Red Hat Bugzilla – Bug 217672
CVE-2006-5864 evince contains a buffer overflow in get_next_text()
Last modified: 2007-11-30 17:11:50 EST
+++ This bug was initially created as a clone of Bug #215593 +++
The original GNU gv issue is described here:
Description of problem:
The function ps_gettext() in ps.c is vulnerable to a buffer overflow condition,
because it copies characters from input file to a fixed-sized array text.
With specially crafted files looking like either of those below this paragraph.
(Replace ... with something a bit longer than PSLINELENGTH (256), so it
overwrites stack. It can be potantially malicious code that might get executed
on functio return)
Alternatively use exploit attached to original advisory, which connects to
a TCP socket and opens a shell. The evince advisory contains another one.
Ggv and kghostview seem not to contain the affected code.
-- Additional comment from firstname.lastname@example.org on 2006-11-14 14:34 EST --
Created an attachment (id=141170)
A GNU gv patch from Gentoo Linux project
Evince doesn't contain ghostscript or gv code, it forks ghostscript to render
postscript documents. Just to be sure, I did a
[krh@devserv evince-0.6.0]$ find . -name '*.c' |xargs grep ps_get
./dvi/mdvi-lib/fontmap.c:TFMInfo *mdvi_ps_get_metrics(const char *fontname)
./dvi/mdvi-lib/t1.c: info->tfminfo = mdvi_ps_get_metrics(info->fontname);
There is no ps_gettext function anywhere in evince.
Am I missing something, or is this misfiled?
(In reply to comment #1)
> There is no ps_gettext function anywhere in evince.
> Am I missing something, or is this misfiled?
Oh, pardon me. In evince the function is named get_next_text(), unlike in
original GNU gv.
Kristian, if you look at get_next_text(), it clearly has overflow issues with
Shouldn't this bug be closed? According to:
rpm -q --changelog evince
* Sun Dec 10 2006 Matthias Clasen <email@example.com> - 0.6.0-5
- Fix an overflow in the PostScript backend (#217674, CVE-2006-5864)
I'm not sure. Matthias, should this be closed?