Bug 196673 (CVE-2007-0650)

Summary:

app-text/{cstetex, ptex} Multiple issues (CVE-2007-{0650,2756,3387,3472,3473,3474,3475,3476,3477,3478})

Product:

Gentoo Security

Reporter:

Robert Buchholz (RETIRED) <rbu>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

cjk, hkmaly, malenko, mr_bones_, tex, usata

Priority:

High

Version:

unspecified

Hardware:

All

OS:

Linux

Whiteboard:

B2 [glsa]

Package list:

Runtime testing required:

---

Bug Depends on:

Bug Blocks:

140507, 196735

Attachments:

Description	Flags
tetex-2.0.2-makeindex-CVE-2007-0650.patch	none
tetex-2.0.2-xpdf-CVE-2007-3387.patch	none
ptex-3.1.10_p20071030.ebuild	none
files/ptex-3.1.10_p20071030-gentoo.patch	none

Description Robert Buchholz (RETIRED) gentoo-dev

2007-10-21 22:39:59 UTC

pTeX and CSTeX are vulnerable to three issues fixed for teTex in GLSA 200709-17:

1) Makeindex buffer overflows, bug 170861.

CVE-2007-0650:
         Buffer overflow in the open_sty function in mkind.c for makeindex 2.14
         in teTeX might allow user-assisted remote attackers to overwrite files
         and possibly execute arbitrary code via a long filename.  NOTE: other
         overflows exist but might not be exploitable, such as a heap-based
         overflow in the check_idx function.


2) Vulerable XPDF code, bug 188172.

CVE-2007-3387:
         Integer overflow in gpdf before 2.8.2 might allow remote attackers to
         execute arbitrary code via a crafted PDF file.

3) Several issues in GD code, bug 182055.

CVE-2007-3478:
         Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in
         the GD Graphics Library (libgd) before 2.0.35 allows user-assisted
         remote attackers to cause a denial of service (crash) via unspecified
         vectors, possibly involving truetype font (TTF) support.
CVE-2007-3477:
         The (a) imagearc and (b) imagefilledarc functions in GD Graphics
         Library (libgd) before 2.0.35 allows attackers to cause a denial of
         service (CPU consumption) via a large (1) start or (2) end angle
         degree value.
CVE-2007-3476:
         Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
         before 2.0.35 allows user-assisted remote attackers to cause a denial
         of service (crash and heap corruption) via large color index values in
         crafted image data, which results in a segmentation fault.
CVE-2007-3475:
         The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
         remote attackers to cause a denial of service (crash) via a GIF image
         that has no global color map.
CVE-2007-3474:
         Multiple unspecified vulnerabilities in the GIF reader in the GD
         Graphics Library (libgd) before 2.0.35 allow user-assisted remote
         attackers to have unspecified attack vectors and impact.
CVE-2007-3473:
         The gdImageCreateXbm function in the GD Graphics Library (libgd)
         before 2.0.35 allows user-assisted remote attackers to cause a denial
         of service (crash) via unspecified vectors involving a gdImageCreate
         failure.
CVE-2007-3472:
         Integer overflow in gdImageCreateTrueColor function in the GD Graphics
         Library (libgd) before 2.0.35 allows user-assisted remote attackers
         has unspecified attack vectors and impact.
CVE-2007-2756:
         The gdPngReadData function in libgd 2.0.34 allows user-assisted
         attackers to cause a denial of service (CPU consumption) via a crafted
         PNG image with truncated data, which causes an infinite loop in the
         png_read_info function in libpng.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2007-10-21 22:40:37 UTC

Created attachment 134087 [details, diff]
tetex-2.0.2-makeindex-CVE-2007-0650.patch

Patch for (1)

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2007-10-21 22:40:52 UTC

Created attachment 134089 [details, diff]
tetex-2.0.2-xpdf-CVE-2007-3387.patch

Patch for (2)

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2007-10-21 22:42:29 UTC

For (3) you should probably upgrade the bundled GD lib to 2.0.35. teTeX 3 can link to the system GD lib, but teTeX 2 unfortunately cannot.

Comment 4 Robert Buchholz (RETIRED) gentoo-dev

2007-10-21 22:43:52 UTC

Maintainers, please advise. Is upstream alive? If not, please patch as necessary.

Comment 5 Robert Buchholz (RETIRED) gentoo-dev

2007-10-29 22:39:00 UTC

Ping, anyone?

Comment 6 MATSUU Takuto (RETIRED) gentoo-dev

2007-11-01 17:21:56 UTC

sorry for delay.
I (cjk herd) try to fix it, but makes tetex-2.0.2-xpdf-CVE-2007-3387.patch compile failed.

Stream.cc: In constructor 'StreamPredictor::StreamPredictor(Stream*, int, int, int, int)':
Stream.cc:428: error: 'gfxColorMaxComps' was not declared in this scope
make[1]: *** [Stream.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/app-text/ptex-3.1.5-r3/work/tetex-src-2.0.2/libs/xpdf/xpdf'
make: *** [libs/xpdf/xpdf/libxpdf.a] Error 2

it is under survey.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev

2007-11-07 23:47:40 UTC

Please note bug 196735 and bug 198238 contains more issues that both ptex and cstetex are affected by.

Comment 8 Jakub Moc (RETIRED) gentoo-dev

2007-11-08 15:09:01 UTC

I asked about cstetex usage @ http://www.abclinuxu.cz/forum/show/199391 so lets see if there's a *real* reason to keep this package 'alive' or whether we should rather just dump it.

Comment 9 Jaromir Malenko 2007-11-10 10:55:17 UTC

(In reply to comment #8)
> I asked about cstetex usage @ http://www.abclinuxu.cz/forum/show/199391

A brief conclusion of discussion: Nobody insits upon cstetex. The experience with babel in tetex-3, texlive and xetex is good. Skilled users recommended to migrate.

Since there are good alternatives, it's ok to remove cstetex from portage.

Comment 10 Robert Buchholz (RETIRED) gentoo-dev

2007-11-12 23:55:41 UTC

# Alexis Ballier <aballier@gentoo.org> (11 Nov 2007)
# Lots of security issues: bug #196673
# The experience with babel in tetex-3, texlive 
# and xetex is good. Skilled users recommended to migrate.
# Masking for removal: Due 11 Dec 2007
app-text/cstetex

Comment 11 Robert Buchholz (RETIRED) gentoo-dev

2007-11-13 01:21:00 UTC

CJK and Matsuu, we will be removing CSTeX from the tree.

Do you actually still need PTeX  with teTeX's support for other languages and if so, what's the status of the issues piling up here?

Comment 12 MATSUU Takuto (RETIRED) gentoo-dev

2007-11-18 06:22:54 UTC

Created attachment 136217 [details]
ptex-3.1.10_p20071030.ebuild

sorry for delay.

now I create ptex-3.1.10_p20071030.ebuild, it fixed CVE-2007-{0650,3387}, and it use --with-system-gd and --without-dviljk(#198238). but perhaps it doesn't fix some security bugs.

Comment 13 MATSUU Takuto (RETIRED) gentoo-dev

2007-11-18 06:23:34 UTC

Created attachment 136218 [details, diff]
files/ptex-3.1.10_p20071030-gentoo.patch

Comment 14 Robert Buchholz (RETIRED) gentoo-dev

2007-11-18 14:15:11 UTC

Matsuu, please also apply the patches for the XPDF issues from bug 196735 and the dvips patches from bug 198238. Then you're good to go.

You can find an xpdf patch ported to tetex at the tetex-3 ebuilds in the tree.

Comment 15 Robert Buchholz (RETIRED) gentoo-dev

2007-11-18 23:11:46 UTC

(In reply to comment #14)
> Matsuu, please also apply the patches for the XPDF issues from bug 196735 and
> the dvips patches from bug 198238. Then you're good to go.

Add the patch from t1lib to that list -- bug 193437

Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-11-25 22:50:38 UTC

GLSA 200711-34 for cstetex, still waiting for ptex.

Comment 17 MATSUU Takuto (RETIRED) gentoo-dev

2007-11-27 17:37:14 UTC

sorry for long long delay.

the attached ebuild doesn't work well, so I added app-text/ptex to package.mask transiently.

Comment 18 Mr. Bones. (RETIRED) gentoo-dev

2007-11-27 18:53:48 UTC

app-i18n/canna-3.7_p2: nonsolvable depset(depends) keyword(x86) profile (default-linux/x86/2007.0/desktop): solutions: [ app-text/ptex ]
app-text/xdvik-22.84.10: nonsolvable depset(rdepends) keyword(x86) profile (default-linux/x86/2007.0/desktop): solutions: [ app-text/texlive-core, app-text/ptex ]

Need to fix up the dep breakage before masking.  I commented out the mask.  Deps should never be broken by package masking.

Comment 19 MATSUU Takuto (RETIRED) gentoo-dev

2007-11-30 14:32:22 UTC

Added ptex-3.1.10_p20071122.ebuild in cvs. It WORKSFORME(tm).
Please test and mark stable.

Comment 20 Robert Buchholz (RETIRED) gentoo-dev

2007-12-04 01:41:42 UTC

Does it include patches for the XPDF issues from bug 196735? At a first glance, it does not look like it. All other issues seem to be resolved.

Comment 21 MATSUU Takuto (RETIRED) gentoo-dev

2007-12-06 14:57:23 UTC

Added ptex-3.1.10_p20071203 and xpdf patch.

Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-12-10 21:33:08 UTC

Arches, please test and mark stable app-text/ptex-ptex-3.1.10_p20071203. Target "alpha amd64 arm hppa ia64 ppc ppc-macos ppc64 sh sparc x86"

Comment 23 Christian Faulhammer (RETIRED) gentoo-dev

2007-12-11 10:12:20 UTC

x86 stable

Comment 24 Markus Rothe (RETIRED) gentoo-dev

2007-12-11 16:58:27 UTC

ppc64 stable

Comment 25 Alexis Ballier gentoo-dev

2007-12-11 21:11:59 UTC

fyi: cstetex is gone

Comment 26 Peter Weller (RETIRED) gentoo-dev

2007-12-12 07:13:31 UTC

amd64 is gone.

Comment 27 Jeroen Roovers (RETIRED) gentoo-dev

2007-12-13 07:47:47 UTC

Stable for HPPA.

Comment 28 Raúl Porcel (RETIRED) gentoo-dev

2007-12-13 12:00:45 UTC

alpha/ia64/sparc stable

Comment 29 Tobias Scherbaum (RETIRED) gentoo-dev

2007-12-14 18:15:27 UTC

ppc stable

Comment 30 Fabian Groffen gentoo-dev

2008-01-15 17:06:39 UTC

cstetex is gone, ptex no longer keyworded ppc-macos.  Sorry for the long wait.

Comment 31 Peter Volkov (RETIRED) gentoo-dev

2008-02-25 10:45:18 UTC

This bug does not affect 2008.0 shapshot, removing release@ from CC.

Comment 32 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-05-07 22:31:57 UTC

glsa request filed for ptex

Comment 33 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-05-12 21:33:40 UTC

GLSA 200805-13 for Ptex, sorry for the delay.