Bug#: 198229
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
dviljk-security-fixes (patch), Robert Buchholz, 2007-11-06 02:15 0000, 67.29 KB
texlive-core-2007-dviljk-security-fixes.patch (patch), Robert Buchholz, 2007-11-07 13:57 0000, 33.29 KB
Description:   Opened: 2007-11-06 02:13 0000
dviljk as shipped in app-text/texlive-core-2007-r4 is vulnerable to multiple
buffer overflows and insecure temporary file creation. See attached patch for
details.
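The report names two bug classes, unbounded copies into fixed buffers and insecure temporary file creation, without quoting the affected code. The following is an added example, not code from dviljk, TeX Live or either attached patch: it shows a hardened form of each pattern (a bounded copy that rejects over-long names, and mkstemp() in place of picking a name and then opening it) together with a check that the temporary file really was created exclusively. All function names, the buffer size and the template path are hypothetical.

```c
/* Added example (not code from dviljk, TeX Live or the attached patches):
 * the two bug classes named in the report, an unbounded copy into a fixed
 * buffer and a predictable temporary file, each shown in a hardened form.
 * All names, sizes and paths below are hypothetical. */
#define _XOPEN_SOURCE 500
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NAME_BUF 64   /* hypothetical fixed buffer size for a file name */

/* Unsafe pattern (not executed here): strcpy(dst, src) into a fixed-size dst
 * writes past the end when src is longer than the buffer. This bounded
 * version refuses over-long input instead, leaving room for the terminator. */
int copy_name_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Unsafe pattern (not executed here): name = tmpnam(NULL); fopen(name, "w").
 * Between choosing the name and opening it, another local user can create
 * that path (for example as a symlink). mkstemp() picks the name and opens
 * it with O_CREAT|O_EXCL and mode 0600 in one step, so that window is gone.
 * Returns the open fd (>= 0) and leaves the chosen path in `path`. */
int open_private_tempfile(char *path, size_t pathsz)
{
    /* constructed template; mkstemp replaces the trailing XXXXXX */
    if (copy_name_bounded(path, pathsz, "/tmp/dvilj_example_XXXXXX") != 0)
        return -1;
    return mkstemp(path);
}

/* Verify exclusivity: a second O_CREAT|O_EXCL open of the same name must
 * fail with EEXIST. Returns 1 when the file is exclusive, 0 otherwise. */
int tempfile_is_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {          /* should not happen: the file already exists */
        close(fd);
        return 0;
    }
    return errno == EEXIST;
}

int main(void)
{
    char name[NAME_BUF];
    char path[NAME_BUF];
    /* constructed input, longer than NAME_BUF */
    const char *long_input =
        "this-file-name-is-much-longer-than-the-sixty-four-byte-buffer-it-is-copied-into.dvi";

    printf("bounded copy of long name: %s\n",
           copy_name_bounded(name, sizeof name, long_input) == 0 ? "accepted" : "rejected");

    int fd = open_private_tempfile(path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("temp file %s exclusive: %s\n", path,
           tempfile_is_exclusive(path) ? "yes" : "no");
    close(fd);
    unlink(path);
    return 0;
}
```

Compile with `cc example.c -o example` and run it; the long constructed name is rejected rather than overflowing, and the temporary file is reported as exclusive because the second exclusive open fails with EEXIST.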

------- Comment #1 From Robert Buchholz 2007-11-06 02:15:09 0000 -------
Created an attachment (id=135304) [details]
dviljk-security-fixes

Extracted from Debian's texlive package.

------- Comment #2 From Robert Buchholz 2007-11-06 02:15:40 0000 -------
Alexis, please advise.

------- Comment #3 From Alexis Ballier 2007-11-06 09:32:46 0000 -------
wow this patch is ugly, lots of cosmetic changes. I'll have to clean it a bit
first.

Besides that, I'll have to check it very carefully; some things concern me:
+        if ( include_file ) {

include_file is a pointer, initialized to NULL, so imho tests against zero should be
replaced by tests for being different from NULL (and sometimes it's tested against
NULL, other times against zero)

otherwise, as a first read, patch seems sane.

------- Comment #4 From Robert Buchholz 2007-11-06 09:50:42 0000 -------
(In reply to comment #3)
> wow this patch is ugly, lots of cosmetic changes. I'll have to clean it a bit
> first.

Sorry, it's the way upstream committed it.


> Besides that, I'll have to check it very carefully; some things concern me:
> +        if ( include_file ) {
> 
> include_file is a pointer, initialized to NULL, so imho tests against zero should be
> replaced by tests for being different from NULL (and sometimes it's tested against
> NULL, other times against zero)

Isn't 0 == NULL ?

------- Comment #5 From Alexis Ballier 2007-11-06 09:52:58 0000 -------
(In reply to comment #4)
> > Besides that, I'll have to check it very carefully; some things concern me:
> > +        if ( include_file ) {
> > 
> > include_file is a pointer, initialized to NULL, so imho tests against zero should be
> > replaced by tests for being different from NULL (and sometimes it's tested against
> > NULL, other times against zero)
> 
> Isn't 0 == NULL ?


usually yes, but iirc the standards don't specify it. I'll check that.

------- Comment #6 From Alexis Ballier 2007-11-06 23:28:37 0000 -------
after checking, if(mypointer) is perfectly valid for checking against null.
it's mypointer=0 that is not.


fixed in -r5, I removed most of the cosmetic changes.

------- Comment #7 From Robert Buchholz 2007-11-07 13:57:23 0000 -------
Created an attachment (id=135423) [details]
texlive-core-2007-dviljk-security-fixes.patch

Just for reference, the cleaned up patch Alexis applied.

------- Comment #8 From Robert Buchholz 2007-11-13 01:18:22 0000 -------
*texlive-core-2007-r5 (06 Nov 2007)

  06 Nov 2007; Alexis Ballier <aballier@gentoo.org>
  -texlive-core-2007-r3.ebuild, -texlive-core-2007-r4.ebuild,
  +texlive-core-2007-r5.ebuild:
  fixes for buffer overflow in dviljk, bug #198229
