196673 – (CVE-2007-0650) app-text/{cstetex, ptex} Multiple issues (CVE-2007-{0650,2756,3387,3472,3473,3474,3475,3476,3477,3478})

Status: RESOLVED FIXED
Alias: CVE-2007-0650
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Blocks: 140507 196735
Reported: 2007年10月21日 22:39 UTC by Robert Buchholz (RETIRED)
Modified: 2008年05月12日 21:33 UTC (History)
Runtime testing required: ---


Attachments
tetex-2.0.2-makeindex-CVE-2007-0650.patch (2.70 KB, patch), 2007年10月21日 22:40 UTC, Robert Buchholz (RETIRED)
tetex-2.0.2-xpdf-CVE-2007-3387.patch (636 bytes, patch), 2007年10月21日 22:40 UTC, Robert Buchholz (RETIRED)
ptex-3.1.10_p20071030.ebuild (2.69 KB, text/plain), 2007年11月18日 06:22 UTC, MATSUU Takuto (RETIRED)
files/ptex-3.1.10_p20071030-gentoo.patch (3.41 KB, patch), 2007年11月18日 06:23 UTC, MATSUU Takuto (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007年10月21日 22:39:59 UTC
pTeX and CSTeX are vulnerable to three issues fixed for teTex in GLSA 200709-17:
1) Makeindex buffer overflows, bug 170861.
CVE-2007-0650:
 Buffer overflow in the open_sty function in mkind.c for makeindex 2.14
 in teTeX might allow user-assisted remote attackers to overwrite files
 and possibly execute arbitrary code via a long filename. NOTE: other
 overflows exist but might not be exploitable, such as a heap-based
 overflow in the check_idx function.
2) Vulnerable XPDF code, bug 188172.
CVE-2007-3387:
 Integer overflow in gpdf before 2.8.2 might allow remote attackers to
 execute arbitrary code via a crafted PDF file.
3) Several issues in GD code, bug 182055.
CVE-2007-3478:
 Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in
 the GD Graphics Library (libgd) before 2.0.35 allows user-assisted
 remote attackers to cause a denial of service (crash) via unspecified
 vectors, possibly involving truetype font (TTF) support.
CVE-2007-3477:
 The (a) imagearc and (b) imagefilledarc functions in GD Graphics
 Library (libgd) before 2.0.35 allow attackers to cause a denial of
 service (CPU consumption) via a large (1) start or (2) end angle
 degree value.
CVE-2007-3476:
 Array index error in gd_gif_in.c in the GD Graphics Library (libgd)
 before 2.0.35 allows user-assisted remote attackers to cause a denial
 of service (crash and heap corruption) via large color index values in
 crafted image data, which results in a segmentation fault.
CVE-2007-3475:
 The GD Graphics Library (libgd) before 2.0.35 allows user-assisted
 remote attackers to cause a denial of service (crash) via a GIF image
 that has no global color map.
CVE-2007-3474:
 Multiple unspecified vulnerabilities in the GIF reader in the GD
 Graphics Library (libgd) before 2.0.35 allow user-assisted remote
 attackers to have unspecified attack vectors and impact.
CVE-2007-3473:
 The gdImageCreateXbm function in the GD Graphics Library (libgd)
 before 2.0.35 allows user-assisted remote attackers to cause a denial
 of service (crash) via unspecified vectors involving a gdImageCreate
 failure.
CVE-2007-3472:
 Integer overflow in gdImageCreateTrueColor function in the GD Graphics
 Library (libgd) before 2.0.35 allows user-assisted remote attackers
 to have unspecified attack vectors and impact.
CVE-2007-2756:
 The gdPngReadData function in libgd 2.0.34 allows user-assisted
 attackers to cause a denial of service (CPU consumption) via a crafted
 PNG image with truncated data, which causes an infinite loop in the
 png_read_info function in libpng.
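As an added illustration (not part of this bug report and not libgd's code), the bug class behind CVE-2007-3477 above: an arc routine that steps once per degree does work proportional to an attacker-chosen angle, while normalizing both angles into [0, 360) before the loop caps the work at one full turn. The function names and the exact normalization are assumptions, not the upstream fix.

```c
#include <stdio.h>

/* Added example, not libgd code: models the CVE-2007-3477 bug class.
 * Pre-2.0.35 imagearc/imagefilledarc walked from the start to the end
 * angle one degree at a time, so a huge end angle meant a huge loop
 * (CPU-consumption denial of service). All names here are hypothetical. */

/* Work the unbounded loop would do: one step per degree from s to e.
 * Returned as a count rather than performed, so the cost is visible. */
long long arc_steps_unbounded(int s, int e)
{
    if (e < s)
        return 0;
    return (long long)e - s + 1;
}

/* Map any angle into [0, 360), negative inputs included. */
int normalize_angle(int a)
{
    int r = a % 360;
    return r < 0 ? r + 360 : r;
}

/* Hardened variant: normalize first, then walk at most one full turn.
 * Whatever the caller passes, the result never exceeds 361 steps. */
long long arc_steps_bounded(int s, int e)
{
    s = normalize_angle(s);
    e = normalize_angle(e);
    if (e < s)
        e += 360;          /* the arc passes through 0 degrees */
    return (long long)e - s + 1;
}

int main(void)
{
    int s = 0, e = 2000000000;   /* constructed hostile input */
    printf("unbounded: %lld steps\n", arc_steps_unbounded(s, e));
    printf("bounded:   %lld steps\n", arc_steps_bounded(s, e));
    return 0;
}
```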
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007年10月21日 22:40:37 UTC
Created attachment 134087 [details, diff]
tetex-2.0.2-makeindex-CVE-2007-0650.patch
Patch for (1)
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007年10月21日 22:40:52 UTC
Created attachment 134089 [details, diff]
tetex-2.0.2-xpdf-CVE-2007-3387.patch
Patch for (2)
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007年10月21日 22:42:29 UTC
For (3) you should probably upgrade the bundled GD lib to 2.0.35. teTeX 3 can link to the system GD lib, but teTeX 2 unfortunately cannot.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007年10月21日 22:43:52 UTC
Maintainers, please advise. Is upstream alive? If not, please patch as necessary.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007年10月29日 22:39:00 UTC
Ping, anyone?
Comment 6 MATSUU Takuto (RETIRED) gentoo-dev 2007年11月01日 17:21:56 UTC
Sorry for the delay.
I (cjk herd) tried to fix it, but tetex-2.0.2-xpdf-CVE-2007-3387.patch makes the compile fail:
Stream.cc: In constructor 'StreamPredictor::StreamPredictor(Stream*, int, int, int, int)':
Stream.cc:428: error: 'gfxColorMaxComps' was not declared in this scope
make[1]: *** [Stream.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/app-text/ptex-3.1.5-r3/work/tetex-src-2.0.2/libs/xpdf/xpdf'
make: *** [libs/xpdf/xpdf/libxpdf.a] Error 2
It is under investigation.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007年11月07日 23:47:40 UTC
Please note that bug 196735 and bug 198238 contain more issues that both ptex and cstetex are affected by.
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2007年11月08日 15:09:01 UTC
I asked about cstetex usage @ http://www.abclinuxu.cz/forum/show/199391 so let's see if there's a *real* reason to keep this package 'alive' or whether we should rather just dump it.
Comment 9 Jaromir Malenko 2007年11月10日 10:55:17 UTC
(In reply to comment #8)
> I asked about cstetex usage @ http://www.abclinuxu.cz/forum/show/199391 
A brief conclusion of the discussion: nobody insists upon cstetex. The experience with babel in tetex-3, texlive and xetex is good. Skilled users recommend migrating.
Since there are good alternatives, it's ok to remove cstetex from portage.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007年11月12日 23:55:41 UTC
# Alexis Ballier <aballier@gentoo.org> (11 Nov 2007)
# Lots of security issues: bug #196673
# The experience with babel in tetex-3, texlive 
# and xetex is good. Skilled users recommended to migrate.
# Masking for removal: Due 11 Dec 2007
app-text/cstetex
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2007年11月13日 01:21:00 UTC
CJK and Matsuu, we will be removing CSTeX from the tree.
Do you actually still need PTeX with teTeX's support for other languages and if so, what's the status of the issues piling up here?
Comment 12 MATSUU Takuto (RETIRED) gentoo-dev 2007年11月18日 06:22:54 UTC
Created attachment 136217 [details]
ptex-3.1.10_p20071030.ebuild
Sorry for the delay.
I have now created ptex-3.1.10_p20071030.ebuild. It fixes CVE-2007-{0650,3387} and uses --with-system-gd and --without-dviljk (#198238), but perhaps it doesn't fix some security bugs.
Comment 13 MATSUU Takuto (RETIRED) gentoo-dev 2007年11月18日 06:23:34 UTC
Created attachment 136218 [details, diff]
files/ptex-3.1.10_p20071030-gentoo.patch
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007年11月18日 14:15:11 UTC
Matsuu, please also apply the patches for the XPDF issues from bug 196735 and the dvips patches from bug 198238. Then you're good to go.
You can find an xpdf patch ported to tetex at the tetex-3 ebuilds in the tree.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007年11月18日 23:11:46 UTC
(In reply to comment #14)
> Matsuu, please also apply the patches for the XPDF issues from bug 196735 and
> the dvips patches from bug 198238. Then you're good to go.
Add the patch from t1lib to that list -- bug 193437 
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007年11月25日 22:50:38 UTC
GLSA 200711-34 for cstetex, still waiting for ptex.
Comment 17 MATSUU Takuto (RETIRED) gentoo-dev 2007年11月27日 17:37:14 UTC
Sorry for the long, long delay.
The attached ebuild doesn't work well, so I added app-text/ptex to package.mask temporarily.
Comment 18 Mr. Bones. (RETIRED) gentoo-dev 2007年11月27日 18:53:48 UTC
app-i18n/canna-3.7_p2: nonsolvable depset(depends) keyword(x86) profile (default-linux/x86/2007.0/desktop): solutions: [ app-text/ptex ]
app-text/xdvik-22.84.10: nonsolvable depset(rdepends) keyword(x86) profile (default-linux/x86/2007.0/desktop): solutions: [ app-text/texlive-core, app-text/ptex ]
Need to fix up the dep breakage before masking. I commented out the mask. Deps should never be broken by package masking.
Comment 19 MATSUU Takuto (RETIRED) gentoo-dev 2007年11月30日 14:32:22 UTC
Added ptex-3.1.10_p20071122.ebuild in cvs. It WORKSFORME(tm).
Please test and mark stable.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2007年12月04日 01:41:42 UTC
Does it include patches for the XPDF issues from bug 196735? At a first glance, it does not look like it. All other issues seem to be resolved.
Comment 21 MATSUU Takuto (RETIRED) gentoo-dev 2007年12月06日 14:57:23 UTC
Added ptex-3.1.10_p20071203 and xpdf patch.
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007年12月10日 21:33:08 UTC
Arches, please test and mark stable app-text/ptex-ptex-3.1.10_p20071203. Target "alpha amd64 arm hppa ia64 ppc ppc-macos ppc64 sh sparc x86"
Comment 23 Christian Faulhammer (RETIRED) gentoo-dev 2007年12月11日 10:12:20 UTC
x86 stable
Comment 24 Markus Rothe (RETIRED) gentoo-dev 2007年12月11日 16:58:27 UTC
ppc64 stable
Comment 25 Alexis Ballier gentoo-dev 2007年12月11日 21:11:59 UTC
fyi: cstetex is gone
Comment 26 Peter Weller (RETIRED) gentoo-dev 2007年12月12日 07:13:31 UTC
amd64 is gone.
Comment 27 Jeroen Roovers (RETIRED) gentoo-dev 2007年12月13日 07:47:47 UTC
Stable for HPPA.
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2007年12月13日 12:00:45 UTC
alpha/ia64/sparc stable
Comment 29 Tobias Scherbaum (RETIRED) gentoo-dev 2007年12月14日 18:15:27 UTC
ppc stable
Comment 30 Fabian Groffen gentoo-dev 2008年01月15日 17:06:39 UTC
cstetex is gone, ptex no longer keyworded ppc-macos. Sorry for the long wait.
Comment 31 Peter Volkov (RETIRED) gentoo-dev 2008年02月25日 10:45:18 UTC
This bug does not affect the 2008.0 snapshot, removing release@ from CC.
Comment 32 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008年05月07日 22:31:57 UTC
glsa request filed for ptex
Comment 33 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008年05月12日 21:33:40 UTC
GLSA 200805-13 for Ptex, sorry for the delay.