Red Hat Bugzilla – Bug 217674
CVE-2006-5864 evince contains a buffer overflow in get_next_text()
Last modified: 2007-11-30 17:07:38 EST
+++ This bug was initially created as a clone of Bug #217672 +++
+++ This bug was initially created as a clone of Bug #215593 +++
The original GNU gv issue is described here:
Description of problem:
The function ps_gettext() in ps.c is vulnerable to a buffer overflow condition,
because it copies characters from input file to a fixed-sized array text.
With specially crafted files looking like either of those below this paragraph.
(Replace ... with something a bit longer than PSLINELENGTH (256), so it
overwrites the stack. It can potentially be malicious code that might get executed
on function return.)
Alternatively use exploit attached to original advisory, which connects to
a TCP socket and opens a shell. The evince advisory contains another one.
Ggv and kghostview seem not to contain the affected code.
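The defect described above is the classic unbounded copy into a fixed-size stack array. The following is an added illustration, not code from gv, evince or ghostscript: a hypothetical bounded replacement for a get_next_text()-style routine that pulls a PostScript parenthesised string out of a line into a buffer of PSLINELENGTH bytes. It refuses input that would not fit instead of writing past the array, handles nested parentheses and backslash escapes, and the sample inputs are constructed for the demo.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PSLINELENGTH 256   /* the fixed line length the report mentions */

/* Hypothetical bounded text extractor (not the gv/evince code).
 * Copies the contents of the first PostScript-style parenthesised
 * string in `line` into `buf` (size bufsize), always NUL-terminating
 * and never writing past the end of `buf`.
 * Returns the number of characters stored, or -1 if there is no
 * string, it is unterminated, or it would not fit in the buffer
 * (the case an unbounded copy turns into a stack overflow). */
int get_next_text_bounded(const char *line, char *buf, size_t bufsize) {
    if (bufsize == 0) return -1;
    const char *p = strchr(line, '(');
    if (p == NULL) { buf[0] = '\0'; return -1; }
    p++;
    size_t n = 0;
    int depth = 1;
    while (*p != '\0') {
        char c = *p;
        if (c == '\\' && p[1] != '\0') {   /* escaped char: copy next literally */
            p++;
            c = *p;
        } else if (c == '(') {
            depth++;
        } else if (c == ')') {
            if (--depth == 0) break;       /* end of the outermost string */
        }
        if (n + 1 >= bufsize) {            /* would overflow: reject, don't truncate silently */
            buf[0] = '\0';
            return -1;
        }
        buf[n++] = c;
        p++;
    }
    if (depth != 0) { buf[0] = '\0'; return -1; }   /* unterminated string */
    buf[n] = '\0';
    return (int)n;
}

/* Helper using a PSLINELENGTH-sized stack buffer, as the original did. */
int extract_len(const char *line) {
    char text[PSLINELENGTH];
    return get_next_text_bounded(line, text, sizeof text);
}

/* Constructed over-long input: a string a bit longer than PSLINELENGTH,
 * the shape the report describes. The bounded version returns -1 and
 * leaves the stack intact. */
int demo_long(void) {
    char line[PSLINELENGTH * 2 + 8];
    size_t i;
    line[0] = '(';
    for (i = 1; i <= PSLINELENGTH + 100; i++) line[i] = 'A';
    line[i++] = ')';
    line[i] = '\0';
    return extract_len(line);
}

int main(void) {
    printf("short: %d\n", extract_len("%%Title: (hello world) ok"));
    printf("long:  %d\n", demo_long());
    return 0;
}
```

Rejecting an over-long string (rather than silently truncating it) keeps the parser's behaviour explicit; callers that prefer truncation can shorten the input themselves, but either way the write stays inside the buffer.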
-- Additional comment from firstname.lastname@example.org on 2006-11-14 14:34 EST --
Created an attachment (id=141170)
A GNU gv patch from Gentoo Linux project
Evince doesn't contain ghostscript or gv code, it forks ghostscript to render
postscript documents. Just to be sure, I did a
[krh@devserv evince-0.6.0]$ find . -name '*.c' |xargs grep ps_get
./dvi/mdvi-lib/fontmap.c:TFMInfo *mdvi_ps_get_metrics(const char *fontname)
./dvi/mdvi-lib/t1.c: info->tfminfo = mdvi_ps_get_metrics(info->fontname);
There is no ps_gettext function anywhere in evince.
Am I missing something, or is this misfiled?
Kristian, if you look at get_next_text(), it clearly has an overflow issue with
the text array.
Fixed Ubuntu packages: http://lwn.net/Articles/212283/
Created attachment 143256
the upstream fix
Fix is in evince-0.6.0-8.el5
evince-0.6.0-8.el5 included in 20061218.1 trees.