Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 154316

Summary: sys-apps/texinfo buffer overflow (CVE-2006-4810)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: bernd, chainsaw
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2? [glsa] jaervosz
Package list:
Runtime testing required: ---
Description Flags
texindex.patch none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-06 23:44:42 UTC
Slightly edited:

Miloslav Trmac from Red Hat, discovered a buffer overflow in
texinfo.  The testcase and a patch are attached.  The testcase will crash
when texi2dvi is run on the demo file.  This generates a file called
long-index.cp, which will crash when texindex is run on it (for a shorter
debug path).

Upstream has added this patch to their public CVS, but it's not well known.
It would be appreciated if nobody released an update until 2006-11-07.
I've assigned the name CVE-2006-4810 to this issue.

Here are the gory details:

From what I see, it looks like the code in readline() of texindex.c has
some crazy arithmetic.

char *buffer = linebuffer->buffer;
char *p = linebuffer->buffer;
char *end = p + linebuffer->size;

while (1)
    int c = getc (stream);
    if (p == end)
  buffer = (char *) xrealloc (buffer, linebuffer->size *= 2);
  p += buffer - linebuffer->buffer;
  end += buffer - linebuffer->buffer;
  linebuffer->buffer = buffer;

It would seem that when p == end, p and end are assigned what could be a
random memory addresses as the location of buffer is likely to change with
a realloc from a size of 200 to 400 bytes. p then proceeds to dump trash
on the heap until the current line ends.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-06 23:48:04 UTC
Embargo ends today.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-06 23:48:48 UTC
Created attachment 101376 [details, diff]
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-07 03:29:20 UTC
vapier, you seem to have done the last changes to texinfo

Could you prepare an updated ebuild? 
This is still more or less confidential, so don't commit anything yet.

P.S.: rating still missing, I need some coffee first
Comment 4 SpanKY gentoo-dev 2006-11-08 20:05:23 UTC
ok, but what do you want ?  an update ebuild would simply add the patch posted here

have a local one sitting my cvs that built fine ...
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-09 01:52:20 UTC
This is public now. Vapier please commit.
Comment 6 SpanKY gentoo-dev 2006-11-09 15:48:03 UTC
in portage
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-10 02:26:15 UTC
arches, pls test sys-apps/texinfo-4.8-r5 and mark stable if possible
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-10 05:04:57 UTC
x86 done
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-10 05:13:05 UTC
sparc stable.
Comment 10 Michael Weyershäuser 2006-11-10 18:26:21 UTC
Emerges fine on amd64 and seems to work.

Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64)
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.6
Last Sync: Wed, 08 Nov 2006 05:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
CFLAGS="-march=k8 -msse3 -Os -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Comment 11 Malcolm Lashley (RETIRED) gentoo-dev 2006-11-11 04:37:54 UTC
'Horse-house' on amd64.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-13 09:24:59 UTC
ppc stable
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-14 08:25:36 UTC
Alpha stable.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2006-11-14 16:48:35 UTC
Stable for HPPA.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2006-11-15 05:19:21 UTC
ppc64 stable
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-21 07:36:10 UTC
GLSA 200611-16