On Wednesday 01 April 2009, Jan Lieskovsky wrote: > 1, bibtex invalid reads/writes when parsing big *.bib file > (valgrind reports suspicious behavior) > References: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520920 > (texlive-base-bin) https://bugzilla.redhat.com/show_bug.cgi?id=492136 > (tetex, texlive) > > The problem is in bibtex, but looks like it is shipped > in various packages for various vendors. We ship bibtex in teTeX, TeX Live and pTeX. Since pTeX is based on teTeX 2, I do not know whether it is affected. The other two products seem to be. Do we want to provide an upgrade path to teTeX, or will this be the moment for masking it?
> Do we want to provide an upgrade path to teTeX, No. See bug 227443 for its current status.
Ok, adding that bug as a blocker then.
(In reply to comment #0) > We ship bibtex in teTeX, TeX Live and pTeX. Since pTeX is based on teTeX 2, I > do not know whether it is affected. The other two products seem to be. Confirming that bibtex 0.99c as shipped in app-text/texlive-core-2008-r4 is vulnerable.
CVE-2009-1284 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1284): Buffer overflow in BibTeX 0.99 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a long .bib bibliography file.
treecleaner this from the tree. Do what you would like now.
Karl posted a patch on the texlive ml fixing this issue; it is now applied in texlive-core-2008-r7, sorry for the delay.
Split ptex off to bug 282874 to make things a little less complicated here. Alexis can -r7 go stable?
(In reply to comment #7) > Alexis can -r7 go stable? Yes
Arches, please test and mark stable: =app-text/texlive-core-2008-r7 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable
amd64 stable
alpha/arm/ia64/s390/sh/sparc stabl
Stable for HPPA.
ppc64 done
ppc stable
GLSA request filed.
Thank you all. <app-text/texlive-core-2008-r7 is gone from tree long time ago. Removing tex herd from cc.
This issue was resolved and addressed in GLSA 201206-28 at http://security.gentoo.org/glsa/glsa-201206-28.xml by GLSA coordinator Stefan Behte (craig).