Hi,
On Mon, Apr 11, 2005 at 03:17:36PM -0400, Joey Hess wrote:
>
> Let's make a bug in the bts for CAN-2005-0206. It's defined as:
>
> The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0
> (CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux
> distributions such as Red Hat, which could leave Xpdf users exposed to the
> original vulnerabilities.
>
> ----- Forwarded message from Moritz Muehlenhoff <[EMAIL PROTECTED]> -----
>
> I just reviewed all the xpdf incorporating packages wrt the 64 unclean
> fixes. All packages besides gpdf are fixed properly, could you NMU with
> the attached patch? (maintainer still hasn't acked the previous)
<...>
> --- gpdf-2.8.2.orig/xpdf/Catalog.cc 2004-11-05 19:43:19.000000000 +0100
> +++ gpdf-2.8.2/xpdf/Catalog.cc 2005-04-09 23:30:20.000000000 +0200
> @@ -64,10 +64,8 @@
> }
> pagesSize = numPages0 = (int)obj.getNum();
> obj.free();
> - // The gcc doesnt optimize this away, so this check is ok,
> - // even if it looks like a pagesSize != pagesSize check
> - if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
> - pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
> + if (pagesSize >= INT_MAX/sizeof(Page *) ||
> + pagesSize >= INT_MAX/sizeof(Ref)) {
> error(-1, "Invalid 'pagesSize'");
> ok = gFalse;
> return;
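
Review bot: the new condition `pagesSize >= INT_MAX/sizeof(Page *)` (and the matching `sizeof(Ref)` line) mixes a signed and an unsigned operand, so a negative page count is rejected only as a side effect of implicit conversion. Assuming `pagesSize` is an `int`, as the `(int)obj.getNum()` cast suggests, the right-hand side has type `size_t` and `pagesSize` is converted to unsigned before the comparison; a negative value then becomes very large and fails the test. I would make that intent explicit with a leading `pagesSize < 0 ||` term, which also keeps sign-compare warnings quiet and does not depend on the conversion rules. The hunk uses `INT_MAX` without showing an include for it, so please confirm that `Catalog.cc` pulls in `<limits.h>`. A one-line comment saying that the bound is there because later size computations are done in `int` would help the next reader, now that the old comment is removed.
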
I could be mistaken, but ISTR having applied a patch (supplied by security
team, they told me how to do it) which is along the lines of the above one
when the issue was initially discovered. I do remember most certainly
stripping out the comment about optimizing out, and security people told
me that optimization could occur.
I can't easily check the security team original mail ATM, and I'd have to
dig around for the version where I fixed it, but if this isn't in the last
version anymore then I would almost bet a leg on it that it went out with
an NMU.
Regards,
Filip
--
"Computers are not intelligent. They only think they are."
-- Martin Schulze