Bug 198238 - app-text/tetex < 3.0_p1-r6 Multiple issues in dviljk and dvips (CVE-2007-{5935,5936,5937})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 199421
Depends on:
Blocks: 196735
Reported: 2007-11-06 03:15 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-03 22:49 UTC (History)
CC List: 2 users

Attachments
tetex-src-3.0-dviljk-security-fixes.patch (64.58 KB, patch), 2007-11-06 03:17 UTC, Robert Buchholz (RETIRED)
tetex-src-3.0-dvips_bufferoverflow.patch (2.98 KB, patch), 2007-11-06 03:29 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 03:15:46 UTC
+++ This bug was initially created as a clone of Bug #198229 +++

dviljk as shipped in app-text/tetex-3.0_p1-r4 is vulnerable to multiple buffer overflows and insecure temporary file creation. See attached patch for details.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 03:17:52 UTC
Created attachment 135310
tetex-src-3.0-dviljk-security-fixes.patch

Please note that the attached patch contains changes to configure.in but does not include a regenerated configure file; (e)autoreconf is necessary before building.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 03:18:38 UTC
tex, please advise.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 03:29:40 UTC
Created attachment 135312
tetex-src-3.0-dvips_bufferoverflow.patch

For details, see: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447081
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-06 03:30:45 UTC
^^ As mentioned above, another set of buffer overflows exists in dvips.
Comment 5 Alexis Ballier gentoo-dev 2007-11-07 23:04:50 UTC
fixed in tetex-3.0_p1-r5
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 23:30:05 UTC
This also contains the fix for Xpdf, bug 196735. Thanks for handling it so fast, Alexis.

Arches, please test and mark stable app-text/tetex-3.0_p1-r5.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Comment 7 Jeroen Roovers gentoo-dev 2007-11-08 08:21:41 UTC
Stable for HPPA.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-08 09:14:34 UTC
x86 stable
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2007-11-08 13:33:00 UTC
Sparc stable.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-11-08 18:07:37 UTC
alpha/ia64 stable
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2007-11-08 18:13:52 UTC
ppc64 stable
Comment 12 Samuli Suominen gentoo-dev 2007-11-13 17:24:45 UTC
amd64 stable
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 00:17:32 UTC
Alexis, I just discovered that tetex does not link against the system t1lib, but its own version which is (probably) vulnerable to bug 193437.

I'll stop stabling here and we'll restart it with a new -r that passes --with-system-t1lib to configure, ok?
Comment 14 Alexis Ballier gentoo-dev 2007-11-15 08:26:03 UTC
hmmm...

configure.in:test "$with_dvipng"  != no    && : ${needs_libt1=yes}
configure.in:test "$with_xdvik"   != no    && : ${needs_libt1=yes}
configure.in:test "$with_oxdvik"  != no    && : ${needs_libt1=yes}

so in our case it only affects us with use=X;
in tetex.eclass:
  if useq X ; then
        addwrite /var/cache/fonts
        xdvik="--with-xdvik --with-oxdvik"
        #xdvik="$xdvik --with-system-t1lib"
    else

I'll have to check why it's commented out...
Comment 15 Alexis Ballier gentoo-dev 2007-11-15 08:34:59 UTC
It was added there and never touched again:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/eclass/tetex.eclass?r1=1.24&r2=1.25

What do you think, should we just uncomment it here, add the t1lib dep, and rev bump tetex? Or the other way, add it in the ebuild?

Note that t1lib + use doc needs a latex compiler, so this will cause circular deps... monolithic ebuilds suck :/
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 11:36:10 UTC
(In reply to comment #15)
> note that t1lib + use doc needs a latex compiler so this will cause circular
> deps... monolithic ebuilds suck :/

That indeed is a problem. So I would advise patching the bundled t1lib, or is there any strategy to avoid this?

The patch in /media-libs/t1lib/files/t1lib-5.0.2-SA26241_buffer_overflow.patch should work, if I remember the versions right.
Comment 17 Alexis Ballier gentoo-dev 2007-11-15 18:03:57 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > note that t1lib + use doc needs a latex compiler so this will cause circular
> > deps... monolithic ebuilds suck :/
> 
> That indeed is a problem. So I would advise to patch the bundled t1lib, or is
> there any strategy to avoid this?

It should be possible to just not build xdvik in tetex, but as our tetex has been doing this for years, I suppose it's better to keep it like this, patching for security holes.

> The patch in /media-libs/t1lib/files/t1lib-5.0.2-SA26241_buffer_overflow.patch
> should work, if I remember the versions right.

Applied in tetex-3.0_p1-r6.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 19:05:47 UTC
Arches, please test and mark stable app-text/tetex-3.0_p1-r6.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Comment 19 Markus Meier gentoo-dev 2007-11-15 19:53:33 UTC
x86 stable
Comment 20 Jeroen Roovers gentoo-dev 2007-11-16 02:17:53 UTC
Stable for HPPA again.
Comment 21 Ferris McCormick (RETIRED) gentoo-dev 2007-11-16 13:51:25 UTC
Stable on sparc.
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2007-11-16 16:31:07 UTC
alpha/ia64 stable
Comment 23 Jakub Moc (RETIRED) gentoo-dev 2007-11-17 09:34:31 UTC
*** Bug 199421 has been marked as a duplicate of this bug. ***
Comment 24 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-18 09:25:04 UTC
ppc stable
Comment 25 Markus Rothe (RETIRED) gentoo-dev 2007-11-18 13:47:04 UTC
ppc64 stable
Comment 26 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 21:46:02 UTC
Compiles and works, amd64 stable.
Comment 27 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 21:46:23 UTC
Moving to [glsa] then.
Comment 28 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 23:00:51 UTC
GLSA 200711-26
Comment 29 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:47:02 UTC
Does not affect current (2008.0) release. Removing release.