Bug 154316 - sys-apps/texinfo buffer overflow (CVE-2006-4810)
Summary: sys-apps/texinfo buffer overflow (CVE-2006-4810)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2? [glsa] jaervosz
Depends on:
Reported: 2006-11-06 23:44 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-11-21 07:36 UTC (History)

Attachment 101376: texindex.patch (437 bytes, patch), 2006-11-06 23:48 UTC, Sune Kloppenborg Jeppesen

Description Sune Kloppenborg Jeppesen gentoo-dev 2006-11-06 23:44:42 UTC
Slightly edited:

Miloslav Trmac from Red Hat, discovered a buffer overflow in
texinfo.  The testcase and a patch are attached.  The testcase will crash
when texi2dvi is run on the demo file.  This generates a file called
long-index.cp, which will crash when texindex is run on it (for a shorter
debug path).

Upstream has added this patch to their public CVS, but it's not well known.
It would be appreciated if nobody released an update until 2006-11-07.
I've assigned the name CVE-2006-4810 to this issue.

Here are the gory details:

From what I see, it looks like the code in readline() of texindex.c has
some crazy arithmetic.

char *buffer = linebuffer->buffer;
char *p = linebuffer->buffer;
char *end = p + linebuffer->size;

while (1)
  {
    int c = getc (stream);
    if (p == end)
      {
        buffer = (char *) xrealloc (buffer, linebuffer->size *= 2);
        p += buffer - linebuffer->buffer;
        end += buffer - linebuffer->buffer;
        linebuffer->buffer = buffer;
      }
    /* ... c is stored through p; the loop stops at end of line ... */
  }

It would seem that when p == end, p and end are assigned what could be
random memory addresses, as the location of buffer is likely to change with
a realloc from a size of 200 to 400 bytes. p then proceeds to dump trash
on the heap until the current line ends.
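To make the arithmetic above concrete, here is an added example; it is not code from the report, from Red Hat or from texinfo. It replays the control flow of the quoted readline() loop against an in-memory string instead of a FILE*, once with the original pointer arithmetic and once with p and end rebased on the new block, and bounds-checks every store against the real allocation so that out-of-bounds stores are counted rather than performed. The struct and field names follow the snippet; run_readline, readline_trace and the 4-byte initial size are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirror of the linebuffer used by the quoted snippet. */
struct linebuffer
{
  size_t size;     /* allocated size of buffer */
  char *buffer;
};

/* What one replay observed (helper type, assumed for this example). */
struct readline_trace
{
  size_t reallocs;         /* how many times the buffer was grown */
  size_t overflow_writes;  /* stores that would have landed past the allocation */
  long line_len;           /* what readline() would return: p - buffer */
};

/* fixed == 0 replays the vulnerable pointer arithmetic; fixed != 0 rebases
   p on the new block and moves end to the new allocation limit. */
static struct readline_trace
run_readline (const char *input, size_t initial_size, int fixed)
{
  struct readline_trace t = { 0, 0, 0 };
  struct linebuffer lb;
  lb.size = initial_size;
  lb.buffer = malloc (lb.size);
  if (lb.buffer == NULL)
    abort ();

  char *buffer = lb.buffer;
  char *p = lb.buffer;
  char *end = p + lb.size;

  while (1)
    {
      int c = *input ? (unsigned char) *input++ : EOF;  /* stand-in for getc() */
      if (p == end)
        {
          size_t used = (size_t) (p - lb.buffer);
          t.reallocs++;
          lb.size *= 2;
          buffer = realloc (buffer, lb.size);
          if (buffer == NULL)
            abort ();
          if (fixed)
            {
              p = buffer + used;
              end = buffer + lb.size;
            }
          else
            {
              /* Original: shift both pointers by the relocation delta only
                 (integer arithmetic here, same result as the pointer form).
                 end is never advanced by the extra size, so p == end still
                 holds, the store below lands at the old limit, and once p
                 moves past end the equality check can never fire again. */
              uintptr_t delta = (uintptr_t) buffer - (uintptr_t) lb.buffer;
              p = (char *) ((uintptr_t) p + delta);
              end = (char *) ((uintptr_t) end + delta);
            }
          lb.buffer = buffer;
        }
      /* Every store is checked against the real allocation. */
      int in_bounds = (size_t) (p - buffer) < lb.size;
      if (c < 0 || c == '\n')
        {
          if (in_bounds) *p = 0; else t.overflow_writes++;
          break;
        }
      if (in_bounds) *p = (char) c; else t.overflow_writes++;
      p++;
    }

  t.line_len = p - buffer;
  free (buffer);
  return t;
}

int
main (void)
{
  /* Constructed input: a 12-byte line read into a 4-byte initial buffer. */
  const char *line = "abcdefghijkl";
  struct readline_trace bad = run_readline (line, 4, 0);
  struct readline_trace good = run_readline (line, 4, 1);
  printf ("vulnerable: reallocs=%zu out-of-bounds stores=%zu\n",
          bad.reallocs, bad.overflow_writes);
  printf ("fixed:      reallocs=%zu out-of-bounds stores=%zu\n",
          good.reallocs, good.overflow_writes);
  return 0;
}
```

With the vulnerable arithmetic the buffer is grown exactly once and every byte beyond twice the initial size, terminating NUL included, is written past the allocation; with the rebased pointers the buffer is grown as often as the line needs and no store falls outside it. In texindex itself the stores are real, which is why the attached long-index.cp crashes it.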
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-06 23:48:04 UTC
Embargo ends today.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-06 23:48:48 UTC
Created attachment 101376
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-07 03:29:20 UTC
vapier, you seem to have done the last changes to texinfo

Could you prepare an updated ebuild? 
This is still more or less confidential, so don't commit anything yet.

P.S.: rating still missing, I need some coffee first
Comment 4 SpanKY gentoo-dev 2006-11-08 20:05:23 UTC
ok, but what do you want?  an updated ebuild would simply add the patch posted here

have a local one sitting in my cvs that built fine ...
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-09 01:52:20 UTC
This is public now. Vapier please commit.
Comment 6 SpanKY gentoo-dev 2006-11-09 15:48:03 UTC
in portage
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-10 02:26:15 UTC
arches, pls test sys-apps/texinfo-4.8-r5 and mark stable if possible
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-10 05:04:57 UTC
x86 done
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-10 05:13:05 UTC
sparc stable.
Comment 10 Michael Weyershäuser 2006-11-10 18:26:21 UTC
Emerges fine on amd64 and seems to work.

Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64)
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.6
Last Sync: Wed, 08 Nov 2006 05:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
CFLAGS="-march=k8 -msse3 -Os -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Comment 11 Malcolm Lashley (RETIRED) gentoo-dev 2006-11-11 04:37:54 UTC
'Horse-house' on amd64.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-13 09:24:59 UTC
ppc stable
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-14 08:25:36 UTC
Alpha stable.
Comment 14 Jeroen Roovers gentoo-dev 2006-11-14 16:48:35 UTC
Stable for HPPA.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2006-11-15 05:19:21 UTC
ppc64 stable
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-21 07:36:10 UTC
GLSA 200611-16