Bug 198229 - app-text/texlive-core Multiple issues in dviljk
Summary: app-text/texlive-core Multiple issues in dviljk
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-06 02:13 UTC by Robert Buchholz (RETIRED)
Modified: 2007-11-13 01:18 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
dviljk-security-fixes (dviljk-security-fixes,67.29 KB, patch)
2007-11-06 02:15 UTC, Robert Buchholz (RETIRED)
texlive-core-2007-dviljk-security-fixes.patch (texlive-core-2007-dviljk-security-fixes.patch,33.29 KB, patch)
2007-11-07 13:57 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 02:13:50 UTC
dviljk as shipped in app-text/texlive-core-2007-r4 is vulnerable to multiple buffer overflows and insecure temporary file creation. See attached patch for details.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 02:15:09 UTC
Created attachment 135304
dviljk-security-fixes

Extracted from Debian's texlive package.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 02:15:40 UTC
Alexis, please advise.
Comment 3 Alexis Ballier gentoo-dev 2007-11-06 09:32:46 UTC
wow this patch is ugly, lots of cosmetic changes. I'll have to clean it a bit first.

Besides that, I'll have to check it very carefully; some things concern me:
+        if ( include_file ) {

include_file is a pointer, initialized to NULL so imho tests to zero should be replaced by test to be different of NULL (and sometimes it's tested against NULL, some others against zero)

otherwise, as a first read, patch seems sane.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 09:50:42 UTC
(In reply to comment #3)
> wow this patch is ugly, lots of cosmetic changes. I'll have to clean it a bit
> first.

Sorry, it's the way upstream committed it.


> Besides that, I'll have to check it very carefully; some things concern me:
> +        if ( include_file ) {
> 
> include_file is a pointer, initialized to NULL so imho tests to zero should be
> replaced by test to be different of NULL (and sometimes it's tested against
> NULL, some others against zero)

Isn't 0 == NULL ?

Comment 5 Alexis Ballier gentoo-dev 2007-11-06 09:52:58 UTC
(In reply to comment #4)
> > Besides that, I'll have to check it very carefully; some things concern me:
> > +        if ( include_file ) {
> > 
> > include_file is a pointer, initialized to NULL so imho tests to zero should be
> > replaced by test to be different of NULL (and sometimes it's tested against
> > NULL, some others against zero)
> 
> Isn't 0 == NULL ?


usually yes, but iirc the standards don't specify it. I'll check that.
Comment 6 Alexis Ballier gentoo-dev 2007-11-06 23:28:37 UTC
after checking, if(mypointer) is perfectly valid for checking against null. that's mypointer=0 that is not.


fixed in -r5, I removed most of the cosmetic changes.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 13:57:23 UTC
Created attachment 135423
texlive-core-2007-dviljk-security-fixes.patch

Just for reference, the cleaned up patch Alexis applied.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-11-13 01:18:22 UTC
*texlive-core-2007-r5 (06 Nov 2007)

  06 Nov 2007; Alexis Ballier <aballier@gentoo.org>
  -texlive-core-2007-r3.ebuild, -texlive-core-2007-r4.ebuild,
  +texlive-core-2007-r5.ebuild:
  fixes for buffer overflow in dviljk, bug #198229