+++ This bug was initially created as a clone of Bug #217672 +++
+++ This bug was initially created as a clone of Bug #215593 +++

The original GNU gv issue is described here:
http://www.securityfocus.com/archive/1/archive/1/451057/100/0/threaded

Description of problem:
The function ps_gettext() in ps.c is vulnerable to a buffer overflow condition, because it copies characters from the input file to a fixed-sized array text[].

How reproducible:
With specially crafted files looking like either of those below this paragraph. (Replace ... with something a bit longer than PSLINELENGTH (256), so it overwrites the stack. It can potentially be malicious code that might get executed on function return.)

%!PS-Adobe-3.0
%%DocumentMedia: ...

%!PS-Adobe-3.0
%%DocumentPaperSizes: ...

%!PS-Adobe-3.0
%%EndComments
%%BeginDefaults
%%PageMedia: ...

%!PS-Adobe-3.0
%%EndComments
%%BeginSetup
%%PaperSize: ...

Alternatively use the exploit attached to the original advisory, which connects to a TCP socket and opens a shell. The evince advisory contains another one.

Additional info:
Ggv and kghostview seem not to contain the affected code.

-- Additional comment from lkundrak on 2006-11-14 14:34 EST --
Created an attachment (id=141170)
A GNU gv patch from Gentoo Linux project
Evince doesn't contain ghostscript or gv code, it forks ghostscript to render postscript documents. Just to be sure, I did a

  [krh@devserv evince-0.6.0]$ find . -name '*.c' |xargs grep ps_get
  ./dvi/mdvi-lib/fontmap.c:TFMInfo *mdvi_ps_get_metrics(const char *fontname)
  ./dvi/mdvi-lib/t1.c:    info->tfminfo = mdvi_ps_get_metrics(info->fontname);

There is no ps_gettext function anywhere in evince. Am I missing something, or is this misfiled?
Kristian, if you look at get_next_text(), it clearly has an overflow issue with the text array.
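Added example (not code from the gv or evince projects, and not the attached patches): a bounded version of the copy pattern the description and the get_next_text() comment above describe, plus a scanner check a defender can run over DSC header lines before handing a document to a viewer. PSLINELENGTH is taken from the report's value of 256; ps_gettext_bounded, dsc_value_too_long, copy_value_len and overlong_line_is_caught are hypothetical names, and the whitespace-delimited token rule is an assumption about the original function's behaviour, not a reading of its source.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same value the bug report cites for gv's line buffer (assumption: other
 * versions of gv/evince may define it differently). */
#define PSLINELENGTH 256

/*
 * Bounded token copy: the pattern the report describes, with a length
 * check.  Copies the next whitespace-delimited token from `line` into
 * `text`, which holds at most `textlen` bytes including the terminator.
 * Returns the number of bytes copied, or -1 when the token does not fit,
 * in which case `text` is left empty so a caller cannot consume a
 * half-copied value by mistake.
 */
int ps_gettext_bounded(const char *line, char *text, size_t textlen)
{
    size_t n = 0;

    if (textlen == 0)
        return -1;
    while (*line && isspace((unsigned char)*line))
        line++;
    while (*line && !isspace((unsigned char)*line)) {
        if (n + 1 >= textlen) {     /* no room for this byte plus the NUL */
            text[0] = '\0';
            return -1;
        }
        text[n++] = *line++;
    }
    text[n] = '\0';
    return (int)n;
}

/*
 * Defender-side check for the trigger shape in the report: a DSC header
 * line ("%%Keyword: value") whose value is `limit` bytes or longer.  A
 * value of exactly `limit` bytes already overruns a `limit`-sized array
 * once the terminator is added, so >= is the right comparison.
 */
int dsc_value_too_long(const char *line, size_t limit)
{
    const char *p;

    if (strncmp(line, "%%", 2) != 0)
        return 0;
    p = strchr(line, ':');
    if (p == NULL)
        return 0;
    p++;
    while (*p && isspace((unsigned char)*p))
        p++;
    return strcspn(p, "\r\n") >= limit;
}

/* Wrapper around a PSLINELENGTH-sized stack buffer that returns only the
 * byte count, so callers need no buffer of their own. */
int copy_value_len(const char *line)
{
    char text[PSLINELENGTH];
    return ps_gettext_bounded(line, text, sizeof text);
}

/*
 * Builds a constructed "%%DocumentMedia: AAAA..." line whose value is
 * `value_len` bytes and runs both checks on it.  Returns 1 when the
 * bounded copy rejects the value AND the scanner flags the line, 0 when
 * both accept it, and -1 if the two disagree (or on allocation failure).
 */
int overlong_line_is_caught(size_t value_len)
{
    static const char prefix[] = "%%DocumentMedia: ";
    size_t plen = sizeof(prefix) - 1;
    char *line = malloc(plen + value_len + 2);
    int copied, flagged;

    if (line == NULL)
        return -1;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', value_len);
    line[plen + value_len] = '\n';
    line[plen + value_len + 1] = '\0';

    copied = copy_value_len(line + plen);
    flagged = dsc_value_too_long(line, PSLINELENGTH);
    free(line);

    if (copied == -1 && flagged)
        return 1;
    if (copied >= 0 && !flagged)
        return 0;
    return -1;
}

int main(void)
{
    printf("20-byte value caught:  %d\n", overlong_line_is_caught(20));
    printf("300-byte value caught: %d\n", overlong_line_is_caught(300));
    return 0;
}
```

The design point worth keeping from this is that the bounded copy refuses the token and empties the buffer rather than silently truncating it: a truncated media or paper-size value would parse as something different from what the document said, so failing the line is the safer outcome. The scanner's `>=` comparison matches the copy's limit exactly, which the 255- and 256-byte cases exercise.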
Fixed Ubuntu packages: http://lwn.net/Articles/212283/
Created attachment 143256 [details] the upstream fix
Fix is in evince-0.6.0-8.el5
20061214
evince-0.6.0-8.el5 included in 20061218.1 trees.