Slightly edited: Miloslav Trmac from Red Hat discovered a buffer overflow in texinfo. The testcase and a patch are attached. The testcase will crash when texi2dvi is run on the demo file. This generates a file called long-index.cp, which will crash when texindex is run on it (for a shorter debug path). Upstream has added this patch to their public CVS, but it's not well known. It would be appreciated if nobody released an update until 2006-11-07. I've assigned the name CVE-2006-4810 to this issue.

Here are the gory details: From what I see, it looks like the code in readline() of texindex.c has some crazy arithmetic.

    char *buffer = linebuffer->buffer;
    char *p = linebuffer->buffer;
    char *end = p + linebuffer->size;

    while (1)
      {
        int c = getc (stream);
        if (p == end)
          {
            buffer = (char *) xrealloc (buffer, linebuffer->size *= 2);
            p += buffer - linebuffer->buffer;
            end += buffer - linebuffer->buffer;
            linebuffer->buffer = buffer;

It would seem that when p == end, p and end are assigned what could be random memory addresses, as the location of buffer is likely to change with a realloc from a size of 200 to 400 bytes. p then proceeds to dump trash on the heap until the current line ends.
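The following is an added example, not code from the bug report and not the attached texindex.patch. It models the growth step quoted above in two ways: end_offset_after_grow() tracks the offsets of p and end with plain arithmetic (nothing is dereferenced) and shows that shifting end by the relocation delta leaves the usable limit at the old size, while readline_fixed() is a complete line reader in the style of texindex.c that instead recomputes end from the new size after realloc. The initial size of 200 follows the report; the function names, the xrealloc wrapper and the constructed test input are assumptions of this example.

```c
/* Added example (not the texinfo code or its patch): a growable line reader
 * in the style of texindex.c readline(), with `end` recomputed after realloc.
 * Assumed: initial size 200 (from the report), helper names, test input. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct linebuffer {
    size_t size;
    char *buffer;
};

static void *xrealloc(void *p, size_t n)
{
    void *q = realloc(p, n);
    if (!q) { perror("realloc"); exit(EXIT_FAILURE); }
    return q;
}

static void initbuffer(struct linebuffer *lb)
{
    lb->size = 200;                      /* size mentioned in the report */
    lb->buffer = xrealloc(NULL, lb->size);
}

/* Offset model of the growth step when p == end at offset `size`.
 * original (fixed == 0): end += new_buffer - old_buffer, i.e. end moves
 *   with the block but its offset stays at the OLD size, so p never hits
 *   p == end again and keeps writing past the allocation.
 * fixed (fixed != 0): end = buffer + new size, the real limit. */
static size_t end_offset_after_grow(size_t size, int fixed)
{
    size_t new_size = size * 2;
    return fixed ? new_size : size;
}

/* Reads one line (newline stripped) into lb->buffer and returns its length.
 * Returns (size_t)-1 at EOF with no data. */
static size_t readline_fixed(struct linebuffer *lb, FILE *stream)
{
    char *buffer = lb->buffer;
    char *p = lb->buffer;
    char *end = p + lb->size;

    while (1) {
        int c = getc(stream);
        if (p == end) {
            size_t off = (size_t)(p - buffer);   /* save before realloc moves it */
            lb->size *= 2;
            buffer = xrealloc(buffer, lb->size);
            p = buffer + off;
            end = buffer + lb->size;              /* limit of the NEW block */
            lb->buffer = buffer;
        }
        if (c < 0 || c == '\n') {
            if (c < 0 && p == buffer)
                return (size_t)-1;
            *p = '\0';                            /* p < end here, room for NUL */
            break;
        }
        *p++ = (char)c;
    }
    return (size_t)(p - buffer);
}

/* Constructed input: `long_len` x's, a newline, then "ab". Reads the long
 * line and returns its length; stores the grown buffer size in *final_size
 * if non-NULL. Returns (size_t)-2 if the buffer contents are wrong. */
static size_t read_constructed_long_line(size_t long_len, size_t *final_size)
{
    char *text = xrealloc(NULL, long_len + 8);
    memset(text, 'x', long_len);
    memcpy(text + long_len, "\nab\n", 5);

    FILE *f = fmemopen(text, strlen(text), "r");
    struct linebuffer lb;
    initbuffer(&lb);

    size_t n = readline_fixed(&lb, f);
    if (strspn(lb.buffer, "x") != long_len)
        n = (size_t)-2;
    if (final_size)
        *final_size = lb.size;

    fclose(f);
    free(lb.buffer);
    free(text);
    return n;
}

static size_t buffer_size_after_long_line(size_t long_len)
{
    size_t final_size = 0;
    read_constructed_long_line(long_len, &final_size);
    return final_size;
}

int main(void)
{
    printf("1000-byte line read: %zu bytes, buffer grew 200 -> %zu\n",
           read_constructed_long_line(1000, NULL), buffer_size_after_long_line(1000));
    printf("end offset after growth from 200: original %zu, fixed %zu\n",
           end_offset_after_grow(200, 0), end_offset_after_grow(200, 1));
    return 0;
}
```

With the 1000-byte line the buffer doubles three times (200, 400, 800, 1600) and every write stays below end; with the original arithmetic the offset of end would have stayed at 200 after the first doubling, which is the condition the report describes as p dumping the rest of the line onto the heap.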
Embargo ends today.
Created attachment 101376 [details, diff] texindex.patch
vapier, you seem to have done the last changes to texinfo. Could you prepare an updated ebuild? This is still more or less confidential, so don't commit anything yet. P.S.: rating still missing, I need some coffee first.
ok, but what do you want? An updated ebuild would simply add the patch posted here. I have a local one sitting in my cvs that built fine ...
This is public now. Vapier please commit.
in portage
arches, pls test sys-apps/texinfo-4.8-r5 and mark stable if possible
x86 done
sparc stable.
Emerges fine on amd64 and seems to work.

    Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64)
    =================================================================
    System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
    Gentoo Base System version 1.12.6
    Last Sync: Wed, 08 Nov 2006 05:00:01 +0000
    distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
    ccache version 2.3 [enabled]
    app-admin/eselect-compiler: [Not Present]
    dev-java/java-config: 1.3.7, 2.0.30
    dev-lang/python: 2.4.3-r4
    dev-python/pycrypto: 2.0.1-r5
    dev-util/ccache: 2.3
    dev-util/confcache: [Not Present]
    sys-apps/sandbox: 1.2.17
    sys-devel/autoconf: 2.13, 2.60
    sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
    sys-devel/binutils: 2.16.1-r3
    sys-devel/gcc-config: 1.3.13-r4
    sys-devel/libtool: 1.5.22
    virtual/os-headers: 2.6.11-r2
    ACCEPT_KEYWORDS="amd64"
    AUTOCLEAN="yes"
    CBUILD="x86_64-pc-linux-gnu"
    CFLAGS="-march=k8 -msse3 -Os -pipe"
    CHOST="x86_64-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
    CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
    CXXFLAGS="-march=k8 -msse3 -Os -pipe"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
    GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
    LDFLAGS="-Wl,-O1"
    MAKEOPTS="-j4"
    PKGDIR="/usr/portage/packages"
    PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/local/portage_overlay"
    SYNC="rsync://server/gentoo-portage"
    USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
    Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
'Horse-house' on amd64.
ppc stable
Alpha stable.
Stable for HPPA.
ppc64 stable
GLSA 200611-16