Bug 217672 (CVE-2006-5864) - CVE-2006-5864 evince contains a buffer overflow in get_next_text()
Summary: CVE-2006-5864 evince contains a buffer overflow in get_next_text()
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2006-5864
Product: Fedora
Classification: Fedora
Component: evince
Version: 6
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Kristian Høgsberg
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard: source=bugtraq,reported=20061128,impa...
Depends On:
Blocks: 217674
Reported: 2006-11-29 10:27 UTC by Lubomir Kundrak
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-04-10 17:04:25 UTC
Type: ---
Embargoed:



Description Lubomir Kundrak 2006-11-29 10:27:53 UTC
+++ This bug was initially created as a clone of Bug #215593 +++

The original GNU gv issue is described here:
http://www.securityfocus.com/archive/1/archive/1/451057/100/0/threaded

Description of problem:

The function ps_gettext() in ps.c is vulnerable to a buffer overflow condition,
because it copies characters from input file to a fixed-sized array text[].

How reproducible:

With specially crafted files looking like either of those below this paragraph.
(Replace ... with something a bit longer than PSLINELENGTH (256), so it
overwrites the stack. It can be potentially malicious code that might get executed
on function return.)

%!PS-Adobe-3.0
%%DocumentMedia: ...

%!PS-Adobe-3.0
%%DocumentPaperSizes: ...

%!PS-Adobe-3.0
%%EndComments
%%BeginDefaults
%%PageMedia: ...

%!PS-Adobe-3.0
%%EndComments
%%BeginSetup
%%PaperSize: ...

Alternatively use exploit attached to original advisory, which connects to
a TCP socket and opens a shell. The evince advisory contains another one.

Additional info:

Ggv and kghostview seem not to contain the affected code.

-- Additional comment from lkundrak on 2006-11-14 14:34 EST --
Created an attachment (id=141170)
A GNU gv patch from Gentoo Linux project
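The defect described in this report is an unbounded copy of a DSC comment value into `char text[PSLINELENGTH]`. The following is an added example (not evince's or gv's code) of the bounded form of such a reader, with a constructed `%%DocumentMedia:` line longer than PSLINELENGTH to show that an overlong value is truncated instead of written past the array; the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define PSLINELENGTH 256   /* value taken from the report */

/* Copy the value after a DSC keyword (e.g. "%%DocumentMedia:") into out,
 * which must hold at least PSLINELENGTH bytes.  Stops at end of line or
 * end of input and always NUL-terminates.  Returns 1 if the value had to
 * be truncated to fit (the case the unbounded copy never checked), 0 if it
 * fit, or -1 if the line does not start with the keyword. */
int get_dsc_value_bounded(const char *line, const char *keyword, char *out)
{
    size_t klen = strlen(keyword);
    size_t n = 0;

    if (strncmp(line, keyword, klen) != 0)
        return -1;
    line += klen;
    while (*line == ' ' || *line == '\t')   /* skip separator whitespace */
        line++;
    while (*line != '\0' && *line != '\n' && *line != '\r') {
        if (n == PSLINELENGTH - 1) {        /* keep room for the terminator */
            out[n] = '\0';
            return 1;                       /* truncated, not overflowed */
        }
        out[n++] = *line++;
    }
    out[n] = '\0';
    return 0;
}

/* Constructed input: a %%DocumentMedia line whose value is ~500 bytes,
 * the shape of the crafted files in the report.  Returns 1 (truncated). */
int demo_overlong_media_line(void)
{
    char buf[PSLINELENGTH];
    char line[512];

    memset(line, 'A', sizeof line);
    memcpy(line, "%%DocumentMedia: ", 17);
    line[sizeof line - 1] = '\0';
    return get_dsc_value_bounded(line, "%%DocumentMedia:", buf);
}

/* Helper for checking: length of the value stored for a given line,
 * or -1 if the keyword does not match. */
int stored_value_len(const char *line, const char *keyword)
{
    char buf[PSLINELENGTH];

    if (get_dsc_value_bounded(line, keyword, buf) < 0)
        return -1;
    return (int)strlen(buf);
}
```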

Comment 1 Kristian Høgsberg 2006-11-29 16:22:48 UTC
Evince doesn't contain ghostscript or gv code, it forks ghostscript to render
postscript documents.  Just to be sure, I did a

[krh@devserv evince-0.6.0]$ find . -name '*.c' |xargs grep ps_get
./dvi/mdvi-lib/fontmap.c:TFMInfo *mdvi_ps_get_metrics(const char *fontname)
./dvi/mdvi-lib/t1.c:    info->tfminfo = mdvi_ps_get_metrics(info->fontname);

There is no ps_gettext function anywhere in evince.

Am I missing something, or is this misfiled?

Comment 2 Lubomir Kundrak 2006-11-29 16:56:01 UTC
(In reply to comment #1)
> There is no ps_gettext function anywhere in evince.
> Am I missing something, or is this misfiled?

Oh, pardon me. In evince the function is named get_next_text(), unlike in
original GNU gv.

Comment 3 Matthias Clasen 2006-11-30 03:47:59 UTC
Kristian, if you look at get_next_text(), it clearly has overflow issues with 
char text[PSLINELENGTH]

Comment 4 Dean Brettle 2007-04-10 08:18:42 UTC
Shouldn't this bug be closed?  According to:

rpm -q --changelog evince

* Sun Dec 10 2006 Matthias Clasen <mclasen> - 0.6.0-5
- Fix an overflow in the PostScript backend (#217674, CVE-2006-5864)

Comment 5 Ray Strode [halfline] 2007-04-10 15:02:10 UTC
I'm not sure.  Matthias, should this be closed?

Comment 6 Matthias Clasen 2007-04-10 17:04:25 UTC
Yes
