Bug 219373 - Stabilize app-text/htmldoc-1.8.27-r3 (Was: app-text/htmldoc-1.8.27: crash due to missing boundary checking in render_contents())
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Keywording and Stabilization
Hardware: All Linux
Importance: High enhancement
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL: http://www.htmldoc.org/str.php?L183
Keywords: STABLEREQ
Reported: 2008-04-26 19:15 UTC by Marek Cruz
Modified: 2012-05-06 11:41 UTC

Attachments
render_contents() patch (render_contents.patch, 378 bytes, patch)
2008-04-26 19:21 UTC, Marek Cruz

Description Marek Cruz 2008-04-26 19:15:19 UTC
This is a typical bug with a one-liner patch =)

Reproducible: Always

Steps to Reproduce:
1. htmldoc -f my.pdf *.html

Actual Results:  
SEGFAULT

Expected Results:  
PDF should be created
Comment 1 Marek Cruz 2008-04-26 19:21:15 UTC
Created attachment 151059
render_contents() patch
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-26 20:36:38 UTC
Thanks for your report, but have you tried contacting the upstream developers first? They should directly fix their code, so every distro benefits from the fix, instead of just patching the Gentoo version. 
Comment 3 Marek Cruz 2008-04-26 20:47:24 UTC
No, I haven't contacted the upstream developers, can you please try it?
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-26 20:56:30 UTC
Hmm, for using their bug report system you need to be registered :/
Carlo, as the maintainer, do you have an account by any chance?
Comment 5 Tomas Hoger 2008-05-26 16:03:09 UTC
Have you managed to succeed in your attempts to contact upstream?  Is there any minimal test case available that reproduces the issue?  Thanks!
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-17 12:17:47 UTC
So did anyone contact upstream yet? Carlo?

Marek, do you have a testcase for this?
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-07-18 02:50:42 UTC
It is my understanding that exploitation of this error would not allow 
execution of arbitrary code due to the fact the buffer is just read 
over its boundaries, but not accessed with a write operation.
Since we do not treat user-assisted DoS in user applications as security issues, I will reassign this bug to the maintainer.

Marek, could you please attach the file that caused the segfault, or mail it to security@g.o ?

Plus, I have contacted upstream.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-07-18 15:25:58 UTC
upstream bug: http://www.htmldoc.org/str.php?L183
Comment 9 Marek Cruz 2008-07-22 08:40:00 UTC
This bug shall hit your eye, you don't really need any test case, nor a patch from the author.

Function render_contents() doesn't check the number of headings, it naively tries to read an index out of bounds, then crashes.

With my patch, it checks the bounds before reading. Every programmer must recognize this is extremely obvious.

I couldn't believe my patch hasn't been accepted yet. Now, I cannot be more helpful, since I already deleted that ebook (testcase).
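
The failure class described in comment 9, as an added example that is not htmldoc's code and not the attached patch: a contents walker that indexes a per-heading page table, with the index checked against the heading count before the read. All names (`toc_entry`, `heading_pages`, `render_toc_checked`) and the sample data are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: one page number is recorded per heading found in the body. */
struct toc_entry {
    const char *title;
    size_t heading_index;            /* index into heading_pages[] */
};

/* Outcome of one pass: entries emitted, entries rejected as out of range. */
struct toc_result {
    size_t rendered;
    size_t rejected;
};

/*
 * Resolve each contents entry to a page number. An unchecked version would
 * read heading_pages[e->heading_index] directly; when the contents list
 * refers to more headings than were recorded, that read runs past the end
 * of the array and the process crashes on input the user was handed.
 */
struct toc_result render_toc_checked(const struct toc_entry *toc, size_t toc_len,
        const int *heading_pages, size_t num_headings, FILE *out)
{
    struct toc_result r = {0, 0};
    for (size_t i = 0; i < toc_len; i++) {
        const struct toc_entry *e = &toc[i];
        if (heading_pages == NULL || e->heading_index >= num_headings) {
            r.rejected++;            /* bounds check happens before the read */
            continue;
        }
        if (out)
            fprintf(out, "%s ... %d\n", e->title, heading_pages[e->heading_index]);
        r.rendered++;
    }
    return r;
}

/* Constructed sample: three contents entries, only two recorded headings. */
static const int sample_pages[] = {1, 4};
static const struct toc_entry sample_toc[] = {
    {"Intro", 0}, {"Usage", 1}, {"Appendix", 2},
};

int main(void)
{
    struct toc_result r = render_toc_checked(sample_toc, 3, sample_pages, 2, stdout);
    printf("rendered=%zu rejected=%zu\n", r.rendered, r.rejected);
    return 0;
}
```

Counting rejected entries rather than silently skipping them gives the caller something to log or fail on when a document's contents list and heading table disagree.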
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 21:37:13 UTC
This bug has been resolved upstream, but not within Gentoo.

Upstream accepted the patch; it can be found in revision 1579 at http://svn.easysw.com/public/htmldoc/
Comment 11 Pacho Ramos gentoo-dev 2012-02-11 12:51:38 UTC
+*htmldoc-1.8.27-r3 (11 Feb 2012)
+
+  11 Feb 2012; Pacho Ramos <pacho@gentoo.org> +files/htmldoc-1.8.27-crash.patch,
+  +htmldoc-1.8.27-r3.ebuild:
+  Fix crash, bug #219373 by Marek Cruz.
+
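Review bot: The entry text "Fix crash, bug #219373 by Marek Cruz." does not say what the added files/htmldoc-1.8.27-crash.patch changes or where the fix lives upstream. Consider naming the render_contents() bounds check and the upstream report (http://www.htmldoc.org/str.php?L183) in the entry, so the patch can be dropped with confidence once a release containing the upstream fix is packaged.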

Arches, please test and mark it stable
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2012-02-11 15:36:35 UTC
scanelf shows the following missing dependencies.

sys-libs/zlib-1.2.5-r2
x11-libs/libXpm-3.5.9
Comment 13 Maurizio Camisaschi (amd64 AT) 2012-02-12 00:14:45 UTC
(In reply to comment #12)
> scanelf shows the following missing dependencies.
> 
> sys-libs/zlib-1.2.5-r2
> x11-libs/libXpm-3.5.9

Apart from this, amd64 is ok
Comment 14 Agostino Sarubbo gentoo-dev 2012-02-12 14:36:54 UTC
amd64 stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-15 16:16:43 UTC
Stable for HPPA.
Comment 16 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-02-16 18:41:56 UTC
x86 stable
Comment 17 Tobias Klausmann (RETIRED) gentoo-dev 2012-02-17 21:18:55 UTC
Stable on alpha.
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2012-03-25 16:06:37 UTC
ia64/sparc stable
Comment 19 Brent Baude (RETIRED) gentoo-dev 2012-04-16 19:23:57 UTC
ppc done
Comment 20 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-05-06 11:40:56 UTC
+  06 May 2012; Kacper Kowalik <xarthisius@gentoo.org> -htmldoc-1.8.27-r2.ebuild,
+  htmldoc-1.8.27-r3.ebuild:
+  ppc64 stable wrt #219373, drop old