Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 282874 - <app-text/ptex-3.1.10_p20090610: bibtex invalid reads/writes when parsing big *.bib file (CVE-2009-1284)
Summary: <app-text/ptex-3.1.10_p20090610: bibtex invalid reads/writes when parsing big...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [noglsa]
Keywords:
Depends on: 289339
Blocks:
  Show dependency tree
 
Reported: 2009-08-27 08:16 UTC by Alex Legler (RETIRED)
Modified: 2014-05-31 21:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-27 08:16:31 UTC
+++ This bug was initially created as a clone of Bug #264598 +++

On Wednesday 01 April 2009, Jan Lieskovsky wrote:
> 1, bibtex invalid reads/writes when parsing big *.bib file
>           (valgrind reports suspicious behavior)
>    References:
>    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520920 
> (texlive-base-bin) https://bugzilla.redhat.com/show_bug.cgi?id=492136
> (tetex, texlive)
>
>    The problem is in bibtex, but looks like it is shipped
>    in various packages for various vendors.

We ship bibtex in teTeX, TeX Live and pTeX. Since pTeX is based on teTeX 2, I do not know whether it is affected.

Splitting this off of the original bug for investigation.
Comment 1 Ulrich Müller gentoo-dev 2009-08-27 09:01:22 UTC
> We ship bibtex in teTeX, TeX Live and pTeX. Since pTeX is based on teTeX 2,
> I do not know whether it is affected.

It takes bibtex.ch from teTeX 3.0_p1, so most likely it is. And the patch from upstream applies cleanly.

Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-27 09:06:28 UTC
Then bump, please. ;)
Comment 3 Ulrich Müller gentoo-dev 2009-08-27 10:25:34 UTC
(In reply to comment #2)
> Then bump, please. ;)

Problem is that it doesn't build:

checking whether gcc -O accepts -g... (cached) yes
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking whether ln -s works... (cached) yes
checking whether make sets ${MAKE}... (cached) yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for loader (symbol LD)... (cached) ld
checking for archiver (symbol AR)... (cached) ar
checking for archiver options (symbol ARFLAGS)... (cached) rc
checking where the main texmf tree is located... /usr/share/texmf
creating ./config.status
creating Makefile
[--tetex--] make
gmake: invalid option -- 'O'
Usage: gmake [options] [target] ...
Options:
  -b, -m                      Ignored for compatibility.
  -B, --always-make           Unconditionally make all targets.
  -C DIRECTORY, --directory=DIRECTORY
                              Change to DIRECTORY before doing anything.
  -d                          Print lots of debugging information.
  --debug[=FLAGS]             Print various types of debugging information.
  -e, --environment-overrides
                              Environment variables override makefiles.
  -f FILE, --file=FILE, --makefile=FILE
                              Read FILE as a makefile.
  -h, --help                  Print this message and exit.
  -i, --ignore-errors         Ignore errors from commands.
  -I DIRECTORY, --include-dir=DIRECTORY
                              Search DIRECTORY for included makefiles.
  -j [N], --jobs[=N]          Allow N jobs at once; infinite jobs with no arg.
  -k, --keep-going            Keep going when some targets can't be made.
  -l [N], --load-average[=N], --max-load[=N]
                              Don't start multiple jobs unless load is below N.
  -L, --check-symlink-times   Use the latest mtime between symlinks and target.
  -n, --just-print, --dry-run, --recon
                              Don't actually run any commands; just print them.
  -o FILE, --old-file=FILE, --assume-old=FILE
                              Consider FILE to be very old and don't remake it.
  -p, --print-data-base       Print make's internal database.
  -q, --question              Run no commands; exit status says if up to date.
  -r, --no-builtin-rules      Disable the built-in implicit rules.
  -R, --no-builtin-variables  Disable the built-in variable settings.
  -s, --silent, --quiet       Don't echo commands.
  -S, --no-keep-going, --stop
                              Turns off -k.
  -t, --touch                 Touch targets instead of remaking them.
  -v, --version               Print the version number of make and exit.
  -w, --print-directory       Print the current directory.
  --no-print-directory        Turn off -w, even if it was turned on implicitly.
  -W FILE, --what-if=FILE, --new-file=FILE, --assume-new=FILE
                              Consider FILE to be infinitely new.
  --warn-undefined-variables  Warn when an undefined variable is referenced.
This program built for x86_64-pc-linux-gnu
Report bugs to <bug-make@gnu.org>
make: *** [stage4] Error 2
 * 
 * ERROR: app-text/ptex-3.1.10_p20080414 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_compile
 *             environment, line 3163:  Called die
 * The specific snippet of code:
 *       emake -j1 c || die "emake c failed";
 *  The die message:
 *   emake c failed


And after working around above problem it then aborts with a libtool failure (it takes the wrong libtool probably):

'libtool' --mode=compile gcc -DHAVE_CONFIG_H  -I. -I. -I.. -I./..  -I/usr/include/freetype2  -march=core2 -O2 -pipe  -DMAKE_KPSE_DLL -c tex-file.c
libtool: compile: unable to infer tagged configuration
libtool: compile: specify a tag with `--tag'
gmake[3]: *** [tex-file.lo] Error 1
gmake[3]: Leaving directory `/var/tmp/portage/app-text/ptex-3.1.10_p20080414/work/tetex-src-3.0/texk/kpathsea'
gmake[2]: *** [do-kpathsea] Error 2
gmake[2]: Leaving directory `/var/tmp/portage/app-text/ptex-3.1.10_p20080414/work/tetex-src-3.0/texk'
gmake[1]: *** [all] Error 1
gmake[1]: Leaving directory `/var/tmp/portage/app-text/ptex-3.1.10_p20080414/work/tetex-src-3.0'
make: *** [stage4] Error 2
Comment 4 Ulrich Müller gentoo-dev 2009-08-28 15:27:51 UTC
On the long term the way to go is to switch from ptex (i.e. ptetex3) to ptexlive: <http://tutimura.ath.cx/ptexlive/>

So IMHO any effort invested in the old ptex ebuilds is wasted.
Comment 5 MATSUU Takuto (RETIRED) gentoo-dev 2009-09-02 00:06:46 UTC
sorry for delay.
I'll migrate from ptetex to ptexlive by this weekend.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-09-28 03:15:22 UTC
ping
Comment 7 MATSUU Takuto (RETIRED) gentoo-dev 2009-09-30 14:25:57 UTC
fixed in cvs. ptex-3.1.10_p20090610
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2010-07-03 23:53:54 UTC
all arch's got this stabilized from another bug already, changed whiteboard to [glsa], hope I got it right
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-04 11:58:36 UTC
We change bugs to [glsa] only after the glsa request is filed in glsamaker, otherwise we can't keep track which bugs are already in glsamaker and which aren't.

GLSA request filed.
Comment 10 Alexis Ballier gentoo-dev 2011-10-06 20:16:07 UTC
ptex is gone -> wontfix i guess
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-10-09 23:32:30 UTC
(In reply to comment #10)
> ptex is gone -> wontfix i guess

We need to publish a GLSA before the bug can be closed.
Comment 12 Johannes Huber (RETIRED) gentoo-dev 2012-05-17 13:39:37 UTC
Thank you all. Remove tex from CC as its nothing to do here anymore.
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 21:57:52 UTC
This issue has been fixed since Dec 13, 2009. No GLSA will be released.