of Liff
Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
On 2009-03-23 17:40:13 +0100, Norbert Preining wrote:
> Can you please send a *MINIMAL* test suite? Anything else is hard to
> trace down.

I think I'll be able to do it tonight.

-- 
Vincent Lefèvre vinc...@vinc17.org - Web: http://www.vinc17.org/
100% accessible validated (X)HTML - Blog: http://www.vinc17.org/blog/
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)