Bug#580669: texlive-bin: Fix arbitrary code execution via memory corruption

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#580669: texlive-bin: Fix arbitrary code execution via memory corruption
From: أحمد المحمودي <aelmahmoudy@sabily.org>
Date: Fri, 07 May 2010 16:02:58 +0000
Message-id: <[🔎] 20100507160258.27942.78919.reportbug@alioth.debian.org>
Reply-to: أحمد المحمودي <aelmahmoudy@sabily.org>, 580669@bugs.debian.org

Package: texlive-bin
Version: 2009-5
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch



*** /tmp/tmpCGJT89
In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: arbitrary code execution via memory corruption
    (LP: #537103)
    - debian/patches/security-CVE-2010-0827.patch: make sure name isn't
      too long in texk/dvipsk/virtualfont.c.
    - CVE-2010-0827

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: 5.0.4
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-6-xen-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -u texlive-bin-2009/debian/changelog texlive-bin-2009/debian/changelog
only in patch2:
unchanged:
--- texlive-bin-2009.orig/debian/patches/security-CVE-2010-0827.patch
+++ texlive-bin-2009/debian/patches/security-CVE-2010-0827.patch
@@ -0,0 +1,27 @@
+Description: fix arbitrary code execution via memory corruption
+Author: Karl Berry <karl@freefriends.org>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/537103
+
+diff -Nur texlive-bin-2009/texk/dvipsk/virtualfont.c texlive-bin-2009.new/texk/dvipsk/virtualfont.c
+--- texlive-bin-2009/texk/dvipsk/virtualfont.c	2009-06-23 05:46:14.000000000 -0400
++++ texlive-bin-2009.new/texk/dvipsk/virtualfont.c	2010-04-22 08:57:50.000000000 -0400
+@@ -36,7 +36,7 @@
+  *   Subroutine vfbyte returns the next byte.
+  */
+ static FILE *vffile ;
+-static char name[50] ;
++static char name[500] ;
+ void
+ badvf(char *s)
+ {
+@@ -93,6 +93,10 @@
+    if (*d==0)
+       d = vfpath ;
+ #endif
++   if (strlen(n) + 5 >= sizeof (name)) {
++     /* 5 for vf() + null */
++     error("! VF file name too long in vfopen") ;
++   }
+ #ifdef MVSXA   /* IBM: MVS/XA */
+    (void)sprintf(name, "vf(%s)", n) ;
+ #else

Reply to:

Follow-Ups:
- Bug#580669: marked as done (texlive-bin: Fix arbitrary code execution via memory corruption)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#580668: texlive-bin: Fix arbitrary code execution via integer overflow
Next by Date: Processed: merging 580668 580669
Previous by thread: Bug#580668: marked as done (texlive-bin: Fix arbitrary code execution via integer overflow)
Next by thread: Bug#580669: marked as done (texlive-bin: Fix arbitrary code execution via memory corruption)
Index(es):
- Date
- Thread