pTeX and CSTeX are vulnerable to three issues fixed for teTeX in GLSA 200709-17:

1) Makeindex buffer overflows, bug 170861.
CVE-2007-0650: Buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in teTeX might allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename. NOTE: other overflows exist but might not be exploitable, such as a heap-based overflow in the check_idx function.

2) Vulnerable XPDF code, bug 188172.
CVE-2007-3387: Integer overflow in gpdf before 2.8.2 might allow remote attackers to execute arbitrary code via a crafted PDF file.

3) Several issues in GD code, bug 182055.
CVE-2007-3478: Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors, possibly involving truetype font (TTF) support.
CVE-2007-3477: The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allow attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value.
CVE-2007-3476: Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault.
CVE-2007-3475: The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map.
CVE-2007-3474: Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 allow user-assisted remote attackers to have unspecified attack vectors and impact.
CVE-2007-3473: The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure.
CVE-2007-3472: Integer overflow in the gdImageCreateTrueColor function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to have unspecified attack vectors and impact.
CVE-2007-2756: The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng.
Created attachment 134087 [details, diff] tetex-2.0.2-makeindex-CVE-2007-0650.patch Patch for (1)
Created attachment 134089 [details, diff] tetex-2.0.2-xpdf-CVE-2007-3387.patch Patch for (2)
For (3) you should probably upgrade the bundled GD lib to 2.0.35. teTeX 3 can link to the system GD lib, but teTeX 2 unfortunately cannot.
Maintainers, please advise. Is upstream alive? If not, please patch as necessary.
Ping, anyone?
Sorry for the delay. I (cjk herd) am trying to fix it, but tetex-2.0.2-xpdf-CVE-2007-3387.patch makes the compile fail:

Stream.cc: In constructor 'StreamPredictor::StreamPredictor(Stream*, int, int, int, int)':
Stream.cc:428: error: 'gfxColorMaxComps' was not declared in this scope
make[1]: *** [Stream.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/app-text/ptex-3.1.5-r3/work/tetex-src-2.0.2/libs/xpdf/xpdf'
make: *** [libs/xpdf/xpdf/libxpdf.a] Error 2

It is under survey.
Please note that bug 196735 and bug 198238 contain more issues that both ptex and cstetex are affected by.
I asked about cstetex usage @ http://www.abclinuxu.cz/forum/show/199391 so let's see if there's a *real* reason to keep this package 'alive' or whether we should rather just dump it.
(In reply to comment #8)
> I asked about cstetex usage @ http://www.abclinuxu.cz/forum/show/199391

A brief conclusion of the discussion: Nobody insists upon cstetex. The experience with babel in tetex-3, texlive and xetex is good. Skilled users recommended migrating. Since there are good alternatives, it's ok to remove cstetex from portage.
# Alexis Ballier <aballier@gentoo.org> (11 Nov 2007)
# Lots of security issues: bug #196673
# The experience with babel in tetex-3, texlive
# and xetex is good. Skilled users recommended to migrate.
# Masking for removal: Due 11 Dec 2007
app-text/cstetex
CJK and Matsuu, we will be removing CSTeX from the tree. Do you actually still need PTeX with teTeX's support for other languages and if so, what's the status of the issues piling up here?
Created attachment 136217 [details] ptex-3.1.10_p20071030.ebuild

Sorry for the delay. I have now created ptex-3.1.10_p20071030.ebuild; it fixes CVE-2007-{0650,3387} and uses --with-system-gd and --without-dviljk (#198238), but perhaps it doesn't fix some security bugs.
Created attachment 136218 [details, diff] files/ptex-3.1.10_p20071030-gentoo.patch
Matsuu, please also apply the patches for the XPDF issues from bug 196735 and the dvips patches from bug 198238. Then you're good to go. You can find an xpdf patch ported to tetex at the tetex-3 ebuilds in the tree.
(In reply to comment #14)
> Matsuu, please also apply the patches for the XPDF issues from bug 196735 and
> the dvips patches from bug 198238. Then you're good to go.

Add the patch from t1lib to that list -- bug 193437
GLSA 200711-34 for cstetex, still waiting for ptex.
Sorry for the long delay. The attached ebuild doesn't work well, so I added app-text/ptex to package.mask temporarily.
app-i18n/canna-3.7_p2: nonsolvable depset(depends) keyword(x86) profile (default-linux/x86/2007.0/desktop): solutions: [ app-text/ptex ]
app-text/xdvik-22.84.10: nonsolvable depset(rdepends) keyword(x86) profile (default-linux/x86/2007.0/desktop): solutions: [ app-text/texlive-core, app-text/ptex ]

Need to fix up the dep breakage before masking. I commented out the mask. Deps should never be broken by package masking.
Added ptex-3.1.10_p20071122.ebuild in cvs. It WORKSFORME(tm). Please test and mark stable.
Does it include patches for the XPDF issues from bug 196735? At a first glance, it does not look like it. All other issues seem to be resolved.
Added ptex-3.1.10_p20071203 and xpdf patch.
Arches, please test and mark stable app-text/ptex-3.1.10_p20071203. Target "alpha amd64 arm hppa ia64 ppc ppc-macos ppc64 sh sparc x86"
x86 stable
ppc64 stable
fyi: cstetex is gone
amd64 is gone.
Stable for HPPA.
alpha/ia64/sparc stable
ppc stable
cstetex is gone, ptex no longer keyworded ppc-macos. Sorry for the long wait.
This bug does not affect the 2008.0 snapshot, removing release@ from CC.
glsa request filed for ptex
GLSA 200805-13 for Ptex, sorry for the delay.