Bug 492136 (CVE-2009-1284)
| Summary: | CVE-2009-1284 tetex, texlive: bibtex's invalid reads/writes when parsing big *.bib file | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||
| Severity: | low | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | unspecified | CC: | vdanen | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520920 | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2021-10-19 09:06:44 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Jan Lieskovsky
2009-03-25 15:08:07 UTC
Created attachment 336659 [details]
Reproducer
Scenario:
1, Untar provided archive
2, bibtex livre_fp.aux
This issue affects all versions of the tetex package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. This issue affects all versions of the texlive-2007 package, as shipped with Fedora releases of 9, 10, and devel. It seems that the aux files just exceed the 65000 string pool size limit per one reallocation. Increasing pool size to a higher value could work-around the problem for a while but not really fix it. Created attachment 357191 [details]
upstream proposed patch to fix the issue
Provided by Karl Berry with the following comments:
Here's the patch I came up with. It seems Oren forgot to check for
enough room in the string pool in the substring bst function. I'll tell
him so he can fix it in bibtex 1.0 :).
I think this is worth applying to rawhide, but beyond that upstream doesn't see much in the way of a security issue here.
This has been assigned CVE-2009-1284. I still don't feel this is worth an update and have adjusted the impact to low. Jindrich, can you ensure the patch noted in comment #16 gets applied to Fedora 12 please? Thanks. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ texlive-2007-45.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/texlive-2007-45.fc12 texlive-2007-45.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/texlive-2007-45.fc11 texlive-2007-45.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/texlive-2007-45.fc10 Jindrich, what fix was applied in texlive-2007-45? Just a pool size bump mentioned in comment #5? Tomas, I applied the upstream patch noted in comment #16 and removed the pool size bump as it shouldn't be needed now. The upstream version looks more general solution to me. Ah, right, I'm blind. Thank you! texlive-2007-46.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. texlive-2007-46.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. |