Bug 196673 - app-text/{cstetex, ptex} Multiple issues (CVE-2007-{0650,2756,3387,3472,3473,3474,3475,3476,3477,3478})
Bug#: 196673 (CVE-2007-0650)
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
Status Whiteboard: B2 [glsa]
Opened: 2007-10-21 22:39 0000
pTeX and CSTeX are vulnerable to three issues fixed for teTex in GLSA
200709-17:
1) Makeindex buffer overflows, bug 170861.
CVE-2007-0650:
Buffer overflow in the open_sty function in mkind.c for makeindex 2.14
in teTeX might allow user-assisted remote attackers to overwrite files
and possibly execute arbitrary code via a long filename. NOTE: other
overflows exist but might not be exploitable, such as a heap-based
overflow in the check_idx function.
2) Vulnerable XPDF code, bug 188172.
CVE-2007-3387:
Integer overflow in gpdf before 2.8.2 might allow remote attackers to
execute arbitrary code via a crafted PDF file.
3) Several issues in GD code, bug 182055.
CVE-2007-3478:
Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in
the GD Graphics Library (libgd) before 2.0.35 allows user-assisted
remote attackers to cause a denial of service (crash) via unspecified
vectors, possibly involving truetype font (TTF) support.
CVE-2007-3477:
The (a) imagearc and (b) imagefilledarc functions in the GD Graphics
Library (libgd) before 2.0.35 allow attackers to cause a denial of
service (CPU consumption) via a large (1) start or (2) end angle
degree value.
CVE-2007-3476:
Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash and heap corruption) via large color index values in
crafted image data, which results in a segmentation fault.
CVE-2007-3475:
The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
remote attackers to cause a denial of service (crash) via a GIF image
that has no global color map.
CVE-2007-3474:
Multiple unspecified vulnerabilities in the GIF reader in the GD
Graphics Library (libgd) before 2.0.35 allow user-assisted remote
attackers to have unspecified attack vectors and impact.
CVE-2007-3473:
The gdImageCreateXbm function in the GD Graphics Library (libgd)
before 2.0.35 allows user-assisted remote attackers to cause a denial
of service (crash) via unspecified vectors involving a gdImageCreate
failure.
CVE-2007-3472:
Integer overflow in the gdImageCreateTrueColor function in the GD Graphics
Library (libgd) before 2.0.35 allows user-assisted remote attackers
to have unspecified attack vectors and impact.
CVE-2007-2756:
The gdPngReadData function in libgd 2.0.34 allows user-assisted
attackers to cause a denial of service (CPU consumption) via a crafted
PNG image with truncated data, which causes an infinite loop in the
png_read_info function in libpng.
For (3) you should probably upgrade the bundled GD lib to 2.0.35. teTeX 3 can
link to the system GD lib, but teTeX 2 unfortunately cannot.
Maintainers, please advise. Is upstream alive? If not, please patch as
necessary.
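As an added illustration of the bug class behind CVE-2007-3472 above (hypothetical code written for this page, not libgd's or teTeX's own): a truecolor-style allocator whose byte count comes from width * height. The naive variant lets the product wrap, so the buffer ends up far smaller than the pixel loops assume; the checked variant rejects any dimensions whose product cannot be represented before it allocates.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for a truecolor image: one int per pixel. */
typedef struct {
    int sx, sy;
    int *pixels;   /* sx * sy entries */
} image_t;

/* Naive size computation of the kind the CVE describes: the product is
 * taken in 32 bits and wraps for large dimensions, so malloc would be
 * asked for far fewer bytes than later pixel writes touch. This helper
 * only returns the (wrapped) byte count; it never allocates. */
uint32_t naive_pixel_bytes(int sx, int sy)
{
    uint32_t count = (uint32_t)sx * (uint32_t)sy;   /* 65536*65536 wraps to 0 */
    return count * (uint32_t)sizeof(int);
}

/* Hardened check: reject non-positive dimensions and any product that
 * overflows as a pixel count, as a byte count, or as an int index. */
int image_dims_ok(int sx, int sy)
{
    if (sx <= 0 || sy <= 0)
        return 0;
    if ((size_t)sx > SIZE_MAX / (size_t)sy)     /* sx*sy overflows size_t */
        return 0;
    size_t count = (size_t)sx * (size_t)sy;
    if (count > SIZE_MAX / sizeof(int))         /* count*sizeof(int) overflows */
        return 0;
    if (count > (size_t)INT_MAX)                /* keep pixel index in int range */
        return 0;
    return 1;
}

/* Allocate only after the dimensions passed the checks above. */
image_t *image_create_checked(int sx, int sy)
{
    if (!image_dims_ok(sx, sy))
        return NULL;
    image_t *im = malloc(sizeof *im);
    if (!im)
        return NULL;
    im->sx = sx;
    im->sy = sy;
    im->pixels = calloc((size_t)sx * (size_t)sy, sizeof(int));
    if (!im->pixels) {
        free(im);
        return NULL;
    }
    return im;
}

void image_destroy(image_t *im)
{
    if (!im)
        return;
    free(im->pixels);
    free(im);
}
```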
Sorry for the delay.
I (cjk herd) tried to fix it, but tetex-2.0.2-xpdf-CVE-2007-3387.patch makes
the compile fail:
Stream.cc: In constructor 'StreamPredictor::StreamPredictor(Stream*, int, int,
int, int)':
Stream.cc:428: error: 'gfxColorMaxComps' was not declared in this scope
make[1]: *** [Stream.o] Error 1
make[1]: Leaving directory
`/var/tmp/portage/app-text/ptex-3.1.5-r3/work/tetex-src-2.0.2/libs/xpdf/xpdf'
make: *** [libs/xpdf/xpdf/libxpdf.a] Error 2
It is under investigation.
Please note that bug 196735 and bug 198238 contain more issues that both ptex and
cstetex are affected by.
(In reply to comment #8)
> I asked about cstetex usage @ http://www.abclinuxu.cz/forum/show/199391
A brief conclusion of the discussion: Nobody insists upon cstetex. The experience
with babel in tetex-3, texlive and xetex is good. Skilled users recommended
migrating.
Since there are good alternatives, it's ok to remove cstetex from portage.
# Alexis Ballier <aballier@gentoo.org> (11 Nov 2007)
# Lots of security issues: bug #196673
# The experience with babel in tetex-3, texlive
# and xetex is good. Skilled users recommended to migrate.
# Masking for removal: Due 11 Dec 2007
app-text/cstetex
CJK and Matsuu, we will be removing CSTeX from the tree.
Do you actually still need PTeX with teTeX's support for other languages and
if so, what's the status of the issues piling up here?
Created an attachment (id=136217)
ptex-3.1.10_p20071030.ebuild
Sorry for the delay.
I have now created ptex-3.1.10_p20071030.ebuild; it fixes CVE-2007-{0650,3387} and
uses --with-system-gd and --without-dviljk (bug 198238). But perhaps it doesn't
fix some security bugs.
Matsuu, please also apply the patches for the XPDF issues from bug 196735 and
the dvips patches from bug 198238. Then you're good to go.
You can find an xpdf patch ported to tetex at the tetex-3 ebuilds in the tree.
(In reply to comment #14)
> Matsuu, please also apply the patches for the XPDF issues from bug 196735 and
> the dvips patches from bug 198238. Then you're good to go.
Add the patch from t1lib to that list -- bug 193437
GLSA 200711-34 for cstetex, still waiting for ptex.
Sorry for the long, long delay.
The attached ebuild doesn't work well, so I added app-text/ptex to package.mask
transiently.
app-i18n/canna-3.7_p2: nonsolvable depset(depends) keyword(x86) profile
(default-linux/x86/2007.0/desktop): solutions: [ app-text/ptex ]
app-text/xdvik-22.84.10: nonsolvable depset(rdepends) keyword(x86) profile
(default-linux/x86/2007.0/desktop): solutions: [ app-text/texlive-core,
app-text/ptex ]
Need to fix up the dep breakage before masking. I commented out the mask.
Deps should never be broken by package masking.
Added ptex-3.1.10_p20071122.ebuild in cvs. It WORKSFORME(tm).
Please test and mark stable.
Does it include patches for the XPDF issues from bug 196735? At a first glance,
it does not look like it. All other issues seem to be resolved.
Added ptex-3.1.10_p20071203 and xpdf patch.
Arches, please test and mark stable app-text/ptex-3.1.10_p20071203. Target
"alpha amd64 arm hppa ia64 ppc ppc-macos ppc64 sh sparc x86"
cstetex is gone, ptex no longer keyworded ppc-macos. Sorry for the long wait.
This bug does not affect the 2008.0 snapshot, removing release@ from CC.
glsa request filed for ptex
GLSA 200805-13 for Ptex, sorry for the delay.