Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

2006-03-03 Thread Hilmar Preusse
severity 346086 important
tags 346086 + woody
# as discussed the bug is fixed in sid and sarge. In woody a hunk is
# missing, which could lead to a hang of xpdf. We consider this not to
# be critical. Lowering severity. Bug will be closed once the support
# for woody has ended.
stop

On 31.01.06 Frank Küster ([EMAIL PROTECTED]) wrote:
> Hilmar Preusse [EMAIL PROTECTED] wrote:

Hi,

> > So, the last hunk seems not to exist in cupsys_1.1.14-5woody14.
> > Should we submit a bug against it?
>
> Yes, definitely
>
Done. #355122

> > Further I suggest to close the bug now or at least downgrade it
> > to important and close it as soon as the support for woody has
> > ended.
>
> I'd keep it open as important as long as woody is supported.
>
OK, downgrading.

H.
-- 
sigmentation fault



Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

2006-01-31 Thread Hilmar Preusse
On 27.01.06 Martin Pitt ([EMAIL PROTECTED]) wrote:
> Hilmar Preusse [2006-01-27  9:56 +0100]:

Hi,

> > So, what is that now?
> >
> > - a security leak, which must be fixed
> > - rather an inconvenience, which should be fixed?
>
> For CUPS it was a real DoS which must be fixed, but for tetex-bin
> it's just an inconvenience; there will be few systems which
> automatically process untrusted LaTeX documents with PDF files sent
> by remote attackers.
>
So, the last hunk seems not to exist in cupsys_1.1.14-5woody14.
Should we submit a bug against it?
Further I suggest to close the bug now or at least downgrade it to
important and close it as soon as the support for woody has ended.

Regards,
  Hilmar
-- 
sigmentation fault




Bug#346086: [SPAM?]: Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

2006-01-31 Thread Frank Küster
Hilmar Preusse [EMAIL PROTECTED] wrote:

> So, the last hunk seems not to exist in cupsys_1.1.14-5woody14.
> Should we submit a bug against it?

Yes, definitely

> Further I suggest to close the bug now or at least downgrade it to
> important and close it as soon as the support for woody has ended.

I'd keep it open as important as long as woody is supported.

Regards, Frank
-- 
Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX)




Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

2006-01-27 Thread Hilmar Preusse
notfound 346086 2.0.2-30sarge4
found 346086 1.0.7+20011202-7.7
stop

On 26.01.06 Martin Pitt ([EMAIL PROTECTED]) wrote:
> Hilmar Preusse [2006-01-23 18:30 +0100]:

Hi all,

> > On the DSA page Joey states that the problem is solved for
> > oldstable too. The .orig.tar.gz contains a patched Stream.cc,
> > which got the same modifications as your patch contains, except
> > the last hunk. I'm attaching it. Could you evaluate whether the
> > hunk is necessary?
> > If not I guess we're done here and can close #346086.
>
> This is precisely the fix that is required to avoid endless loops
> with prematurely ending PDF files (CVE-2005-3625). So it is not
> exploitable to execute any code or something, but it's still a
> nasty DoS, particularly in Cups. So I would prefer to apply it,
> especially since it's such an easy and straightforward change.
>
So, what is that now?

- a security leak, which must be fixed
- rather an inconvenience, which should be fixed?

Does that bug still deserve the severity critical? If not I propose
to lower the severity to important, keep that bug open until the
support for oldstable has ended and close the bug then. For now I
mark that bug as not found in 2.0.2-30sarge4 and found in
1.0.7+20011202-7.7.

Regards,
  Hilmar
-- 
sigmentation fault




Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

2006-01-27 Thread Martin Pitt
Hi Hilmar!

Hilmar Preusse [2006-01-27  9:56 +0100]:
> > This is precisely the fix that is required to avoid endless loops
> > with prematurely ending PDF files (CVE-2005-3625). So it is not
> > exploitable to execute any code or something, but it's still a
> > nasty DoS, particularly in Cups. So I would prefer to apply it,
> > especially since it's such an easy and straightforward change.
> >
> So, what is that now?
>
> - a security leak, which must be fixed
> - rather an inconvenience, which should be fixed?

For CUPS it was a real DoS which must be fixed, but for tetex-bin it's
just an inconvenience; there will be few systems which automatically
process untrusted LaTeX documents with PDF files sent by remote
attackers.

> Does that bug still deserve the severity critical? If not I propose
> to lower the severity to important, keep that bug open until the
> support for oldstable has ended and close the bug then. For now I
> mark that bug as not found in 2.0.2-30sarge4 and found in
> 1.0.7+20011202-7.7.

Works for me.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?




Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

2006-01-26 Thread Martin Pitt
Hi!

Hilmar Preusse [2006-01-23 18:30 +0100]:
> On the DSA page Joey states that the problem is solved for oldstable
> too. The .orig.tar.gz contains a patched Stream.cc, which got the
> same modifications as your patch contains, except the last hunk. I'm
> attaching it. Could you evaluate whether the hunk is necessary?
> If not I guess we're done here and can close #346086.

 @@ -3100,9 +3107,11 @@ int DCTStream::readMarker() {
do {
  do {
c = str-getChar();
 +  if(c == EOF) return EOF;
  } while (c != 0xff);
  do {
c = str-getChar();
 +  if(c == EOF) return EOF;
  } while (c == 0xff);
} while (c == 0x00);
return c;
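Review bot: the new early returns change readMarker()'s contract: it used to yield only byte values 0x00..0xff and can now yield EOF (a negative int), so every caller that compares the result against expected marker codes (the callers are not visible in this hunk) must treat a negative result as a truncated stream rather than as an unexpected marker; please check the callers in Stream.cc alongside this hunk. Minor style point: `if(c == EOF)` drops the space after the keyword that the surrounding `} while (...)` lines use; `if (c == EOF) return EOF;` would match.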

This is precisely the fix that is required to avoid endless loops with
prematurely ending PDF files (CVE-2005-3625). So it is not exploitable to
execute any code or something, but it's still a nasty DoS,
particularly in Cups. So I would prefer to apply it, especially since
it's such an easy and straightforward change.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
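As an added example (not code from the bug report or from xpdf), here is the pre-fix readMarker() loop beside the patched one, run over constructed byte sequences: a DCT stream truncated before any 0xff marker hangs the old loop but returns EOF from the new one. ByteStream, stream_getchar and the read budget are stand-ins invented here for xpdf's Stream::getChar().

```c
#include <stdio.h>

/* Stand-in for xpdf's Stream (constructed for this example): a byte
 * buffer with a cursor; getChar() yields 0..255, then EOF when exhausted. */
typedef struct { const unsigned char *data; size_t len, pos; } ByteStream;
static int stream_getchar(ByteStream *s) {
    return s->pos < s->len ? s->data[s->pos++] : EOF;
}
/* Pre-fix readMarker(): past the end of a truncated stream the first loop
 * sees EOF (-1 != 0xff) forever. 'budget' is a demo-only guard: -2 = "hung". */
int read_marker_vulnerable(ByteStream *s, unsigned long budget) {
    int c;
    do {
        do {
            if (budget-- == 0) return -2;
            c = stream_getchar(s);
        } while (c != 0xff);
        do {
            if (budget-- == 0) return -2;
            c = stream_getchar(s);
        } while (c == 0xff);
    } while (c == 0x00);
    return c;
}
/* Fixed readMarker(): the two EOF checks from the patch hunk. */
int read_marker_fixed(ByteStream *s) {
    int c;
    do {
        do {
            c = stream_getchar(s);
            if (c == EOF) return EOF;
        } while (c != 0xff);
        do {
            c = stream_getchar(s);
            if (c == EOF) return EOF;
        } while (c == 0xff);
    } while (c == 0x00);
    return c;
}
/* Constructed inputs: a padded marker (0xff fill, then SOF0 0xc0), a DCT
 * stream cut off before any marker, and one cut off right after a 0xff. */
static const unsigned char COMPLETE[]       = { 0x12, 0xff, 0xff, 0xc0 };
static const unsigned char TRUNCATED[]      = { 0x12, 0x34, 0x56 };
static const unsigned char TRUNC_AFTER_FF[] = { 0x12, 0xff };
/* Runs one reader over a buffer; use_fix selects the patched version. */
int read_marker_from(const unsigned char *buf, size_t n, int use_fix) {
    ByteStream s = { buf, n, 0 };
    return use_fix ? read_marker_fixed(&s) : read_marker_vulnerable(&s, 100000);
}
```

The -2 from the vulnerable reader marks where the unguarded original would have spun forever on the truncated input; on the stream cut right after a 0xff both versions already return EOF, because only the `while (c != 0xff)` loop fails to exit on a negative value.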




Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

2006-01-23 Thread Hilmar Preusse
On 05.01.06 Martin Pitt ([EMAIL PROTECTED]) wrote:

Hi Martin,

> Chris Evans found some more integer overflows in the xpdf code [1]
> which affect tetex-bin as well. [1] also has demo exploit PDFs for
> patch checking.
>
> See [2] for the Ubuntu debdiff.
>
> This only affects sarge (and woody); luckily sid is finally cured
> forever due to poppler, so please mark this bug as fixed in sid.
>
> Thanks,
>
> Martin
>
> [1] http://scary.beasts.org/security/b0dfca810501f2da/CESA-2005-003.txt
> [2] http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3624_5_7.diff
>
The problem is solved for 3.0 as we use libpoppler.

http://www.debian.org/security/2006/dsa-937 refers to CVE-2005-3624,
CVE-2005-3625, CVE-2005-3627. Debian stable (2.0.2-sarge4) contains a
patch named patch-CVE-2005-3624_5_7. That one is identical
to your patch posted on Ubuntu. Hence I guess that bug is solved for
stable.
On the DSA page Joey states that the problem is solved for oldstable
too. The .orig.tar.gz contains a patched Stream.cc, which got the
same modifications as your patch contains, except the last hunk. I'm
attaching it. Could you evaluate whether the hunk is necessary?
If not I guess we're done here and can close #346086.

Thanks,
  Hilmar
-- 
sigmentation fault
@@ -3100,9 +3107,11 @@ int DCTStream::readMarker() {
   do {
 do {
   c = str-getChar();
+  if(c == EOF) return EOF;
 } while (c != 0xff);
 do {
   c = str-getChar();
+  if(c == EOF) return EOF;
 } while (c == 0xff);
   } while (c == 0x00);
   return c;
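Review bot: the first `if(c == EOF) return EOF;` is the one that stops the hang: with c == EOF (negative) the loop `} while (c != 0xff);` never exits, whereas `} while (c == 0xff);` and the outer `} while (c == 0x00);` already fall through on a negative value, so the second check is redundant for termination but worth keeping so that EOF is returned explicitly rather than leaking out through the normal `return c;` path. For the woody backport, the `+3107` new-file offset in the header counts lines inserted by the earlier hunks of the full patch; patch(1) locates a stand-alone hunk by the old offset 3100 and the do/while context lines, so verify that those context lines still match woody's older Stream.cc before relying on fuzz.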


Bug#346086: tetex-bin: New integer overflows in xpdf copy [CVE-2005-3624, CVE-2005-3625, CVE-2005-3627]

2006-01-05 Thread Martin Pitt
Package: tetex-bin
Version: 2.0.2-30
Severity: critical
Tags: security patch

Hi!

Chris Evans found some more integer overflows in the xpdf code [1] which affect
tetex-bin as well. [1] also has demo exploit PDFs for patch checking.

See [2] for the Ubuntu debdiff. 

This only affects sarge (and woody); luckily sid is finally cured
forever due to poppler, so please mark this bug as fixed in sid.

Thanks,

Martin

[1] http://scary.beasts.org/security/b0dfca810501f2da/CESA-2005-003.txt
[2] http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3624_5_7.diff

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

