Your message dated Tue, 29 Mar 2005 15:25:37 +0200
with message-id <[EMAIL PROTECTED]>
and subject line tetex-bin not vulnerable
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Mar 2005 09:16:52 +0000
From [EMAIL PROTECTED] Fri Mar 18 01:16:52 2005
Return-path: <[EMAIL PROTECTED]>
Received: from smtp06.web.de [217.72.192.224]
  by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
  id 1DCDbA-0001gh-00; Fri, 18 Mar 2005 01:16:52 -0800
Received: from [212.14.71.206] (helo=preusse.amasol.de)
  by smtp06.web.de with asmtp (WEB.DE 4.104 #268)
  id 1DCDac-0003Do-00
  for [EMAIL PROTECTED]; Fri, 18 Mar 2005 10:16:18 +0100
Received: by preusse.amasol.de (sSMTP sendmail emulation); Fri, 18 Mar 2005 10:16:20 +0100
Date: Fri, 18 Mar 2005 10:16:19 +0100
From: Hilmar Preusse <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.4.1i
X-Operating-System: CYGWIN_NT-5.0 1.5.13(0.122/4/2) i686

Package: tetex-bin
Version: 2.0.2-26
Severity: critical
Tags: security

Hi all,

As recently discovered the patch, which fixed CAN-2004-0888, seems to be
broken on all 64bit platforms (tested only on ia64 though).[1] Attached
are two patches, which should fix that. They are simply stolen from the
RedHat BTS.[2]

H.

[1] e.g.: http://www.auscert.org.au/render.html?it=4887
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393

-- 
sigmentation fault

Content-Disposition: attachment; filename="CAN-2005-0206-1.diff"
@@ -186,6 +192,11 @@ } if (start >= pagesSize) { pagesSize += 32; + if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize' parameter."); + goto err3; + }

Content-Disposition: attachment; filename="CAN-2005-0206.diff"

--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700
+++ XRef.cc 2004-09-25 17:59:36.000000000 -0700
@@ -76,6 +76,12 @@ =20 // trailer is ok - read the xref table } else { + if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D size) { + error(-1, "Invalid 'size' inside xref table."); + ok =3D gFalse; + errCode =3D errDamaged; + return; + } entries =3D (XRefEntry *)gmalloc(size * sizeof(XRefEntry)); for (i =3D 0; i < size; ++i) { entries[i].offset =3D 0xffffffff; @@ -267,6 +273,10 @@ // table size if (first + n > size) { newSize =3D size + 256; + if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize) { + error(-1, "Invalid 'newSize'"); + goto err2; + } entries =3D (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntr= y)); for (i =3D size; i < newSize; ++i) { entries[i].offset =3D 0xffffffff; @@ -410,6 +420,10 @@ if (!strncmp(p, "obj", 3)) { if (num >=3D size) { newSize =3D (num + 1 + 255) & ~255; + if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize= ) { + error(-1, "Invalid 'obj' parameters."); + return gFalse; + } entries =3D (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry)); for (i =3D size; i < newSize; ++i) {
@@ -431,6 +445,11 @@ } else if (!strncmp(p, "endstream", 9)) { if (streamEndsLen =3D=3D streamEndsSize) { streamEndsSize +=3D 64; + if (streamEndsSize*(int)sizeof(int)/sizeof(int) !=3D streamEndsSiz= e) { + error(-1, "Invalid 'endstream' parameter."); + return gFalse; + } + streamEnds =3D (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int)); }
--- Catalog.cc.orig 2004-09-18 00:14:15.000000000 -0700
+++ Catalog.cc 2004-09-25 18:19:55.000000000 -0700
@@ -63,6 +63,12 @@ } pagesSize =3D numPages0 =3D obj.getInt(); obj.free(); + if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize || + pagesSize*(int)sizeof(Ref)/sizeof(Ref) !=3D pagesSize) { + error(-1, "Invalid 'pagesSize'"); + ok =3D gFalse; + return; + } pages =3D (Page **)gmalloc(pagesSize * sizeof(Page *)); pageRefs =3D (Ref *)gmalloc(pagesSize * sizeof(Ref)); for (i =3D 0; i < pagesSize; ++i) {
@@ -190,6 +196,10 @@ } if (start >=3D pagesSize) { pagesSize +=3D 32; + if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) !=3D pagesSize) { + error(-1, "Invalid 'pagesSize' parameter."); + goto err3; + } pages =3D (Page **)grealloc(pages, pagesSize * sizeof(Page *)); pageRefs =3D (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref)); for (j =3D pagesSize - 32; j < pagesSize; ++j) {

---------------------------------------
Received: (at 300182-done) by bugs.debian.org; 29 Mar 2005 13:25:41 +0000
From [EMAIL PROTECTED] Tue Mar 29 05:25:40 2005
Return-path: <[EMAIL PROTECTED]>
Received: from idmailgate1.unizh.ch [130.60.68.105]
  by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
  id 1DGGiy-0003nu-00; Tue, 29 Mar 2005 05:25:40 -0800
Received: from alhambra.kuesterei.ch ([130.60.169.112])
  by idmailgate1.unizh.ch (8.12.10/8.12.10/Debian-2) with ESMTP id j2TDPbxW018933
  for <[EMAIL PROTECTED]>; Tue, 29 Mar 2005 15:25:38 +0200
Received: from localhost ([127.0.0.1] helo=alhambra.kuesterei.ch)
  by alhambra.kuesterei.ch with esmtp (Exim 4.50)
  id 1DGGiw-0007ax-Pm
  for [EMAIL PROTECTED]; Tue, 29 Mar 2005 15:25:38 +0200
To: [EMAIL PROTECTED]
Subject: tetex-bin not vulnerable
X-Attribution: fant
X-Ehrenamt: http://www.langau.de
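Review bot: CAN-2005-0206-1.diff has no `---`/`+++` file header and its single hunk `@@ -186,6 +192,11 @@` ends without trailing context, so `patch` cannot tell which file it targets; by content (`pagesSize += 32` followed by the `Page *`/`Ref` check and `goto err3`) it is the same spot as the Catalog.cc `@@ -190,6 +196,10 @@` hunk in CAN-2005-0206.diff, at a different offset and with an extra `Ref` term. Applying both attachments would insert the check twice or reject the second copy; keep one version of this hunk, preferably the one with the `Ref` term, since `pageRefs` is reallocated with `pagesSize * sizeof(Ref)` right after it.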
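Review bot: in XRef.cc `@@ -76,6 +76,12 @@` the test `size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size` only fires if the `int` product wraps, and wrapping a signed `int` is undefined behaviour, so an optimizing compiler may fold the expression to an identity and drop the check; the `(int)` cast is what keeps the product in `int` rather than `size_t` so it can wrap on 64-bit hosts at all (the report above says the earlier check was ineffective there), but the check should not depend on the wrap. A negative `size` also passes unchanged and still reaches `gmalloc(size * sizeof(XRefEntry))`. Test the bound instead: `if (size < 0 || size > INT_MAX / (int)sizeof(XRefEntry))` with `<limits.h>` included. The same remark applies to every other `x*(int)sizeof(T)/sizeof(T) != x` test in this patch.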
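Review bot: in XRef.cc `@@ -267,6 +273,10 @@` the increment `newSize = size + 256;` happens before the test, so for `size` near `INT_MAX` the addition itself wraps and the multiply-divide test is applied to an already corrupted value. Guard the addition first (`size > INT_MAX - 256`) or check the bound on `size` before incrementing. Style: the message `"Invalid 'newSize'"` lacks the trailing period the other new `error()` calls use.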
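Review bot: in XRef.cc `@@ -410,6 +420,10 @@` the rounding `newSize = (num + 1 + 255) & ~255;` is computed before the check, so for `num` within 256 of `INT_MAX` the addition wraps negative, the mask keeps it negative, and a negative `newSize` satisfies `newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize` being false, reaching `grealloc` with a negative size. Guard `num` directly (`num < 0 || num > INT_MAX - 256`) before rounding.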
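Review bot: in XRef.cc `@@ -431,6 +445,11 @@` the buffer is `Guint *` but both the check and the `grealloc` size use `sizeof(int)`; use `sizeof(Guint)` in both places so the guard and the allocation it protects cannot drift apart. As in `@@ -267`, `streamEndsSize += 64` runs before the test. The fifth added line is an empty `+` line, a stray whitespace change that should be dropped.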
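Review bot: in Catalog.cc `@@ -63,6 +63,12 @@` the value `pagesSize = numPages0 = obj.getInt();` comes straight from the file and may be negative; a negative `pagesSize` passes both multiply-divide tests unchanged and still reaches `gmalloc(pagesSize * sizeof(Page *))`. Add `pagesSize < 0` to the condition (and, for consistency with the other messages, a trailing period to `"Invalid 'pagesSize'"`).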
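Review bot: in Catalog.cc `@@ -190,6 +196,10 @@` only the `Page *` product is checked, yet `pageRefs` is reallocated on the next line with `pagesSize * sizeof(Ref)`; wherever `sizeof(Ref)` exceeds `sizeof(Page *)` the unchecked product can overflow while the checked one does not. Add the `Ref` term as in `@@ -63` of the same file.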
From: [EMAIL PROTECTED] (Frank Küster)
Date: Tue, 29 Mar 2005 15:25:37 +0200
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/21.4 (gnu/linux)

After the discussion on -security, starting with
http://lists.debian.org/debian-security/2005/03/msg00057.html
it is clear that tetex-bin is not vulnerable in woody, sarge or sid.

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer