Your message dated Tue, 29 Mar 2005 15:25:37 +0200
with message-id <[EMAIL PROTECTED]>
and subject line tetex-bin not vulnerable
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Mar 2005 09:16:52 +0000
Date: Fri, 18 Mar 2005 10:16:19 +0100
From: Hilmar Preusse <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)


Package: tetex-bin
Version: 2.0.2-26
Severity: critical
Tags: security

Hi all,

As recently discovered, the patch which fixed CAN-2004-0888 seems to
be broken on all 64-bit platforms (tested only on ia64, though).[1]

Attached are two patches, which should fix that. They are simply
stolen from the RedHat BTS.[2]

H.

[1] e.g.: http://www.auscert.org.au/render.html?it=4887
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393
-- 
sigmentation fault

Attachment: CAN-2005-0206-1.diff

@@ -186,6 +192,11 @@
       }
       if (start >= pagesSize) {
        pagesSize += 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+            pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
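
Review bot: this attachment starts at the @@ line with no ---/+++ file header, so it cannot be applied as posted, and from the pagesSize, Page * and Ref lines it covers the same growth path that CAN-2005-0206.diff patches in Catalog.cc at -190. The two versions disagree: this one tests both sizeof(Page *) and sizeof(Ref), the other only sizeof(Page *). Ship a single hunk with its file header and keep the two-term test.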

Attachment: CAN-2005-0206.diff

--- XRef.cc.orig        2004-09-17 23:54:38.000000000 -0700
+++ XRef.cc     2004-09-25 17:59:36.000000000 -0700
@@ -76,6 +76,12 @@
=20
   // trailer is ok - read the xref table
   } else {
+    if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D size) {
+      error(-1, "Invalid 'size' inside xref table.");
+      ok =3D gFalse;
+      errCode =3D errDamaged;
+      return;
+    }
     entries =3D (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
     for (i =3D 0; i < size; ++i) {
       entries[i].offset =3D 0xffffffff;
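
Review bot: the added test computes size*(int)sizeof(XRefEntry) as a signed int multiplication, so it only detects the problem if the overflow wraps, which C++ leaves undefined and a compiler is allowed to assume never happens. Compare before multiplying instead, for example reject when size < 0 || size >= INT_MAX / (int)sizeof(XRefEntry), and only then call gmalloc.
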
@@ -267,6 +273,10 @@
     // table size
     if (first + n > size) {
       newSize =3D size + 256;
+      if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize) {
+        error(-1, "Invalid 'newSize'");
+        goto err2;
+      }
       entries =3D (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntr=
y));
       for (i =3D size; i < newSize; ++i) {
        entries[i].offset =3D 0xffffffff;
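
Review bot: the multiply-then-divide expression on newSize is a copy of the one added before gmalloc in the previous hunk, and it is repeated again at the next two grealloc sites; each copy is a chance to get the element type wrong or to miss a site. A checked wrapper that takes the element count and element size and fails before calling gmalloc/grealloc would cover every site with one test. The message "Invalid 'newSize'" also names an internal variable rather than the xref table field that was out of range.
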
@@ -410,6 +420,10 @@
            if (!strncmp(p, "obj", 3)) {
              if (num >=3D size) {
                newSize =3D (num + 1 + 255) & ~255;
+               if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D 
newSize=
) {
+                 error(-1, "Invalid 'obj' parameters.");
+                 return gFalse;
+               }
                entries =3D (XRefEntry *)
                            grealloc(entries, newSize * sizeof(XRefEntry));
                for (i =3D size; i < newSize; ++i) {
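
Review bot: newSize is derived from num with (num + 1 + 255) & ~255 before the added test runs, so for a num close to INT_MAX the addition has already overflowed and the test only sees the result. Bound num first (for example num > INT_MAX - 256 is an error) and then compute newSize; the visible guard is only num >= size.
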
@@ -431,6 +445,11 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen =3D=3D streamEndsSize) {
        streamEndsSize +=3D 64;
+        if (streamEndsSize*(int)sizeof(int)/sizeof(int) !=3D streamEndsSiz=
e) {
+          error(-1, "Invalid 'endstream' parameter.");
+          return gFalse;
+        }
+
        streamEnds =3D (Guint *)grealloc(streamEnds,
                                       streamEndsSize * sizeof(int));
       }
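
Review bot: the added test and the grealloc both use sizeof(int), but the buffer is cast to Guint *, so the element type is written two different ways. Use sizeof(Guint), or sizeof(*streamEnds), in the test and in the allocation so they cannot drift apart. The added blank + line after the closing brace is not needed.
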
--- Catalog.cc.orig     2004-09-18 00:14:15.000000000 -0700
+++ Catalog.cc  2004-09-25 18:19:55.000000000 -0700
@@ -63,6 +63,12 @@
   }
   pagesSize =3D numPages0 =3D obj.getInt();
   obj.free();
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) !=3D pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok =3D gFalse;
+    return;
+  }
   pages =3D (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs =3D (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i =3D 0; i < pagesSize; ++i) {
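
Review bot: pagesSize comes straight from obj.getInt() and the added test has no explicit lower bound; a negative count is caught, if at all, only through the int to unsigned conversion in the division by sizeof. Add pagesSize < 0 || as the first term so the rejection of negative counts is stated rather than incidental, and note that pagesSize and numPages0 keep the rejected value when the constructor returns with ok = gFalse.
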
@@ -190,6 +196,10 @@
       }
       if (start >=3D pagesSize) {
        pagesSize +=3D 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
        pages =3D (Page **)grealloc(pages, pagesSize * sizeof(Page *));
        pageRefs =3D (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
        for (j =3D pagesSize - 32; j < pagesSize; ++j) {
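
Review bot: the added test covers only sizeof(Page *), yet the next two lines grealloc both pages and pageRefs, the second with pagesSize * sizeof(Ref). The constructor hunk above and CAN-2005-0206-1.diff test both sizes; add the pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize term here as well. The test also runs after pagesSize += 32, so on the err3 path pagesSize is already larger than the arrays it describes.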


---------------------------------------
Received: (at 300182-done) by bugs.debian.org; 29 Mar 2005 13:25:41 +0000
To: [EMAIL PROTECTED]
Subject: tetex-bin not vulnerable
From: [EMAIL PROTECTED] (Frank Küster)
Date: Tue, 29 Mar 2005 15:25:37 +0200


After the discussion on -security, starting with

http://lists.debian.org/debian-security/2005/03/msg00057.html

it is clear that tetex-bin is not vulnerable in woody, sarge or sid.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer

