+++ This bug was initially created as a clone of Bug #198229 +++
dviljk as shipped in app-text/tetex-3.0_p1-r4 is vulnerable to multiple buffer overflows and insecure temporary file creation. See attached patch for details.
Created attachment 135310: tetex-src-3.0-dviljk-security-fixes.patch
Please note that the attached patch contains changes to configure.in, but does not include a regenerated configure file; (e)autoreconf is necessary before building.
tex, please advise.
Created attachment 135312: tetex-src-3.0-dvips_bufferoverflow.patch
For details, see: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447081
^^ As mentioned above, another set of buffer overflows exists in dvips.
fixed in tetex-3.0_p1-r5
This also contains the fix for Xpdf, bug 196735. Thanks for handling it so fast, Alexis. Arches, please test and mark stable app-text/tetex-3.0_p1-r5. Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
x86 stable
Sparc stable.
alpha/ia64 stable
ppc64 stable
amd64 stable
Alexis, I just discovered that tetex does not link against the system t1lib, but its own version which is (probably) vulnerable to bug 193437. I'll stop stabling here and we'll restart it with a new -r that passes --with-system-t1lib to configure, ok?
hmmm...
    configure.in:test "$with_dvipng" != no && : ${needs_libt1=yes}
    configure.in:test "$with_xdvik" != no && : ${needs_libt1=yes}
    configure.in:test "$with_oxdvik" != no && : ${needs_libt1=yes}
so in our case it only affects us with use=X; in tetex.eclass:
    if useq X ; then
        addwrite /var/cache/fonts
        xdvik="--with-xdvik --with-oxdvik"
        #xdvik="$xdvik --with-system-t1lib"
    else
I'll have to check why it's commented out...
been added there, never touched again: http://sources.gentoo.org/viewcvs.py/gentoo-x86/eclass/tetex.eclass?r1=1.24&r2=1.25
what do you think, should we just uncomment it here, add the t1lib dep, and rev bump tetex? or the other way, add it in the ebuild?
note that t1lib + use doc needs a latex compiler so this will cause circular deps... monolithic ebuilds suck :/
(In reply to comment #15)
> note that t1lib + use doc needs a latex compiler so this will cause circular
> deps... monolithic ebuilds suck :/
That indeed is a problem. So I would advise to patch the bundled t1lib, or is there any strategy to avoid this? The patch in /media-libs/t1lib/files/t1lib-5.0.2-SA26241_buffer_overflow.patch should work, if I remember the versions right.
(In reply to comment #16)
> (In reply to comment #15)
> > note that t1lib + use doc needs a latex compiler so this will cause circular
> > deps... monolithic ebuilds suck :/
>
> That indeed is a problem. So I would advise to patch the bundled t1lib, or is
> there any strategy to avoid this?
it should be possible to just not build xdvik in tetex, but as our tetex has been doing this for years, I suppose it's better to keep it like this, patching for security holes.
> The patch in /media-libs/t1lib/files/t1lib-5.0.2-SA26241_buffer_overflow.patch
> should work, if I remember the versions right.
applied in tetex-3.0_p1-r6
Arches, please test and mark stable app-text/tetex-3.0_p1-r6. Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Stable for HPPA again.
Stable on sparc.
*** Bug 199421 has been marked as a duplicate of this bug. ***
ppc stable
compiles and works, amd64 stable.
Moving to [glsa] then.
GLSA 200711-26
Does not affect current (2008.0) release. Removing release.