[Secure-testing-team] Re: xpdf vulnerability?

Frank Küster frank at debian.org
Tue Mar 22 10:57:01 UTC 2005


Hamish Moffatt <hamish at debian.org> wrote:

> On Fri, Mar 18, 2005 at 09:38:14AM +0100, Hilmar Preusse wrote:
>> As the extension to CAN-2004-0888 (CAN-2005-0206) came in after the
>> latest tetex-bin upload we can't have the fix in sarge. I'll file a
>> bug against tetex-bin and I guess Frank will upload ASAP. I'll check
>> the woody version too.
>
> I'm a bit confused.
>
> We have the 2005-0206 fix in Xpdf 3.00-10 (last November).
>
> However it's marked as being a followup to 2004-0889, not -0888.
> The Xpdf changelog mentions 0889, but not 0888. I'm no longer sure which
> patch is which.

Me neither.  I find these CVE pages on mitre.org annoying, giving no
real information, only meta-information which is again just vendor stuff
without code.

> It looks like we are missing part of 2005-0064. I am about to upload
> that change (upstream patch 3.00pl3).
>
> I was tempted to revert all the security patches and apply upstream's
> versions, but I'm not sure that all the changes are there. Especially as
> I don't know how 0888 and 0889 differ.

Note also that the security team advised not to use the upstream patches
which rely on specific compiler properties, namely the non-optimizing of
constructs like 

    if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {

which are intended to be triggered if size is too large
(size*sizeof(XRefEntry) would then be more than what fits in an int,
truncated to an int (or does it start again with negative numbers?), and
not give size if divided again by sizeof(XRefEntry).  The security team
instead suggested to use

    if (size < 0 || size >= INT_MAX/sizeof(XRefEntry)) {

which I think is safe also on 64bit platforms.  Since I don't speak C++,
however, I am not sure about that.  I would be grateful if you could
check my analysis at

http://lists.debian.org/debian-tetex-maint/2005/03/msg00237.html

- nobody else has responded so far.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
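To make the difference between the two checks concrete, here is an added example (mine, not code from the thread or from xpdf): the upstream test modelled under the two's-complement wraparound it relied on, the folding a compiler is permitted to perform because signed overflow is undefined in C, and the bound the security team suggested. ENTRY_SIZE (12, a plausible 32-bit sizeof(XRefEntry)), the int32_t modelling and the function names are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size of xpdf's XRefEntry on a 32-bit build (constructed value for
   this example; the real struct is not shown in the thread). */
#define ENTRY_SIZE 12

/* The upstream expression, modelled as if signed int arithmetic wrapped
   modulo 2^32 (the compiler behaviour the patch relied on).  Returns 1 if
   the size would be accepted, 0 if rejected.  Note it accepts negatives. */
int upstream_check_wraparound(int32_t size)
{
    int64_t prod = (int64_t)size * ENTRY_SIZE;
    /* Reduce to a two's-complement 32-bit value without invoking UB. */
    uint64_t m = ((uint64_t)prod + 0x80000000ULL) & 0xFFFFFFFFULL;
    int32_t wrapped = (int32_t)((int64_t)m - 0x80000000LL);
    return wrapped / ENTRY_SIZE == size;
}

/* What a compiler may legally turn the upstream expression into: signed
   overflow is undefined, so (size*N)/N == size folds to "always true". */
int upstream_check_folded(int32_t size)
{
    (void)size;
    return 1;
}

/* The bound suggested by the Debian security team (xpdf spells the limit
   INT_MAX; with a 32-bit int that is INT32_MAX).  No multiplication of
   untrusted input happens, so nothing can overflow, and "size < 0" is
   tested first, so negative sizes are rejected before the comparison. */
int team_check(int32_t size)
{
    return !(size < 0 || size >= INT32_MAX / ENTRY_SIZE);
}

int main(void)
{
    const int32_t probes[] = { 1000, -1, INT32_MAX / ENTRY_SIZE,
                               INT32_MAX / ENTRY_SIZE + 1 };
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("size=%11d  wraparound=%d  folded=%d  team=%d\n", probes[i],
               upstream_check_wraparound(probes[i]),
               upstream_check_folded(probes[i]), team_check(probes[i]));
    return 0;
}
```

The folded column shows why a check that depends on overflow happening is not a check at all once the optimizer is allowed to assume it cannot happen; the team's bound gives the same verdict regardless of compiler flags.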