Bug 170861 - app-text/tetex < 3.0_p1-r4 Multiple buffer overflows (CVE-2007-0650)
Bug#: 170861 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  https://issues.rpath.com/browse/RPL-1036
Summary: app-text/tetex < 3.0_p1-r4 Multiple buffer overflows (CVE-2007-0650)
Keywords:  
Status Whiteboard: B2 [glsa] Falco
Opened: 2007-03-14 12:38 0000
Description:   Opened: 2007-03-14 12:38 0000 
Buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in teTeX
might allow user-assisted remote attackers to overwrite files and possibly
execute arbitrary code via a long filename. NOTE: other overflows exist but
might not be exploitable, such as a heap-based overflow in the check_idx
function.

------- Comment #1 From Raphael Marichez 2007-03-14 12:56:56 0000 ------- 
CCign herd

------- Comment #2 From Raphael Marichez 2007-03-14 13:26:43 0000 ------- 
not all issues are patched according to
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225491

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-05-08 10:28:37 0000 ------- 
Fixes for rPath are out.

------- Comment #4 From Pierre-Yves Rofes 2007-05-31 09:40:04 0000 ------- 
any news here?

------- Comment #5 From Pierre-Yves Rofes 2007-07-19 08:05:09 0000 ------- 
text-markup, any news here?

------- Comment #6 From Robert Buchholz 2007-09-01 13:29:15 0000 ------- 
py, this is maintained by the tex herd in the meantime.

------- Comment #7 From Robert Buchholz 2007-09-01 17:16:40 0000 ------- 
Fixed in app-text/tetex-3.0_p1-r4.

------- Comment #8 From Pierre-Yves Rofes 2007-09-01 22:04:17 0000 ------- 
Thanks rbu. Arches, please test and mark stable app-text/tetex-3.0_p1-r4.
Target keywords are: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc
x86 ~x86-fbsd"

------- Comment #9 From Robert Buchholz 2007-09-01 23:53:23 0000 ------- 
py: shouldn't this bug also block bug 188172?

------- Comment #10 From Christian Faulhammer 2007-09-02 07:52:46 0000 ------- 
x86 stable and I added a other_bugs as suggested by rbu.

------- Comment #11 From Raúl Porcel 2007-09-02 14:37:27 0000 ------- 
alpha/ia64 stable

------- Comment #12 From Markus Rothe 2007-09-02 15:04:17 0000 ------- 
ppc64 stable

------- Comment #13 From Jeroen Roovers 2007-09-02 17:29:27 0000 ------- 
Stable for HPPA.

------- Comment #14 From Jose Luis Rivero (yoswink) 2007-09-02 18:58:32 0000 ------- 
During the merging I saw the message:
"/usr/portage/eclass/tetex-3.eclass: line 36: tetex_pkg_setup: command not
found"

tetex-3.eclass run the function tetex_pkg_setup which is inherited from
tetex.eclass. Problem is that QA remove the whole function as you can see in
bug #156213.

Please remove it from tetex-3.eclass (if is no longer needed).

------- Comment #15 From Robert Buchholz 2007-09-02 19:22:22 0000 ------- 
(In reply to comment #14)
> During the merging I saw the message:
> "/usr/portage/eclass/tetex-3.eclass: line 36: tetex_pkg_setup: command not
> found"
> 
> tetex-3.eclass run the function tetex_pkg_setup which is inherited from
> tetex.eclass. Problem is that QA remove the whole function as you can see in
> bug #156213.
> 
> Please remove it from tetex-3.eclass (if is no longer needed).

This has been reported as bug #191046, too.

------- Comment #16 From Tobias Scherbaum 2007-09-03 17:43:22 0000 ------- 
ppc stable

------- Comment #17 From Jose Luis Rivero (yoswink) 2007-09-04 09:04:44 0000 ------- 
(In reply to comment #15)
> (In reply to comment #14)
> > During the merging I saw the message:
> > "/usr/portage/eclass/tetex-3.eclass: line 36: tetex_pkg_setup: command not
> > found"
> > 
> > tetex-3.eclass run the function tetex_pkg_setup which is inherited from
> > tetex.eclass. Problem is that QA remove the whole function as you can see in
> > bug #156213.
> > 
> > Please remove it from tetex-3.eclass (if is no longer needed).
> 
> This has been reported as bug #191046, too.
> 

Any chance to get it solved before marking tetex as stable?

------- Comment #18 From Bo Ørsted Andresen (RETIRED) 2007-09-04 11:52:05 0000 ------- 
Wrt. bug #189716 (upstream changed the tarball with no bump) thus far two arch
maintainers on this bug has stabled the wrong tarball. For the remaining arch
teams do make sure to fetch the right tarball before stabilizing.. ;)

------- Comment #19 From Robert Buchholz 2007-09-04 12:09:07 0000 ------- 
(In reply to comment #18)
> For the remaining arch
> teams do make sure to fetch the right tarball before stabilizing.. ;)

To be more specific. Please make sure your Manifest contains:
DIST tetex-texmf-3.0.tar.gz 91402377 RMD160
a1e87733fa3cbef04e39a690ed8549aeaaddb241 SHA1
1be97f57a26a6e9b72ebfd932e45914a959aff16 SHA256
6c3b8fa619749cbb28ca0f8847e56773d13e0bb92f1ea34287420950373640c2

(In reply to comment #17)
> > bug #191046.
> Any chance to get it solved before marking tetex as stable?

Peper just fixed it.

------- Comment #20 From Jose Luis Rivero (yoswink) 2007-09-05 10:01:20 0000 ------- 
(In reply to comment #19)
> (In reply to comment #18)
> > For the remaining arch
> > teams do make sure to fetch the right tarball before stabilizing.. ;)
> 
> To be more specific. Please make sure your Manifest contains:
> DIST tetex-texmf-3.0.tar.gz 91402377 RMD160
> a1e87733fa3cbef04e39a690ed8549aeaaddb241 SHA1
> 1be97f57a26a6e9b72ebfd932e45914a959aff16 SHA256
> 6c3b8fa619749cbb28ca0f8847e56773d13e0bb92f1ea34287420950373640c2

Tested the new tarball, works fine.

> 
> (In reply to comment #17)
> > > bug #191046.
> > Any chance to get it solved before marking tetex as stable?
> 
> Peper just fixed it.
> 

Thanks, sparc stable.

------- Comment #21 From Steve Dibb 2007-09-08 01:11:50 0000 ------- 
amd64 stable

------- Comment #22 From Peter Ansell 2007-09-08 08:50:44 0000 ------- 
Please make sure the manifest is correct when stabilising this bug :) It caused
me  about 600MB of download that I know of so far re-downloading the file so it
does have an impact on users.

See bug #189716

------- Comment #23 From Christian Faulhammer 2007-09-08 22:12:28 0000 ------- 
All security supported arches done, glsa should be emitted combining this bug
with bug 182055 and bug 188172.

------- Comment #24 From Robert Buchholz 2007-09-08 23:10:09 0000 ------- 
(In reply to comment #23)
> All security supported arches done, glsa should be emitted combining this bug
> with bug 182055 and bug 188172.

I'd also bet on the outcome, but shouldn't there be a vote?

------- Comment #25 From Pierre-Yves Rofes 2007-09-08 23:18:32 0000 ------- 
nope, not with B2 ;-)

------- Comment #26 From Pierre-Yves Rofes 2007-09-28 08:51:07 0000 ------- 
GLSA 200709-17, thanks everybody and sorry for the delay.

------- Comment #27 From Honza 2007-10-01 08:28:29 0000 ------- 
Isn't cstetex (last version - app-text/cstetex-2.0.2-r2) also affected by this
bug ?

------- Comment #28 From Robert Buchholz 2007-10-21 22:46:34 0000 ------- 
(In reply to comment #27)
> Isn't cstetex (last version - app-text/cstetex-2.0.2-r2) also affected by this
> bug ?

Yes, thanks for reporting. See bug 196673.