Bug 217674 - CVE-2006-5864 evince contains a buffer overflow in get_next_text()
Summary: CVE-2006-5864 evince contains a buffer overflow in get_next_text()
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: evince
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Kristian Høgsberg
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard: source=bugtraq,reported=20061128,impa...
Depends On: CVE-2006-5864
Blocks:
Reported: 2006-11-29 10:42 UTC by Lubomir Kundrak
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-12-19 15:33:36 UTC
Target Upstream Version:
Embargoed:


Attachments
the upstream fix (822 bytes, patch)
2006-12-11 02:50 UTC, Matthias Clasen

Description Lubomir Kundrak 2006-11-29 10:42:32 UTC
+++ This bug was initially created as a clone of Bug #217672 +++
+++ This bug was initially created as a clone of Bug #215593 +++

The original GNU gv issue is described here:
http://www.securityfocus.com/archive/1/archive/1/451057/100/0/threaded

Description of problem:

The function ps_gettext() in ps.c is vulnerable to a buffer overflow condition,
because it copies characters from input file to a fixed-sized array text[].

How reproducible:

With specially crafted files looking like any of those below this paragraph.
(Replace ... with something a bit longer than PSLINELENGTH (256), so it
overwrites the stack. It can potentially be malicious code that might get
executed on function return.)

%!PS-Adobe-3.0
%%DocumentMedia: ...

%!PS-Adobe-3.0
%%DocumentPaperSizes: ...

%!PS-Adobe-3.0
%%EndComments
%%BeginDefaults
%%PageMedia: ...

%!PS-Adobe-3.0
%%EndComments
%%BeginSetup
%%PaperSize: ...

Alternatively, use the exploit attached to the original advisory, which connects to
a TCP socket and opens a shell. The evince advisory contains another one.

Additional info:

Ggv and kghostview seem not to contain the affected code.

-- Additional comment from lkundrak on 2006-11-14 14:34 EST --
Created an attachment (id=141170)
A GNU gv patch from Gentoo Linux project

Comment 1 Kristian Høgsberg 2006-11-29 16:22:25 UTC
Evince doesn't contain ghostscript or gv code, it forks ghostscript to render
postscript documents.  Just to be sure, I did a

[krh@devserv evince-0.6.0]$ find . -name '*.c' |xargs grep ps_get
./dvi/mdvi-lib/fontmap.c:TFMInfo *mdvi_ps_get_metrics(const char *fontname)
./dvi/mdvi-lib/t1.c:    info->tfminfo = mdvi_ps_get_metrics(info->fontname);

There is no ps_gettext function anywhere in evince.

Am I missing something, or is this misfiled?

Comment 2 Matthias Clasen 2006-11-30 03:51:21 UTC
Kristian, if you look at get_next_text(), it clearly has an overflow issue with 
the text array.
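
The description and Comment 2 both describe the same defect: characters from a DSC comment line (e.g. "%%DocumentMedia:") are copied into a fixed-size text[] array of PSLINELENGTH (256) bytes without checking the array's capacity. The following C example is added here to illustrate the bounded form of that copy; it is not the evince or gv code, and the function names (get_dsc_text, scan_header, make_overlong_doc), the dsc_status enum and the sample headers are constructed for this example. It reports truncation instead of overrunning the buffer, and the scanner exercises the four DSC keys listed in the report.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Line buffer length named in the report. */
#define PSLINELENGTH 256

/* Hypothetical result codes for this example. */
enum dsc_status { DSC_OK = 0, DSC_NOMATCH = 1, DSC_TRUNCATED = 2 };

/* The unbounded pattern the report describes, kept as a comment only:
 *
 *   char text[PSLINELENGTH];
 *   while (*p && *p != '\n') text[i++] = *p++;   // i is never checked
 *
 * Any value longer than the array runs past its end on the stack. */

/* Bounded replacement: copy the value following "key" into out[outsz],
 * always NUL-terminate, and report truncation rather than overrun. */
enum dsc_status get_dsc_text(const char *line, const char *key,
                             char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p;
    size_t i = 0;

    if (outsz == 0) return DSC_TRUNCATED;
    if (strncmp(line, key, klen) != 0) { out[0] = '\0'; return DSC_NOMATCH; }

    p = line + klen;
    while (*p == ' ' || *p == '\t') p++;            /* skip separator */

    /* Copy at most outsz-1 bytes so the terminator always fits. */
    while (*p && *p != '\n' && *p != '\r') {
        if (i + 1 >= outsz) { out[i] = '\0'; return DSC_TRUNCATED; }
        out[i++] = *p++;
    }
    out[i] = '\0';
    return DSC_OK;
}

/* Walk a header line by line, trying the DSC keys from the report against
 * each line. Returns the number of values that had to be truncated;
 * *matched receives the number of lines that carried one of the keys. */
int scan_header(const char *doc, int *matched)
{
    static const char *keys[] = { "%%DocumentMedia:", "%%DocumentPaperSizes:",
                                  "%%PageMedia:", "%%PaperSize:" };
    char text[PSLINELENGTH];
    const char *line = doc;
    const char *nl;
    int truncated = 0;
    size_t k;

    if (matched) *matched = 0;
    while (*line) {
        for (k = 0; k < sizeof keys / sizeof keys[0]; k++) {
            enum dsc_status st = get_dsc_text(line, keys[k], text, sizeof text);
            if (st == DSC_NOMATCH) continue;
            if (matched) (*matched)++;
            if (st == DSC_TRUNCATED) truncated++;
            break;
        }
        nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return truncated;
}

/* Constructed benign header (not from the advisory). */
static const char benign_doc[] =
    "%!PS-Adobe-3.0\n%%DocumentMedia: Plain 612 792 0 () ()\n%%EndComments\n";

/* Build a constructed header whose %%PaperSize: value is value_len bytes
 * long, to drive the truncation path. Returns 0 if buf is too small. */
int make_overlong_doc(char *buf, size_t bufsz, size_t value_len)
{
    const char *prefix = "%!PS-Adobe-3.0\n%%EndComments\n%%BeginSetup\n%%PaperSize: ";
    size_t plen = strlen(prefix);
    if (plen + value_len + 2 > bufsz) return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', value_len);
    buf[plen + value_len] = '\n';
    buf[plen + value_len + 1] = '\0';
    return 1;
}

int main(void)
{
    char doc[512];
    int matched = 0;
    printf("benign: truncated=%d\n", scan_header(benign_doc, &matched));
    if (make_overlong_doc(doc, sizeof doc, 300))
        printf("overlong: truncated=%d matched=%d\n",
               scan_header(doc, &matched), matched);
    return 0;
}
```

The scanner returns a truncation count rather than silently clipping, so a caller can refuse the document or log the oversized line; that is the observable signal a fixed-size line parser should give instead of corrupting its own stack frame.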

Comment 3 Matthias Clasen 2006-12-01 19:51:53 UTC
Fixed Ubuntu packages: http://lwn.net/Articles/212283/

Comment 4 Matthias Clasen 2006-12-11 02:50:48 UTC
Created attachment 143256 [details]
the upstream fix

Comment 5 Matthias Clasen 2006-12-11 03:10:29 UTC
Fix is in evince-0.6.0-8.el5

Comment 6 Mark J. Cox 2006-12-15 09:43:33 UTC
20061214

Comment 7 Jay Turner 2006-12-19 15:33:36 UTC
evince-0.6.0-8.el5 included in 20061218.1 trees.

