Bug 198229 - app-text/texlive-core Multiple issues in dviljk
Bug#: 198229 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: trivial Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-text/texlive-core Multiple issues in dviljk
Keywords:  
Status Whiteboard: ~2 [noglsa]
Opened: 2007-11-06 02:13 0000
Description:
dviljk as shipped in app-text/texlive-core-2007-r4 is vulnerable to multiple
buffer overflows and insecure temporary file creation. See attached patch for
details.

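The two bug classes named in this report (fixed-size buffers overrun by over-long input, and temporary files created at a guessable name before being opened) are shown below in their hardened form. This is added example code, not dviljk's source and not the patch attached to this bug; NAME_MAX_LEN, the "dvilj.XXXXXX" template, the function names and the file content are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* for mkstemp(), fstat() under strict ISO C */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

#define NAME_MAX_LEN 64   /* assumed size of a driver's file-name buffer */

/* Bounded copy into a caller-sized buffer: refuses input that would not
 * fit (terminator included) instead of writing past the end. */
int copy_name_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Exercise copy_name_bounded with a guard byte placed right after the
 * buffer.  Returns 0 (copied), -1 (rejected) or -2 (guard clobbered). */
int demo_bounded_copy(const char *src)
{
    struct { char name[NAME_MAX_LEN]; unsigned char guard; } s;
    s.guard = 0xA5;
    int rc = copy_name_bounded(s.name, sizeof s.name, src);
    if (s.guard != 0xA5)
        return -2;
    return rc;
}

/* Same check with a constructed over-long name (2 * NAME_MAX_LEN 'A's). */
int demo_bounded_copy_overlong(void)
{
    char big[NAME_MAX_LEN * 2 + 1];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return demo_bounded_copy(big);
}

/* Create a temporary file safely: mkstemp() picks an unpredictable name
 * and opens it with O_CREAT|O_EXCL and mode 0600 in a single step, so an
 * attacker cannot pre-place a symlink at a guessed name (the race that a
 * fixed name or tmpnam() followed by fopen() leaves open).  Returns the
 * open descriptor or -1; the chosen path is written to path_out. */
int create_temp_file(char *path_out, size_t path_sz)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path_out, path_sz, "%s/dvilj.XXXXXX", dir);
    if (n < 0 || (size_t)n >= path_sz)
        return -1;                       /* path would be truncated */
    return mkstemp(path_out);
}

/* Create, verify, use and remove a temporary file entirely through the
 * descriptor, never re-opening it by name.  Returns 1 on success, 0 on
 * any failure. */
int demo_secure_tempfile(void)
{
    char path[4096];
    int fd = create_temp_file(path, sizeof path);
    if (fd < 0)
        return 0;
    int ok = 0;
    struct stat st;
    if (fstat(fd, &st) == 0
        && S_ISREG(st.st_mode)
        && (st.st_mode & 0077) == 0      /* no group/other access */
        && st.st_nlink == 1)             /* not a hard link to something else */
        ok = 1;
    const char msg[] = "PJL placeholder\n";  /* constructed content */
    if (ok && write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        ok = 0;
    if (unlink(path) != 0)               /* remove while still holding fd */
        ok = 0;
    if (close(fd) != 0)
        ok = 0;
    return ok;
}

int main(void)
{
    printf("short name:      %d\n", demo_bounded_copy("texput.dvi"));
    printf("over-long name:  %d\n", demo_bounded_copy_overlong());
    printf("secure tempfile: %d\n", demo_secure_tempfile());
    return 0;
}
```

The guard byte in demo_bounded_copy is there so the test can observe that a rejected name leaves the byte after the buffer untouched; in real driver code the equivalent fix is simply to replace every unbounded strcpy/sprintf into a fixed array with a length-checked copy, and to keep the mkstemp() descriptor for all later I/O instead of reopening the path.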
------- Comment #1 From Robert Buchholz 2007-11-06 02:15:09 0000 -------
Created an attachment (id=135304)
dviljk-security-fixes

Extracted from Debian's texlive package.

------- Comment #2 From Robert Buchholz 2007-11-06 02:15:40 0000 -------
Alexis, please advise.

------- Comment #3 From Alexis Ballier 2007-11-06 09:32:46 0000 -------
Wow, this patch is ugly, lots of cosmetic changes. I'll have to clean it a bit
first.

Besides that, I'll have to check it very carefully; some things concern me:
+        if ( include_file ) {

include_file is a pointer, initialized to NULL, so IMHO tests against zero should be
replaced by tests for being different from NULL (sometimes it's tested against
NULL, other times against zero).

Otherwise, on a first read, the patch seems sane.

------- Comment #4 From Robert Buchholz 2007-11-06 09:50:42 0000 -------
(In reply to comment #3)
> Wow, this patch is ugly, lots of cosmetic changes. I'll have to clean it a bit
> first.

Sorry, it's the way upstream committed it.


> Besides that, I'll have to check it very carefully; some things concern me:
> +        if ( include_file ) {
> 
> include_file is a pointer, initialized to NULL, so IMHO tests against zero should be
> replaced by tests for being different from NULL (sometimes it's tested against
> NULL, other times against zero).

Isn't 0 == NULL ?

------- Comment #5 From Alexis Ballier 2007-11-06 09:52:58 0000 -------
(In reply to comment #4)
> > Besides that, I'll have to check it very carefully; some things concern me:
> > +        if ( include_file ) {
> > 
> > include_file is a pointer, initialized to NULL, so IMHO tests against zero should be
> > replaced by tests for being different from NULL (sometimes it's tested against
> > NULL, other times against zero).
> 
> Isn't 0 == NULL ?


Usually yes, but IIRC the standards don't specify it. I'll check that.

------- Comment #6 From Alexis Ballier 2007-11-06 23:28:37 0000 -------
After checking, if(mypointer) is perfectly valid for checking against null;
it's mypointer=0 that is not.


Fixed in -r5; I removed most of the cosmetic changes.

------- Comment #7 From Robert Buchholz 2007-11-07 13:57:23 0000 -------
Created an attachment (id=135423)
texlive-core-2007-dviljk-security-fixes.patch

Just for reference, this is the cleaned-up patch Alexis applied.

------- Comment #8 From Robert Buchholz 2007-11-13 01:18:22 0000 -------
*texlive-core-2007-r5 (06 Nov 2007)

  06 Nov 2007; Alexis Ballier <aballier@gentoo.org>
  -texlive-core-2007-r3.ebuild, -texlive-core-2007-r4.ebuild,
  +texlive-core-2007-r5.ebuild:
  fixes for buffer overflow in dviljk, bug #198229