Debian Bug report logs - #342292
tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy


Package: tetex-bin; Maintainer for tetex-bin is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 6 Dec 2005 22:18:04 UTC

Severity: grave

Tags: security

Found in versions tetex-bin/3.0-10.1, tetex-bin/2.0.2-30, tetex-bin/2.0.2-31, tetex-bin/1.0.7+20011202-7.3

Fixed in version tetex-bin/3.0-11

Done: Frank Küster <frank@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Tue, 06 Dec 2005 23:15:18 +0100
Package: tetex-bin
Version: 3.0-10.1
Severity: grave
Tags: security
Justification: user security hole

Multiple exploitable security problems have been found in xpdf, which are
all present in tetex-bin's embedded xpdf copy as well:

Multiple Vendor xpdf DCTStream Baseline Heap Overflow Vulnerability
 http://www.idefense.com/application/poi/display?id=342

Multiple Vendor xpdf DCTStream Progressive Heap Overflow
 http://www.idefense.com/application/poi/display?id=343

Multiple Vendor xpdf StreamPredictor Heap Overflow Vulnerability
 http://www.idefense.com/application/poi/display?id=344

Multiple Vendor xpdf JPX Stream Reader Heap Overflow Vulnerability
 http://www.idefense.com/application/poi/display?id=345

Please reference CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193 when fixing
this.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

Versions of packages tetex-bin depends on:
ii  debconf [debconf-2.0]    1.4.62          Debian configuration management sy
ii  debianutils              2.15.1          Miscellaneous utilities specific t
ii  dpkg                     1.13.11.0.1     package maintenance system for Deb
ii  ed                       0.2-20          The classic unix line editor
ii  libc6                    2.3.5-8.1       GNU C Library: Shared libraries an
ii  libgcc1                  1:4.0.2-5       GCC support library
ii  libice6                  6.8.2.dfsg.1-11 Inter-Client Exchange library
ii  libkpathsea4             3.0-10.1        path search library for teTeX (run
ii  libpaper1                1.1.14-3        Library for handling paper charact
ii  libpng12-0               1.2.8rel-5      PNG library - runtime
ii  libsm6                   6.8.2.dfsg.1-11 X Window System Session Management
ii  libstdc++6               4.0.2-5         The GNU Standard C++ Library v3
ii  libt1-5                  5.1.0-2         Type 1 font rasterizer library - r
ii  libx11-6                 6.8.2.dfsg.1-11 X Window System protocol client li
ii  libxaw8                  6.8.2.dfsg.1-11 X Athena widget set library
ii  libxext6                 6.8.2.dfsg.1-11 X Window System miscellaneous exte
ii  libxmu6                  6.8.2.dfsg.1-11 X Window System miscellaneous util
ii  libxp6                   6.8.2.dfsg.1-11 X Window System printing extension
ii  libxpm4                  6.8.2.dfsg.1-11 X pixmap library
ii  libxt6                   6.8.2.dfsg.1-11 X Toolkit Intrinsics
ii  mime-support             3.35-1          MIME files 'mime.types' & 'mailcap
ii  perl                     5.8.7-8         Larry Wall's Practical Extraction 
ii  sed                      4.1.4-4         The GNU sed stream editor
ii  tetex-base               3.0-10          Basic library files of teTeX
ii  ucf                      2.004           Update Configuration File: preserv
pi  xlibs                    6.8.2.dfsg.1-11 X Window System client libraries m
ii  zlib1g                   1:1.2.3-8       compression library - runtime

Versions of packages tetex-bin recommends:
ii  dialog                    1.0-20051107-1 Displays user-friendly dialog boxe
pn  libxml-parser-perl        <none>         (no description available)
pn  perl-tk                   <none>         (no description available)
ii  psutils                   1.17-21        A collection of PostScript documen
ii  whiptail                  0.51.6-31      Displays user-friendly dialog boxe

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: team@security.debian.org
Cc: 342292@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Wed, 07 Dec 2005 09:36:24 +0100
Dear security team,

Moritz Muehlenhoff <jmm@inutil.org> wrote:

> Package: tetex-bin
> Version: 3.0-10.1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Multiple exploitable security problems have been found in xpdf, which are
> all present in tetex-bin's embedded xpdf copy as well

A patch is provided by upstream, and I'll be able to upload a fixed
version to sid in the next two or three days.

However, since I'm currently busy with real-life issues, I will *NOT* be
able to backport the patch to the stable version of tetex-bin, nor work
on the numerous other packages that contain xpdf code and that I have
prepared patches for or NMU'ed previously in similar cases.

Note also that testing still has the same upstream version as stable,
and other issues prevent the new version from migrating from sid to
testing soon.

Regards, Frank

P.S. Is anybody in contact with the xpdf upstream about providing a
dynamically shared library, or at least get clarification whether they
think distributions should try libpoppler instead?  If not, would the
security team allow me to quote them as "We would very much appreciate
if such a library existed, and would urge maintainers and upstream
developers to switch to using it"?
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #15 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Debian Bug Control Server <control@bugs.debian.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Wed, 07 Dec 2005 14:54:40 +0100
found 342292 2.0.2-30
found 342292 2.0.2-31
found 342292 1.0.7+20011202-7.3
thanks

The upstream patch applies cleanly to xpdf/Stream.{cc,h} in sarge, but
JPXStream.cc does not exist.  But the functions might still be defined
elsewhere.

The patch does not apply cleanly, except for Stream.h, in woody, but at
least one affected line in Stream.cc *does* exist.

As I said previously, I will not be able to work on this.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Bug marked as found in version 2.0.2-30. Request was from Frank Küster <frank@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 2.0.2-31. Request was from Frank Küster <frank@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1.0.7+20011202-7.3. Request was from Frank Küster <frank@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Frank Küster <frank@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #26 received at 342292-close@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: 342292-close@bugs.debian.org
Subject: Bug#342292: fixed in tetex-bin 3.0-11
Date: Wed, 07 Dec 2005 06:32:11 -0800
Source: tetex-bin
Source-Version: 3.0-11

We believe that the bug you reported is fixed in the latest version of
tetex-bin, which is due to be installed in the Debian FTP archive:

libkpathsea4-dev_3.0-11_i386.deb
  to pool/main/t/tetex-bin/libkpathsea4-dev_3.0-11_i386.deb
libkpathsea4_3.0-11_i386.deb
  to pool/main/t/tetex-bin/libkpathsea4_3.0-11_i386.deb
tetex-bin_3.0-11.diff.gz
  to pool/main/t/tetex-bin/tetex-bin_3.0-11.diff.gz
tetex-bin_3.0-11.dsc
  to pool/main/t/tetex-bin/tetex-bin_3.0-11.dsc
tetex-bin_3.0-11_i386.deb
  to pool/main/t/tetex-bin/tetex-bin_3.0-11_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 342292@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Frank Küster <frank@debian.org> (supplier of updated tetex-bin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  7 Dec 2005 14:34:12 +0100
Source: tetex-bin
Binary: tetex-bin libkpathsea4-dev libkpathsea4
Architecture: source i386
Version: 3.0-11
Distribution: unstable
Urgency: high
Maintainer: teTeX maintainers <debian-tetex-maint@lists.debian.org>
Changed-By: Frank Küster <frank@debian.org>
Description: 
 libkpathsea4 - path search library for teTeX (runtime part)
 libkpathsea4-dev - path search library for teTeX (devel part)
 tetex-bin  - The teTeX binary files
Closes: 207874 335055 335477 336092 337308 338986 339388 341940 342292
Changes: 
 tetex-bin (3.0-11) unstable; urgency=high
 .
   * Apply xpdf patch 3.01pl1 to fix vulnerabilities in the included xpdf
     code.  The patch has been modified slightly, because our code is based
     on xpdf 3.00 which uses gmalloc() instead of gmallocn() (closes:
     #342292) [frank]
   * Remove old alternatives for oxdvi, which is now integrated in xdvi
     (closes: #335477) [frank]
   * Add Florent to the list of uploaders to prevent future technical NMUs,
     and acknowledge the last one with thanks (closes: #335055)
     [frank]
   * Fix up our backwards compatibility code in fmtutil(-sys), so that root
     can now also use it as mktexfmt (closes: #338986) [frank]
   * Remove ancient code from libkpathsea's postinst script; it is now
     fully created by debhelper.  The same is true for libkpathsea4-dev.
     Many thanks to Hilmar (closes: #207874) [frank]
   * Unset variables that might override texmf.cnf settings in postinst
     [frank]
   * Translations:
     - Update Italian debconf translation, thanks to Luca Monducci
       <luca.mo@tiscali.it> (closes: #336092) [frank]
     - Update French debconf translation, thanks to Clement Stenac
       <zorglub@via.ecp.fr> (closes: #337308) [frank]
     - Update Danish debconf translation, thanks to Claus Hindsgaul
       <claus_h@image.dk> (closes: #339388) [frank]
     - Update Czech debconf translation, thanks to Miroslav Kure
       <kurem@upcase.inf.upol.cz> (closes: #341940) [frank]
Files: 
 fef63f1e8fa7b88fd3e23df61ba38c1a 998 tex optional tetex-bin_3.0-11.dsc
 a6b589f665edbc6305d793ad5c1ce8c6 127304 tex optional tetex-bin_3.0-11.diff.gz
 b0548d39c6b42f579b73a372c025d727 3844736 tex optional tetex-bin_3.0-11_i386.deb
 d21401d7e7f504fc5c00d4af671581f7 74040 libs optional libkpathsea4_3.0-11_i386.deb
 d74d8571306f04092ecd9c70273e4f8e 70020 libdevel optional libkpathsea4-dev_3.0-11_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDlvA3+xs9YyJS+hoRAtMxAJ95+98enWcQjWZ69zf8OOIem7TwsgCfZfge
15eDjopNRrZq6nzYbW9BMPs=
=kZ4I
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #31 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@canonical.com>
To: 342292@bugs.debian.org, 342288@bugs.debian.org
Subject: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 8 Dec 2005 12:21:57 +0100
Hi!

I'm currently preparing Ubuntu security updates for these issues, and
I noticed that the upstream provided patch is wrong. I sent the mail
below to upstream (and some others).

Can you please check that you indeed fixed (tetex-bin)/will fix
(poppler) DCTStream::readProgressiveSOF(), too?

Thanks,

Martin

----- Forwarded message from Martin Pitt <martin.pitt@canonical.com> -----

From: Martin Pitt <martin.pitt@canonical.com>
To: vendor-sec@lst.de, derekn@foolabs.com, Dirk Mueller <mueller@kde.org>
Subject: Re: [vendor-sec] xpdf update - patch wrong?
Mail-Followup-To: vendor-sec@lst.de, derekn@foolabs.com,
	Dirk Mueller <mueller@kde.org>
Date: Thu, 8 Dec 2005 11:20:37 +0100
X-Spam-Status: No, score=1.0 required=4.0 tests=AWL,BAYES_50,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS_WEB autolearn=no version=3.0.3

Hi Derek, hi Dirk, hi Vendor-Sec!

Josh Bressers [2005-12-06 13:50 -0500]:
> In the event any of you missed this:
> 
> http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
> http://www.idefense.com/application/poi/display?id=343&type=vulnerabilities

It seems that the patch linked from these advisories [1] is a little
bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
but does not check it in DCTStream::readProgressiveSOF().

It *seems* that KDE spotted and removed the double check in their
kdegraphics patch [2], but unless they removed
DCTStream::readProgressiveSOF() (which could very well be, I didn't
check yet), these patches now have the same flaw.

Thanks,

Martin


[1] ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.01pl1.patch
[2] ftp://ftp.kde.org/pub/kde/security_patches/post-3.4.3-kdegraphics-CAN-2005-3193.diff

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?



----- End forwarded message -----

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #36 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Martin Pitt <martin.pitt@canonical.com>
Cc: 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 08 Dec 2005 13:17:50 +0100
Martin Pitt <martin.pitt@canonical.com> wrote:

> Hi!
>
> I'm currently preparing Ubuntu security updates for these issues, and
> I noticed that the upstream provided patch is wrong. I sent the mail
> below to upstream (and some others).
>
> Can you please check that you indeed fixed (tetex-bin)/will fix
> (poppler) DCTStream::readProgressiveSOF(), too?
[...]
> It seems that the patch linked from these advisories [1] is a little
> bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> but does not check it in DCTStream::readProgressiveSOF().

We have the same flaw in our upload.  Would you be so kind and check the
updated patch at 

http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0

I'm completely illiterate in C++, and would like to make sure this is
correct.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #41 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Frank Küster <frank@debian.org>
Cc: Martin Pitt <martin.pitt@canonical.com>, 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 8 Dec 2005 14:33:50 +0100
Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> Martin Pitt <martin.pitt@canonical.com> wrote:
> 
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
> 
> We have the same flaw in our upload.  Would you be so kind and check the
> updated patch at 
> 
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0

The DCTStream::readProgressiveSOF() seems to be correct now, however,
there is still a flaw in 

-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
-				     sizeof(JPXTile));
+      nTiles = img.nXTiles * img.nYTiles;
+      // check for overflow before allocating memory
+      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+	error(getPos(), "Bad tile count in JPX SIZ marker segment");
+	return gFalse;
+      }
+      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
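Review bot: the overflow check covers only the first multiplication; `nTiles * sizeof(JPXTile)` in the new gmalloc() call is still unchecked, so a tile count that fits in a Guint can still yield a wrapped byte count, which is the flaw the next paragraph describes. Also note that the `nTiles == 0` test does double duty: it is what keeps `nTiles / img.nXTiles` from dividing by zero when nXTiles is 0, so the two conditions must stay in this order.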

gmalloc does a multiplication which is not checked for integer
overflows. xpdf uses gmallocn() which does that check.

I'll send you an updated patch very soon, I just finished patching
tetex-bin 2.0.2, cupsys, xpdf, poppler, etc.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #46 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Frank Küster <frank@debian.org>
Cc: 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 8 Dec 2005 14:55:55 +0100
Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> We have the same flaw in our upload.  Would you be so kind and check the
> updated patch at 
> 
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0
> 
> I'm completely illerate in C++, and would like to make sure this is
> correct.  

OK, you can now find the 3.0 debdiff at 

  http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff

it might be interesting for you to get the CVE numbers in the
changelog right. (Please do mention the CVE numbers to ease tracking.)

The essential difference is the JPXStream.cc diff, which now looks
like:

--- tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc   2004-01-22 02:26:45.000000000 +0100
+++ tetex-bin-3.0.new/libs/xpdf/xpdf/JPXStream.cc       2005-12-08 14:40:19.000000000 +0100
@@ -666,7 +666,8 @@
   int segType;
   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
   Guint precinctSize, style;
-  Guint segLen, capabilities, comp, i, j, r;
+  Guint segLen, capabilities, nTiles, comp, i, j, r;
+  Guint allocSize;

   //----- main header
   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
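Review bot: `allocSize` is declared as Guint while `sizeof(JPXTile)` is a size_t, so on a 64-bit build the product computed in the next hunk is narrowed when it is stored; the later `allocSize / sizeof(JPXTile) != nTiles` test does catch the narrowed value, but declaring allocSize as size_t would state the intent directly instead of relying on that. Minor style point: it could share the declaration line with nTiles.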
@@ -701,8 +702,15 @@
                    / img.xTileSize;
       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
                    / img.yTileSize;
-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
-                                    sizeof(JPXTile));
+      nTiles = img.nXTiles * img.nYTiles;
+      allocSize = nTiles * sizeof(JPXTile);
+      // check for overflow before allocating memory
+      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles ||
+          allocSize / sizeof(JPXTile) != nTiles) {
+       error(getPos(), "Bad tile count in JPX SIZ marker segment");
+       return gFalse;
+      }
+      img.tiles = (JPXTile *)gmalloc(allocSize);
       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
        img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
                                                        sizeof(JPXTileComp));
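Review bot: the condition rejects a wrapped tile count and a wrapped byte count, but gmalloc() in this code base takes an int (Florian's gmallocn listing below passes it an `int n`, and Frank's proposed bound is phrased against INT_MAX), so an allocSize between INT_MAX and UINT_MAX passes both tests and is converted to a negative int at the call; adding `allocSize > INT_MAX` to the condition, or using Frank's `nTiles >= INT_MAX / sizeof(JPXTile)` form, closes that gap. Two smaller points: the loop in the trailing context still recomputes `img.nXTiles * img.nYTiles` instead of using the validated `nTiles`, and the inner `gmalloc(img.nComps * sizeof(JPXTileComp))` has the same unchecked-multiplication shape, so it is worth confirming that nComps is range-checked when the SIZ segment is parsed.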


I added an additional allocSize variable and check it for int
overflow, to get the same effect as gmallocn() in the original xpdf
source.

HTH,

Martin
(who really wishes upstreams would switch to poppler after uploading
22 security update packages)

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@kuesterei.ch>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #51 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@kuesterei.ch>
To: Martin Pitt <mpitt@debian.org>
Cc: Martin Pitt <martin.pitt@canonical.com>, 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 08 Dec 2005 15:54:49 +0100
Martin Pitt <mpitt@debian.org> wrote:

> -      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
> -				     sizeof(JPXTile));
> +      nTiles = img.nXTiles * img.nYTiles;
> +      // check for overflow before allocating memory
> +      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
> +	error(getPos(), "Bad tile count in JPX SIZ marker segment");
> +	return gFalse;
> +      }
> +      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
>
> gmalloc does a multiplication which is not checked for integer
> overflows. xpdf uses gmallocn() which does that check.

xpdf has gmallocn only since 3.01, but tetex-bin uses 3.00.  I wouldn't
want to update parts of the code, or all of it to 3.01, without
understanding the differences.  On the other hand, maybe the xpdf code
in tetex-bin has *more* unchecked buffer overflows exactly because it
does not yet use gmallocn...

Would 

      if (nTiles >= INT_MAX / sizeof(JPXTile)) {
	error(getPos(), "Bad tile count in JPX SIZ marker segment");
	return gFalse;
      }

be okay?

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Rogério Brito <rbrito@ime.usp.br>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #56 received at 342292@bugs.debian.org (full text, mbox):

From: Rogério Brito <rbrito@ime.usp.br>
To: Martin Pitt <mpitt@debian.org>, 342292@bugs.debian.org
Cc: Frank Küster <frank@debian.org>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 8 Dec 2005 12:54:43 -0200
On Dec 08 2005, Martin Pitt wrote:
> (who really wishes upstreams would switch to poppler after uploading
> 22 security update packages)

Yes, but poppler is still not exactly a complete replacement for
xpdf---at least, that is what I understand from this bug of mine:
http://bugs.debian.org/340379


Cheers, Rogério Brito.
-- 
Rogério Brito : rbrito@ime.usp.br : http://www.ime.usp.br/~rbrito
Homepage of the algorithms package : http://algorithms.berlios.de
Homepage on freshmeat:  http://freshmeat.net/projects/algorithms/



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #61 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Rogério Brito <rbrito@ime.usp.br>
Cc: 342292@bugs.debian.org, Martin Pitt <mpitt@debian.org>, poppler@packages.debian.org
Subject: poppler as a replacement for xpdf code (was: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?)
Date: Thu, 08 Dec 2005 16:20:34 +0100
Rogério Brito <rbrito@ime.usp.br> wrote:

> On Dec 08 2005, Martin Pitt wrote:
>> (who really wishes upstreams would switch to poppler after uploading
>> 22 security update packages)
>
> Yes, but poppler is still not exactly a complete replacement for
> xpdf---at least, that is what I understand from this bug of mine:
> http://bugs.debian.org/340379

One single bug need not mean that the library is not generally usable;
especially if it's "only" about viewing.

But the real concern that I have is whether the poppler people do
actually intend to become a "libxpdf".  My impression from looking at
their homepage (a while ago, though) was that they wanted to create
something new on top of xpdf - a unified viewing and printing tool for
the desktop, based on pdf.  But many projects that use xpdf code have a
different interest in xpdf: They use it for parsing, analysing and
manipulating PDF files, which is different from a user's point of view,
and I don't know whether it's also different from a developer's.

My concern is that if pdftex, pdftk, pdftohtml et al. start using
libpoppler now they might find in the future that libpoppler does not
all they need, or does not give proper support for them, because of its
different goal.  I'd be very glad to hear that this not realistic, and
if I am such advised, I would be happy to create a patch for pdftex to
use poppler and submit it upstream.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #66 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 08 Dec 2005 17:28:15 +0100
Martin Pitt <mpitt@debian.org> wrote:

> OK, you can now find the 3.0 debdiff at 
>
>   http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff

Thank you, I've added this.

> it might be interesting for you to get the CVE numbers in the
> changelog right. (Please do mention the CVE numbers to ease tracking.)

Thanks, sorry that I forgot it in the upload.

But I have more bad news.  While looking at the patches, I noticed that
the patch for CAN-2004-0888 in tetex 3.0 still has the flaws in the
upstream/KDE/whoever patch.  It does buffer overflow checks that some
compilers will simply optimize away ( if (size * sizeof(int)/sizeof(int)
!= size) and the like).  In the upload to unstable back then, which was
2.0.2, we changed this to size >=MAX_INT / sizeof(int), but I obviously
did not do this in our copy.

I have started to fix this, see

http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CAN-2004-0888?op=diff&rev=0&sc=0

however since the codebase differs I cannot simply use the patch from
tetex 2.0.2. Unfortunately, I don't have the original patch against 3.00
left, and I also cannot find it on the net.

It also seems that there are some buffer overflows in 3.00 that do not
have any tests, e.g. in XRef.cc, line 391 after patch-CAN-2004-0888 has
been applied.  Or is such a check

      if (newSize < 0) {
	goto err1;
      }

enough to detect an integer overflow, because newSize is signed? 3.01
uses greallocn there.

Regards, Frank

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #71 received at 342292@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Frank Küster <frank@debian.org>
Cc: 342292@bugs.debian.org, Martin Pitt <mpitt@debian.org>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 08 Dec 2005 22:03:19 +0100
* Frank Küster:

> It also seems that there are some buffer overflows in 3.00 that do not
> have any tests, e.g. in XRef.cc, line 391 after patch-CAN-2004-0888 has
> been applied.  Or is such a check
>
>       if (newSize < 0) {
> 	goto err1;
>       }
>
> enough to detect an integer overflow, because newSize is signed?

No, it's not, see:

  <http://cert.uni-stuttgart.de/advisories/c-integer-overflow.php>

I should retry with GCC 4.1; it might actually perform the
optimization.



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #76 received at 342292@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Frank Küster <frank@kuesterei.ch>
Cc: 342292@bugs.debian.org, Martin Pitt <mpitt@debian.org>, Martin Pitt <martin.pitt@canonical.com>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 08 Dec 2005 22:21:53 +0100
* Frank Küster:

> Would 
>
>       if (nTiles >= INT_MAX / sizeof(JPXTile) {
> 	error(getPos(), "Bad tile count in JPX SIZ marker segment");
> 	return gFalse;
>
> be okay?

It might still be a DoS issue, I think.  Allocating arbitrary amounts
of memory upon user request is usually a bad idea.  But gmallocn does
not touch the memory it allocates, so even very large allocations are
very cheap initially.  As long as you initialize the allocated data
structure as you read more input, it should be a minor issue (because
you need an enormous file size to cause problems on even slightly
dated machines).

By the way, the gmallocn function suffers from undefined integer
overflow, too:

void *gmallocn(int nObjs, int objSize) {
  int n;

  n = nObjs * objSize;
  if (objSize == 0 || n / objSize != nObjs) {
    fprintf(stderr, "Bogus memory allocation size\n");
    exit(1);
  }
  return gmalloc(n);
}

The error handling is not suitable for library use, either.  I don't
know if this is a problem.

PS: I haven't checked if the comparison "nTiles >= INT_MAX /
sizeof(JPXTile" is indeed correct and checks the right bound.



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@kuesterei.ch>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #81 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@kuesterei.ch>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 342292@bugs.debian.org, Martin Pitt <mpitt@debian.org>, Martin Pitt <martin.pitt@canonical.com>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 08 Dec 2005 22:55:39 +0100
Florian Weimer <fw@deneb.enyo.de> wrote:

> * Frank Küster:
>
>> Would 
>>
>>       if (nTiles >= INT_MAX / sizeof(JPXTile) {
>> 	error(getPos(), "Bad tile count in JPX SIZ marker segment");
>> 	return gFalse;
>>
>> be okay?
>
> It might still be a DoS issue, I think.  Allocating arbitrary amounts
> of memory upon user request is usually a bad idea.  But gmallocn does
> not touch the memory it allocates, so even very large allocations are
> very cheap initially.

The function that is called in *tetex-bin* is not gmallocn, but gmalloc
- it's based on xpdf 3.00, not 3.01, and this is the very reason why I
need to check for an overflow in nTiles * sizeof(JPXTile).

> As long as you initialize the allocated data
> structure as you read more input, it should be a minor issue (because
> you need an enormous file size to cause problems on even slightly
> dated machines).

I have no idea what the code does, and I'm only starting to learn C and
know next to nothing about C++.  Somebody else should check.

> By the way, the gmallocn function suffers from undefined integer
> overflow, too:
>
> void *gmallocn(int nObjs, int objSize) {
>   int n;
>
>   n = nObjs * objSize;
>   if (objSize == 0 || n / objSize != nObjs) {
>     fprintf(stderr, "Bogus memory allocation size\n");
>     exit(1);
>   }
>   return gmalloc(n);
> }

What's the problem here?  That the value in "n" is undefined, and
therefore the comparison n / objSize != nObjs is undefined, too?

This xpdf stuff seems to be a security nightmare by itself, even if not
copied to everybody's orig.tar.gz.

> The error handling is not suitable for library use, either.  I don't
> know if this is a problem.

Only if the poppler people didn't notice...

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #86 received at 342292@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Frank Küster <frank@kuesterei.ch>
Cc: 342292@bugs.debian.org, Martin Pitt <mpitt@debian.org>, Martin Pitt <martin.pitt@canonical.com>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Thu, 08 Dec 2005 23:19:53 +0100
* Frank Küster:

> The function that is called in *tetex-bin* is not gmallocn, but gmalloc
> - it's based on xpdf 3.00, not 3.01, and this is the very reason why I
> need to check for an overflow in nTiles * sizeof(JPXTile).

Sure, I wanted to explain why this is not sufficient.  It should be
equivalent to the gmallocn check (once that is fixed, as discussed).

>> By the way, the gmallocn function suffers from undefined integer
>> overflow, too:
>>
>> void *gmallocn(int nObjs, int objSize) {
>>   int n;
>>
>>   n = nObjs * objSize;
>>   if (objSize == 0 || n / objSize != nObjs) {
>>     fprintf(stderr, "Bogus memory allocation size\n");
>>     exit(1);
>>   }
>>   return gmalloc(n);
>> }
>
> What's the problem here?  That the value in "n" is undefined, and
> therefore the comparison n / objSize != nObjs is undefined, too?

Exactly.  You have a strange way of learning C, most programmers learn
that signed integer overflow is undefined only after they've written
tens of thousands of lines of code. 8-)

> This xpdf stuff seems to be a security nightmare by itself, even if not
> copied to everybody's orig.tar.gz.

The xpdf code which we are discussing is pretty much industry
standard, I fear.
>
>> The error handling is not suitable for library use, either.  I don't
>> know if this is a problem.
>
> Only if the poppler people didn't notice...

According to their CVS repository, they didn't. 8-(

I'm going to notify them.  I'm also going to report the undefined
behavior problem to the xpdf folks.



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #91 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Frank Küster <frank@kuesterei.ch>
Cc: Martin Pitt <mpitt@debian.org>, Martin Pitt <martin.pitt@canonical.com>, 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 9 Dec 2005 10:17:51 +0100
[Message part 1 (text/plain, inline)]
Hi!

Frank Küster [2005-12-08 15:54 +0100]:
> Martin Pitt <mpitt@debian.org> wrote:
> 
> > -      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
> > -				     sizeof(JPXTile));
> > +      nTiles = img.nXTiles * img.nYTiles;
> > +      // check for overflow before allocating memory
> > +      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
> > +	error(getPos(), "Bad tile count in JPX SIZ marker segment");
> > +	return gFalse;
> > +      }
> > +      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
> >
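Review bot: the overflow test "nTiles / img.nXTiles != img.nYTiles" is evaluated after the multiplication, so it depends on the wrapped value of a signed int product, which ISO C leaves undefined and which the compiler may therefore optimise away; test before multiplying instead, e.g. reject "img.nXTiles <= 0 || img.nYTiles <= 0" and then "img.nXTiles > INT_MAX / img.nYTiles", which also removes the reliance on the "nTiles == 0" short-circuit to avoid dividing by a zero nXTiles. The last "+" line still hands "nTiles * sizeof(JPXTile)" to gmalloc() without any bound on the byte count, so the hunk needs a second check at that point.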
> > gmalloc does a multiplication which is not checked for integer
> > overflows. xpdf uses gmallocn() which does that check.
> 
> xpdf has gmallocn only since 3.01, but tetex-bin uses 3.00.  I wouldn't
> want to update parts of the code, or all of it to 3.01, without
> understanding the differences.  On the other hand, maybe the xpdf code
> in tetex-bin has *more* unchecked buffer overflows exactly because it
> does not yet use gmallocn...

Possibly. gmallocn() is just a shallow wrapper around gmalloc() with
integer overflow checking, so it's not a big deal.

> Would 
> 
>       if (nTiles >= INT_MAX / sizeof(JPXTile) {
> 	error(getPos(), "Bad tile count in JPX SIZ marker segment");
> 	return gFalse;
> 
> be okay?

This is the standard way of checking for multiplicative overflows,
that looks fine.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
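
Added example, written for this thread and not taken from xpdf, tetex-bin or any of the patches discussed: the pre-multiplication bound Martin calls the standard check, applied to the JPX tile count in C. Both factors (img.nXTiles and img.nYTiles from the SIZ marker) are tested before each multiplication, so neither the int product nor the byte count is ever allowed to overflow. JPXTile here is a constructed stand-in struct (only its size matters), and jpx_tile_count, jpx_alloc_tiles and jpx_alloc_tiles_ok are names I chose for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for xpdf's JPXTile; only its size matters here. */
typedef struct {
    int x0, y0, x1, y1;
    int res;
    int pad[3];
} JPXTile;

/* Tile count from the SIZ marker dimensions, or -1 if the count is invalid.
 * Each bound is tested *before* the multiplication it protects, so the code
 * never relies on what a signed overflow would produce. */
int jpx_tile_count(int nXTiles, int nYTiles)
{
    /* Dimensions come from the file; non-positive ones are bogus and would
     * also turn the INT_MAX / nYTiles bound below into a division by zero. */
    if (nXTiles <= 0 || nYTiles <= 0)
        return -1;

    /* Would nXTiles * nYTiles exceed INT_MAX?  Ask with a division instead. */
    if (nXTiles > INT_MAX / nYTiles)
        return -1;
    int nTiles = nXTiles * nYTiles;           /* now provably fits in an int */

    /* Would nTiles * sizeof(JPXTile) exceed SIZE_MAX?  Same trick, unsigned. */
    if ((size_t)nTiles > SIZE_MAX / sizeof(JPXTile))
        return -1;

    return nTiles;
}

/* Allocate the tile array, or return NULL if the count was rejected.
 * calloc() zero-fills, so partially initialised tiles are never left behind. */
JPXTile *jpx_alloc_tiles(int nXTiles, int nYTiles)
{
    int nTiles = jpx_tile_count(nXTiles, nYTiles);
    if (nTiles < 0)
        return NULL;
    return (JPXTile *)calloc((size_t)nTiles, sizeof(JPXTile));
}

/* Test helper: 1 if the allocation was accepted and succeeded, else 0. */
int jpx_alloc_tiles_ok(int nXTiles, int nYTiles)
{
    JPXTile *tiles = jpx_alloc_tiles(nXTiles, nYTiles);
    if (tiles == NULL)
        return 0;
    free(tiles);
    return 1;
}
```

A note on the one-line check quoted in the thread, "nTiles >= INT_MAX / sizeof(JPXTile)": because sizeof yields a size_t, the comparison is done in unsigned arithmetic, so a negative nTiles is converted to a huge value and rejected as well. What that line cannot do is protect the multiplication that produced nTiles in the first place, which is why the bound on nXTiles * nYTiles above comes first. A policy cap on the tile count, separate from the overflow check, is the usual answer to the memory-exhaustion concern raised elsewhere in this thread.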

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #96 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Frank Küster <frank@debian.org>
Cc: 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 9 Dec 2005 10:19:51 +0100
[Message part 1 (text/plain, inline)]
Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> Martin Pitt <martin.pitt@canonical.com> wrote:
> 
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
> 
> We have the same flaw in our upload.  Would you be so kind and check the
> updated patch at 
> 
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0
> 
> I'm completely illiterate in C++, and would like to make sure this is
> correct.  

Bad news. A further review of Streams.cc revealed a third place where
numComps goes unchecked (I checked the whole file now, it's really the
last one). So you additionally need this hunk:

@@ -2947,6 +2974,10 @@ GBool DCTStream::readScanInfo() {

   length = read16() - 2;
   scanInfo.numComps = str->getChar();
+  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+    error(getPos(), "Bad number of components in DCT stream");
+    return gFalse;
+  }
   --length;
   if (length != 2 * scanInfo.numComps + 3) {
     error(getPos(), "Bad DCT scan info block");
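Review bot: the literal upper bound of 4 on scanInfo.numComps should be tied to the declared size of the per-component tables it protects rather than repeated as a bare number, and shared with the equivalent checks in readBaselineSOF() and readProgressiveSOF() so the three sites cannot drift apart; a named constant or a small helper used at all three places would do. Placing the check before "--length" is right, since the "length != 2 * scanInfo.numComps + 3" test that follows then only ever sees a sane count.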

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #101 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Frank Küster <frank@kuesterei.ch>, Florian Weimer <fw@deneb.enyo.de>
Cc: 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 9 Dec 2005 10:40:39 +0100
[Message part 1 (text/plain, inline)]
Hi Florian, hi Frank!

Frank Küster [2005-12-08 22:55 +0100]:
> Florian Weimer <fw@deneb.enyo.de> wrote:
> > By the way, the gmallocn function suffers from undefined integer
> > overflow, too:
> >
> > void *gmallocn(int nObjs, int objSize) {
> >   int n;
> >
> >   n = nObjs * objSize;
> >   if (objSize == 0 || n / objSize != nObjs) {
> >     fprintf(stderr, "Bogus memory allocation size\n");
> >     exit(1);
> >   }
> >   return gmalloc(n);
> > }
> 
> What's the problem here?  That the value in "n" is undefined, and
> therefore the comparison n / objSize != nObjs is undefined, too?

n is not 'undefined' here. For every given nObjs and objSize input, it
always gets the same well-defined value.

We can assume that objSize is a small positive number, since it is not
user defined (just a sizeof value). The function works correctly for
positive number of nObjs (both valid and invalid), but there is a
corner case for negative nObjs. Since gmalloc() takes a size_t
(unsigned), in most cases gmalloc() will allocate more memory than
required for a negative argument. However, when n is exactly -2^31 you
could see an off-by-one memory allocation error.

Indeed the function should completely be written using unsigned
arithmetic, otherwise your head will just explode.

Florian, is that what you meant?

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@kuesterei.ch>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #106 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@kuesterei.ch>
To: Martin Pitt <mpitt@debian.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 09 Dec 2005 11:09:26 +0100
Martin Pitt <mpitt@debian.org> wrote:

> Hi Florian, hi Frank!
>
> Frank Küster [2005-12-08 22:55 +0100]:
>> Florian Weimer <fw@deneb.enyo.de> wrote:
>> > By the way, the gmallocn function suffers from undefined integer
>> > overflow, too:
>> >
>> > void *gmallocn(int nObjs, int objSize) {
>> >   int n;
>> >
>> >   n = nObjs * objSize;
>> >   if (objSize == 0 || n / objSize != nObjs) {
>> >     fprintf(stderr, "Bogus memory allocation size\n");
>> >     exit(1);
>> >   }
>> >   return gmalloc(n);
>> > }
>> 
>> What's the problem here?  That the value in "n" is undefined, and
>> therefore the comparison n / objSize != nObjs is undefined, too?
>
> n is not 'undefined' here. For every given nObjs and objSize input, it
> always gets the same well-defined value.
>
> We can assume that objSize is a small positive number, since it is not
> user defined (just a sizeof value). The function works correctly for
> positive number of nObjs (both valid and invalid), 

But what if nObjs * objSize is larger than fits into an int?

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #111 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Frank Küster <frank@kuesterei.ch>
Cc: Martin Pitt <mpitt@debian.org>, Florian Weimer <fw@deneb.enyo.de>, 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 9 Dec 2005 11:20:29 +0100
[Message part 1 (text/plain, inline)]
Hi!

Frank Küster [2005-12-09 11:09 +0100]:
> Martin Pitt <mpitt@debian.org> wrote:
> 
> > Hi Florian, hi Frank!
> >
> > Frank Küster [2005-12-08 22:55 +0100]:
> >> Florian Weimer <fw@deneb.enyo.de> wrote:
> >> > By the way, the gmallocn function suffers from undefined integer
> >> > overflow, too:
> >> >
> >> > void *gmallocn(int nObjs, int objSize) {
> >> >   int n;
> >> >
> >> >   n = nObjs * objSize;
> >> >   if (objSize == 0 || n / objSize != nObjs) {
> >> >     fprintf(stderr, "Bogus memory allocation size\n");
> >> >     exit(1);
> >> >   }
> >> >   return gmalloc(n);
> >> > }
> >> 
> >> What's the problem here?  That the value in "n" is undefined, and
> >> therefore the comparison n / objSize != nObjs is undefined, too?
> >
> > n is not 'undefined' here. For every given nObjs and objSize input, it
> > always gets the same well-defined value.
> >
> > We can assume that objSize is a small positive number, since it is not
> > user defined (just a sizeof value). The function works correctly for
> > positive number of nObjs (both valid and invalid), 
> 
> But what if nObjs * objSize is larger than fits into an int?

Handling this case is the sole purpose of this gmallocn() wrapper.

Let N be the product of nObjs * objSize in the naturals.

- For valid (small) positive values of nObjs, n == N and the division is ok.

- For invalid (big) positive values of nObjs which, when multiplied with nObjs
  overflow an int, we have two cases:

  * n == N mod 2^31 (i. e. product overflows into the positive half of int space) 
    => n < N 
    => n/objSize < N/objSize
    => n/objSize < nObjs 
    => n/objSize != nObjs 
    => check fails.

  * n < 0 
    => n/objSize < 0 
    => since by assumption nObjs > 0: n/objSize != nObjs
    => check fails.

As I already said, the function will cause trouble (allocating
insane amounts of memory, but probably not an overflow) for negative
nObjs. Thus, the function should either use unsigneds, or at least
check that nObjs and objSize > 0.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]
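
Added example, not xpdf's gmallocn and not code from anyone in this thread, covering Florian's points above (undefined signed overflow inside gmallocn, exit(1) being unsuitable for a library, unbounded allocation on user request) and Martin's negative-nObjs corner case: the same check rewritten in size_t so that every operation is defined by ISO C, with NULL instead of exit(1). SAFE_ALLOC_LIMIT is a constructed policy cap, and as_size_t, checked_alloc_size, safe_mallocn and safe_mallocn_ok are names chosen for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed policy cap (1 GiB). An overflow-free product can still be an
 * absurd request; refusing it here is the cheap answer to the DoS concern. */
#define SAFE_ALLOC_LIMIT ((size_t)1 << 30)

/* What gmalloc(size_t) actually receives when an int count has gone negative:
 * the int -> size_t conversion is defined modulo 2^k, so -1 becomes SIZE_MAX. */
size_t as_size_t(int n)
{
    return (size_t)n;
}

/* Stores nObjs * objSize in *bytes and returns 1 if the product fits in a
 * size_t and is within the cap; returns 0 otherwise. The bound is checked with
 * a division *before* multiplying, so no overflow happens at all, and the
 * result does not depend on what a compiler does with undefined behaviour. */
int checked_alloc_size(size_t nObjs, size_t objSize, size_t *bytes)
{
    if (objSize == 0 || nObjs > SIZE_MAX / objSize)
        return 0;
    *bytes = nObjs * objSize;
    return *bytes <= SAFE_ALLOC_LIMIT;
}

/* Replacement for gmallocn(int, int): rejects negative counts and non-positive
 * sizes before they are converted to size_t, and reports failure with NULL
 * rather than exit(1), which a library caller can actually handle. */
void *safe_mallocn(int nObjs, int objSize)
{
    size_t bytes;
    if (nObjs < 0 || objSize <= 0)
        return NULL;
    if (!checked_alloc_size((size_t)nObjs, (size_t)objSize, &bytes))
        return NULL;
    /* malloc(0) may legitimately return NULL; allocate one byte so that NULL
     * from this function always means "rejected or out of memory". */
    return malloc(bytes == 0 ? 1 : bytes);
}

/* Test helper: 1 if safe_mallocn accepted the request and malloc succeeded. */
int safe_mallocn_ok(int nObjs, int objSize)
{
    void *p = safe_mallocn(nObjs, objSize);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}
```

The shape of the check is the same as the one quoted from gmallocn, but the division is done on the inputs rather than on the product, which is the whole difference: a post-multiplication "n / objSize != nObjs" only works if the compiler preserves the wrapped value, and for signed int it is under no obligation to. The explicit "nObjs < 0" test is what Martin's "check that nObjs and objSize > 0" amounts to; without it, as_size_t shows what the allocator would be asked for.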

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #116 received at 342292@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Martin Pitt <mpitt@debian.org>
Cc: Frank Küster <frank@kuesterei.ch>, 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 09 Dec 2005 11:53:58 +0100
* Martin Pitt:

> - For invalid (big) positive values of nObjs which, when multiplied with nObjs
>   overflow an int, we have two cases:

But neither ISO C nor GNU C make any promises regarding this case.
Overflow is undefined, period.

You can pass -fwrapv to gcc if you want modulo arithmetic for ints.
In general, this decreases code quality, that's why it's not the
default.



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #121 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Martin Pitt <mpitt@debian.org>, Frank Küster <frank@kuesterei.ch>, 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 9 Dec 2005 12:05:56 +0100
[Message part 1 (text/plain, inline)]
Hi Florian!

Florian Weimer [2005-12-09 11:53 +0100]:
> * Martin Pitt:
> 
> > - For invalid (big) positive values of nObjs which, when multiplied with nObjs
> >   overflow an int, we have two cases:
> 
> But neither ISO C nor GNU C make any promises regarding this case.
> Overflow is undefined, period.

Ah, right, I mixed that up with additive overflow (which is defined).
Thanks for the cluebat.

Well, in terms of the current security update this is irrelevant
anyway since gmalloc() is not yet used.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #126 received at 342292@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Martin Pitt <mpitt@debian.org>
Cc: Frank Küster <frank@kuesterei.ch>, 342292@bugs.debian.org
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 09 Dec 2005 12:42:45 +0100
* Martin Pitt:

> Hi Florian!
>
> Florian Weimer [2005-12-09 11:53 +0100]:
>> * Martin Pitt:
>> 
>> > - For invalid (big) positive values of nObjs which, when multiplied with nObjs
>> >   overflow an int, we have two cases:
>> 
>> But neither ISO C nor GNU C make any promises regarding this case.
>> Overflow is undefined, period.
>
> Ah, right, I mixed that up with additive overflow (which is defined).

I think you mean unsigned arithmetic, which is performed modulo 2^k
for some k.



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #131 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Frank Küster <frank@debian.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Fri, 9 Dec 2005 15:47:03 +0100
[Message part 1 (text/plain, inline)]
Frank Küster wrote:
> The upstream patch applies cleanly to xpdf/Stream.{cc,h} in sarge, but
> JPXStream.cc does not exist.  But the functions might still be defined
> elsewhere.
> 
> The patch does not apply cleanly, except for Stream.h, in woody, but at
> least one affected line in Stream.cc *does* exist.
> 
> As I said previously, I will not be able to work on this.

The original patch was not sufficient.  I'm attaching the entire and the
incremental patch.  Please apply the incremental patch to the version in
sid as well.

Regards,

	Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.
[patch.sarge (text/plain, attachment)]
[patch.sarge.incremental (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #136 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Frank Küster <frank@debian.org>
Cc: Martin Pitt <martin.pitt@canonical.com>, 342292@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 9 Dec 2005 17:21:14 +0100
[Message part 1 (text/plain, inline)]
Hi Frank, hi Florian!

Frank Küster [2005-12-08 13:17 +0100]:
> Martin Pitt <martin.pitt@canonical.com> wrote:
> 
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
> 
> We have the same flaw in our upload.  Would you be so kind and check the
> updated patch at 
> 
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0

After discovering that the same flawed multiplication is also present
in upstream's other two patches, I decided to completely rework the
patch.

I attach the debdiff with separated out changelog. Florian, maybe you
can peer-review the patch?

Thanks!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[tetex-bin.CVE-2005-3191_2_3.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #141 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Fri, 09 Dec 2005 18:49:03 +0100
Hi Joey,

Martin Schulze <joey@infodrom.org> wrote:

> The original patch was not sufficient.  I'm attaching the entire and the
> incremental patch.  Please apply the incremental patch to the version in
> sid as well.

Did you see Martin Pitt's "enhanced" patch - do both address the same
problems?

TIA, Frank

P.S. Did you see my mail to -release regarding the tetex-base upload to
stable/proposed-updates?

-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #146 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 342292@bugs.debian.org, Martin Pitt <martin.pitt@canonical.com>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Fri, 09 Dec 2005 19:01:01 +0100
Martin Pitt <mpitt@debian.org> wrote:

> After discovering that the same flawed multiplication is also present
> in upstream's other two patches, I decided to completely rework the
> patch.
>
> I attach the debdiff with separated out changelog. Florian, maybe you
> can peer-review the patch?

Martin and Florian,  Joey Schulze also sent a "fixed" patch to the bug,
see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342292;msg=131

Would you be so kind and review it?

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #151 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Frank Küster <frank@debian.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Fri, 9 Dec 2005 21:45:08 +0100
Frank Küster wrote:
> Hi Joey,
> 
> Martin Schulze <joey@infodrom.org> wrote:
> 
> > The original patch was not sufficient.  I'm attaching the entire and the
> > incremental patch.  Please apply the incremental patch to the version in
> > sid as well.
> 
> Did you see Martin Pitt's "enhanced" patch - do both address the same
> problems?

The appendix removes the duplicate Martin found, so yes.

> P.S. Did you see my mail to -release regarding the tetex-base upload to
> stable/proposed-updates?

No.  Could you forward it?

Regards,

	Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #156 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>, Martin Pitt <mpitt@debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Sun, 11 Dec 2005 13:27:37 +0100
Martin Schulze <joey@infodrom.org> wrote:

> Frank Küster wrote:
>> Hi Joey,
>> 
>> Martin Schulze <joey@infodrom.org> wrote:
>> 
>> > The original patch was not sufficient.  I'm attaching the entire and the
>> > incremental patch.  Please apply the incremental patch to the version in
>> > sid as well.
>> 
>> Did you see Martin Pitt's "enhanced" patch - do both address the same
>> problems?
>
> The appendix removes the duplicate Martin found, so yes.

I looked at both, and it seems that Martin's does more.  I'm speaking of
the patch attached to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342292;msg=136

It introduces limits.h and does the same we did for the xpdf patches at
the beginning of the year, namely change code that can be optimized away
by compilers.  

It seems to me that Martin Pitt's patch also has everything that yours
(Joey's) has, but I'm not completely sure; anyway it seems that also the
stable packages should use the code with limits.h.

Am I correct that the other issues that Florian found are not addressed
by any patch yet, and have not yet been widely published?  Should I
delay an upload to sid until this can be fixed, too?

>> P.S. Did you see my mail to -release regarding the tetex-base upload to
>> stable/proposed-updates?
>
> No.  Could you forward it?

Sent in a separate mail.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #161 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Frank Küster <frank@debian.org>
Cc: 342292@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>, Martin Schulze <joey@infodrom.org>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Mon, 12 Dec 2005 07:35:08 +0100
Hi Frank, hi Joey!

Frank Küster [2005-12-09 19:01 +0100]:
> Martin Pitt <mpitt@debian.org> wrote:
> 
> > After discovering that the same flawed multiplication is also present
> > in upstream's other two patches, I decided to completely rework the
> > patch.
> >
> > I attach the debdiff with separated out changelog. Florian, maybe you
> > can peer-review the patch?
> 
> Martin and Florian,  Joey Schulze also sent a "fixed" patch to the bug,
> see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342292;msg=131
> 
> Would you be so kind and review it?

Sorry for the delay, lots of private stuff to do on the weekend.

+   nVals = width * nComps;
++  totalBits = nVals * nBits;
++  if (totalBits == 0 ||
++      (totalBits / nBits) / nComps != width ||
++      totalBits + 7 < 0) {
++    return;
++  }
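Review bot: this guard forms `totalBits = nVals * nBits` first and only then divides it back with `(totalBits / nBits) / nComps != width`, so the overflow it is meant to catch has already occurred in signed int arithmetic; that is undefined behaviour, and the compiler is free to drop the comparison entirely. The `totalBits + 7 < 0` test has the same problem, since it assumes wraparound. Replace both with a pre-multiplication bound of the `var1 >= INT_MAX/var2` form on width, nComps and nBits, applied before either product is computed.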

Please do not use this part of Joey's patch. As already discussed,
this way of checking a multiplication overflow is unreliable. Please
use the var1 >= INT_MAX/var2 approach, which is the 'standard way' and
avoids integer overflows.

Thanks,

Martin

P. S. Frank, I'm this ---><--- close to build tetex-bin against
poppler, I already have working debs. Just fighting with the build
system a bit. :)

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@canonical.com>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #166 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@canonical.com>
To: Frank Küster <frank@debian.org>
Cc: Martin Schulze <joey@infodrom.org>, 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Mon, 12 Dec 2005 07:46:31 +0100
Hi!

Frank Küster [2005-12-11 13:27 +0100]:
> >> Did you see Martin Pitt's "enhanced" patch - do both address the same
> >> problems?
> >
> > The appendix removes the doublette Martin found, so yes.
> 
> I looked at both, and it seems that Martin's does more.  I'm speaking of
> the patch attached to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342292;msg=136
> 
> It introduces limits.h and does the same we did for the xpdf patches at
> the beginning of the year, namely change code that can be optimized away
> by compilers.  

... or cause an undefined integer overflow.

> It seems to me that Martin Pitt's patch also has everything that yours
> (Joey's) has

As far as I can see, yes.

> Am I correct that the other issues that Florian found are not addressed
> by any patch yet, and have not yet been widely published?  Should I
> delay an upload to sid until this can be fixed, too?

Hm, I'm not aware of any additional issues. Florian raised and
explained why 'p = f1*f2; if (p/f1 != f2)' is flawed, so I updated the
patch to not use it any more. Are there any additional issues I
missed?

Thanks,

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@kuesterei.ch>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #171 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@kuesterei.ch>
To: Martin Pitt <martin.pitt@canonical.com>
Cc: Martin Schulze <joey@infodrom.org>, 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Mon, 12 Dec 2005 09:01:15 +0100
Martin Pitt <martin.pitt@canonical.com> wrote:

> Frank Küster [2005-12-11 13:27 +0100]:
>
>> Am I correct that the other issues that Florian found are not addressed
>> by any patch yet, and have not yet been widely published?  Should I
>> delay an upload to sid until this can be fixed, too?
>
> Hm, I'm not aware of any additional issues. Florian raised and
> explained why 'p = f1*f2; if (p/f1 != f2)' is flawed, so I updated the
> patch to not use it any more. Are there any additional issues I
> missed?

He said that the function gmallocn is flawed; but you're right, this
does not affect tetex-bin (yet), only xpdf.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #176 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Frank Küster <frank@debian.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>, Martin Pitt <mpitt@debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Mon, 12 Dec 2005 08:52:39 +0100
Hi Frank!

Frank Küster wrote:
> I looked at both, and it seems that Martin's does more.  I'm speaking of
> the patch attached to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342292;msg=136
> 
> It introduces limits.h and does the same we did for the xpdf patches at
> the beginning of the year, namely change code that can be optimized away
> by compilers.  

*sigh* You are correct.  I'll add the missing bits as well.

> It seems to me that Martin Pitt's patch also has everything that yours
> (Joey's) has, but I'm not completely sure; anyway it seems that also the
> stable packages should use the code with limits.h.

Aye.

> Am I correct that the other issues that Florian found are not addressed
> by any patch yet, and have not yet been widely published?  Should I
> delay an upload to sid until this can be fixed, too?

Which issues?  *phear*

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #181 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Martin Pitt <mpitt@debian.org>
Cc: Frank Küster <frank@debian.org>, 342292@bugs.debian.org, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Date: Mon, 12 Dec 2005 15:51:09 +0100
Martin Pitt wrote:
> > > After discovering that the same flawed multiplication is also present
> > > in upstream's other two patches, I decided to completely rework the
> > > patch.
> > >
> > > I attach the debdiff with separated out changelog. Florian, maybe you
> > > can peer-review the patch?
> > 
> > Martin and Florian,  Joey Schulze also sent a "fixed" patch to the bug,
> > see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=342292;msg=131
> > 
> > Would you be so kind and review it?
> 
> Sorry for the delay, lots of private stuff to do on the weekend.
> 
> +   nVals = width * nComps;
> ++  totalBits = nVals * nBits;
> ++  if (totalBits == 0 ||
> ++      (totalBits / nBits) / nComps != width ||
> ++      totalBits + 7 < 0) {
> ++    return;
> ++  }
> 
> Please do not use this part of Joey's patch. As already discussed,
> this way of checking a multiplication overflow is unreliable. Please
> use the var1 >= INT_MAX/var2 approach, which is the 'standard way' and
> avoids integer overflows.

Sorry, that slipped through from one of the load of different patches.

It's not that problematic, the line

> ++      (totalBits / nBits) / nComps != width ||

might be optimised by the compiler, but it's not a problem since the
proper check is above the code (at least in my local copy):

+      nComps >= INT_MAX/nBits ||
+      width >= INT_MAX/nComps/nBits) {
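Review bot: both quoted lines divide by nBits and nComps, so they are only sound if a condition earlier in the same `if` has already rejected nBits <= 0 and nComps <= 0; otherwise the division is itself undefined for zero, and a negative factor passes the INT_MAX bound while still yielding a bogus size. Since the message says the full check is above the quoted code, quote that leading part too so the zero/negative handling can be reviewed together with these two lines.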

Regards,

	Joey

-- 
If nothing changes, everything will remain the same.  -- Barne's Law

Please always Cc to me when replying to me on the lists.
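To make the contrast between the two checks concrete, here is an added example, written for this page and not taken from xpdf, poppler or any patch in this thread: it applies the pre-multiplication bound `var1 >= INT_MAX/var2` that Martin asks for and Joey's quoted condition uses to the StreamPredictor row-size computation, so that no product is formed before it is known to fit, which is the point Florian made about `p = f1*f2; if (p/f1 != f2)`. It goes slightly beyond the quoted lines by also rejecting zero and negative factors and guarding the `+ 7` rounding; `row_bytes_checked` and `row_bytes_or_neg` are hypothetical names and the inputs are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper (example code, not xpdf's): bytes needed for one row
 * of `width` samples, `nComps` components each, `nBits` bits per component.
 * Every product is bounded with the `var1 >= INT_MAX/var2` form before it
 * is computed, so signed overflow (undefined behaviour) never happens.
 * Returns false and leaves *rowBytes untouched on invalid or oversized input. */
bool row_bytes_checked(int width, int nComps, int nBits, int *rowBytes)
{
    int nVals, totalBits;

    /* Reject zero and negative factors first: the divisions below need a
     * positive divisor, and a negative factor would slip under the bound. */
    if (width <= 0 || nComps <= 0 || nBits <= 0)
        return false;

    /* Bound nComps*nBits, then width*nComps*nBits, before multiplying.
     * INT_MAX/nComps/nBits equals floor(INT_MAX / (nComps*nBits)); keeping
     * width strictly below it guarantees the triple product fits, and the
     * intermediate width*nComps is no larger, so it fits as well. */
    if (nComps >= INT_MAX / nBits)
        return false;
    if (width >= INT_MAX / nComps / nBits)
        return false;

    nVals = width * nComps;     /* safe: bounded above */
    totalBits = nVals * nBits;  /* safe: bounded above */

    /* Rounding up to whole bytes adds 7; guard that addition instead of
     * relying on a wraparound test such as `totalBits + 7 < 0`. */
    if (totalBits > INT_MAX - 7)
        return false;

    *rowBytes = (totalBits + 7) / 8;
    return true;
}

/* Convenience wrapper: the row byte count, or -1 when the input is rejected. */
int row_bytes_or_neg(int width, int nComps, int nBits)
{
    int rb;
    return row_bytes_checked(width, nComps, nBits, &rb) ? rb : -1;
}

/* Stand-alone driver over constructed inputs. */
int main(void)
{
    struct { int width, nComps, nBits; } cases[] = {
        { 100, 3, 8 },             /* ordinary 8-bit RGB row: 300 bytes */
        { INT_MAX / 8 + 1, 1, 8 }, /* width*nBits would exceed INT_MAX */
        { 10, 0, 8 },              /* zero component count */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("width=%d nComps=%d nBits=%d -> rowBytes=%d (-1 = rejected)\n",
               cases[i].width, cases[i].nComps, cases[i].nBits,
               row_bytes_or_neg(cases[i].width, cases[i].nComps, cases[i].nBits));
    return 0;
}
```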



Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #186 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>, Martin Pitt <mpitt@debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Tue, 13 Dec 2005 18:17:03 +0100
Martin Schulze <joey@infodrom.org> wrote:

>> Am I correct that the other issues that Florian found are not addressed
>> by any patch yet, and have not yet been widely published?  Should I
>> delay an upload to sid until this can be fixed, too?
>
> Which issues?  *phear*

Florian said that the new function gmallocn (used in xpdf >= 3.01 and
derivatives, but not in tetex-bin) isn't safe, either.

I'm currently preparing an upload of tetex-bin linked against libpoppler.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Bug marked as not found in version 3.0-12. Request was from Frank Küster <frank@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #193 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Frank Küster <frank@debian.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>, Martin Pitt <mpitt@debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Wed, 11 Jan 2006 20:50:35 +0100
[Message part 1 (text/plain, inline)]
Frank Küster wrote:
> I'm currently preparing an upload of tetex-bin linked against libpoppler.

I'm attaching the current patch against the version in sarge.  Please
let me know which version in sid fixes these problems.

The corresponding CVE names are:

CVE IDs        : CAN-2005-3191 CAN-2005-3192 CVE-2005-3624 CVE-2005-3625
                 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628


Regards,

	Joey

-- 
Never trust an operating system you don't have source for!

Please always Cc to me when replying to me on the lists.
[x (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Frank Küster <frank@kuesterei.ch>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #198 received at 342292@bugs.debian.org (full text, mbox):

From: Frank Küster <frank@kuesterei.ch>
To: Martin Schulze <joey@infodrom.org>
Cc: 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>, Martin Pitt <mpitt@debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Thu, 12 Jan 2006 10:43:05 +0100
Martin Schulze <joey@infodrom.org> wrote:

> Frank Küster wrote:
>> I'm currently preparing an upload of tetex-bin linked against libpoppler.
>
> I'm attaching the current patch against the version in sarge.  Please
> let me know which version in sid fixes these problems.

None: Since the version in sid links against libpoppler, no changes need
to be made to it.  We just need an up-to-date poppler - and according to
its changelog

poppler (0.4.3-2) unstable; urgency=high

  [ Martin Pitt ]
  * SECURITY UPDATE: Multiple integer/buffer overflows.
  * Add debian/patches/003-CVE-2005-3624_5_7.patch:
[...]
  * Add debian/patches/004-fix-CVE-2005-3192.patch:
[...]
poppler (0.4.3-1) unstable; urgency=high

  * New upstream release.
  * New maintainer (Closes: #344738)
  * CVE-2005-3191 and CAN-2005-2097 fixes merged upstream.

it seems everything is okay there.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer




Information forwarded to debian-bugs-dist@lists.debian.org, teTeX maintainers <debian-tetex-maint@lists.debian.org>:
Bug#342292; Package tetex-bin. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to teTeX maintainers <debian-tetex-maint@lists.debian.org>. Full text and rfc822 format available.

Message #203 received at 342292@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: Frank Küster <frank@debian.org>, 342292@bugs.debian.org, Debian Security Team <team@security.debian.org>, Florian Weimer <fw@deneb.enyo.de>
Subject: Re: Bug#342292: tetex-bin: Multiple exploitable heap overflows in embedded xpdf copy
Date: Thu, 12 Jan 2006 11:57:46 +0100
[Message part 1 (text/plain, inline)]
Hi Joey!

Martin Schulze [2006-01-11 20:50 +0100]:
> I'm attaching the current patch against the version in sarge.  Please
> let me know which version in sid fixes these problems.

BTW, in order to keep a record of these duplicates, I recently created

  http://wiki.debian.org/EmbeddedCodeCopies

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 04:05:47 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:47:33 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:50:57 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:42:51 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.