Bug 492136 (CVE-2009-1284)

Summary: CVE-2009-1284 tetex, texlive: bibtex's invalid reads/writes when parsing big *.bib file
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520920
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:06:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Description Flags
upstream proposed patch to fix the issue none

Description Jan Lieskovsky 2009-03-25 15:08:07 UTC
A security flaw was found in bibtex, a tool for preparing bibliography for
(La)Tex. An attacker could use this flaw to cause a denial of 
service (application crash), or, possibly cause memory corruption, by
providing a big *.bib bibliography file for processing with the bibtex


Comment 1 Jan Lieskovsky 2009-03-25 15:11:13 UTC
Created attachment 336659 [details]

1, Untar provided archive
2, bibtex livre_fp.aux

Comment 2 Jan Lieskovsky 2009-03-25 15:13:05 UTC
This issue affects all versions of the tetex package, as shipped 
with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

This issue affects all versions of the texlive-2007 package, as shipped
with Fedora releases of 9, 10, and devel.

Comment 5 Jindrich Novy 2009-03-31 07:02:51 UTC
It seems that the aux files just exceed the 65000 string pool size limit per one reallocation. Increasing pool size to a higher value could work-around the problem for a while but not really fix it.

Comment 16 Vincent Danen 2009-08-12 15:48:00 UTC
Created attachment 357191 [details]
upstream proposed patch to fix the issue

Provided by Karl Berry with the following comments:

Here's the patch I came up with.  It seems Oren forgot to check for
enough room in the string pool in the substring bst function.  I'll tell
him so he can fix it in bibtex 1.0 :).

I think this is worth applying to rawhide, but beyond that upstream doesn't see much in the way of a security issue here.

Comment 17 Vincent Danen 2009-08-27 14:39:15 UTC
This has been assigned CVE-2009-1284.  I still don't feel this is worth an update and have adjusted the impact to low.

Jindrich, can you ensure the patch noted in comment #16 gets applied to Fedora 12 please?  Thanks.

Comment 18 Vincent Danen 2009-08-28 18:56:22 UTC
The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.  More  information regarding issue severity can be found here:


Comment 19 Fedora Update System 2009-10-21 19:08:27 UTC
texlive-2007-45.fc12 has been submitted as an update for Fedora 12.

Comment 20 Fedora Update System 2009-10-21 19:09:55 UTC
texlive-2007-45.fc11 has been submitted as an update for Fedora 11.

Comment 21 Fedora Update System 2009-10-21 19:11:44 UTC
texlive-2007-45.fc10 has been submitted as an update for Fedora 10.

Comment 22 Tomas Hoger 2009-10-22 06:59:28 UTC
Jindrich, what fix was applied in texlive-2007-45?  Just a pool size bump mentioned in comment #5?

Comment 23 Jindrich Novy 2009-10-22 07:31:18 UTC
Tomas, I applied the upstream patch noted in comment #16 and removed the pool size bump as it shouldn't be needed now. The upstream version looks more general solution to me.

Comment 24 Tomas Hoger 2009-10-22 07:39:13 UTC
Ah, right, I'm blind.  Thank you!

Comment 25 Fedora Update System 2009-11-13 02:24:08 UTC
texlive-2007-46.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2009-11-13 02:25:32 UTC
texlive-2007-46.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.