Bug 225491 - CVE-2007-0650 Multiple buffer overflows in teTeX's makeindex
Summary: CVE-2007-0650 Multiple buffer overflows in teTeX's makeindex
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: tetex
Version: 8
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact: David Lawrence
URL:
Whiteboard: bzcl34nup
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-01-30 21:37 UTC by Mark Richters
Modified: 2013-07-02 23:19 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-01-09 07:55:01 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
Proposed patch to fix the makeindex issues. (2.55 KB, patch)
2007-02-02 12:20 UTC, Jindrich Novy
no flags Details | Diff

Description Mark Richters 2007-01-30 21:37:35 UTC
Description of problem:

makeindex crashes with "*** buffer overflow detected ***: makeindex terminated"

Version-Release number of selected component (if applicable):

tetex-3.0-32.fc6
makeindex, version 2.14 [02-Oct-2002] (kpathsea + Thai support)

How reproducible:

Call makeindex with a long pathname argument to -s switch like this (file must
exist in that location):

makeindex -s
/home/mr/perforce/tools/dblatex-0.2.3/share/dblatex/latex/scripts/doc.ist

Shorter pathnames do work: "makeindex -s /home/mr/doc.ist" is fine.

Steps to Reproduce:
1. makeindex -s
/home/mr/perforce/tools/dblatex-0.2.3/share/dblatex/latex/scripts/doc.ist
  
Actual results:

10027:$ makeindex -s
/home/mr/perforce/tools/dblatex-0.2.3/share/dblatex/latex/scripts/doc.ist
*** buffer overflow detected ***: makeindex terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x37220e0cdf]
makeindex[0x403082]
makeindex[0x40344b]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x372201da44]
makeindex[0x4017e9]
======= Memory map: ========
00400000-00416000 r-xp 00000000 08:12 1780024                           
/usr/bin/makeindex
00615000-0061f000 rw-p 00015000 08:12 1780024                           
/usr/bin/makeindex
0061f000-00624000 rw-p 0061f000 00:00 0 
0081e000-00820000 rw-p 0001e000 08:12 1780024                           
/usr/bin/makeindex
00820000-00916000 rw-p 00820000 00:00 0                                  [heap]
3721c00000-3721c1a000 r-xp 00000000 08:12 2116942                       
/lib64/ld-2.5.so
3721e19000-3721e1a000 r--p 00019000 08:12 2116942                       
/lib64/ld-2.5.so
3721e1a000-3721e1b000 rw-p 0001a000 08:12 2116942                       
/lib64/ld-2.5.so
3722000000-3722144000 r-xp 00000000 08:12 2116943                       
/lib64/libc-2.5.so
3722144000-3722344000 ---p 00144000 08:12 2116943                       
/lib64/libc-2.5.so
3722344000-3722348000 r--p 00144000 08:12 2116943                       
/lib64/libc-2.5.so
3722348000-3722349000 rw-p 00148000 08:12 2116943                       
/lib64/libc-2.5.so
3722349000-372234e000 rw-p 3722349000 00:00 0 
3727c00000-3727c0d000 r-xp 00000000 08:12 2116947                       
/lib64/libgcc_s-4.1.1-20070105.so.1
3727c0d000-3727e0c000 ---p 0000d000 08:12 2116947                       
/lib64/libgcc_s-4.1.1-20070105.so.1
3727e0c000-3727e0d000 rw-p 0000c000 08:12 2116947                       
/lib64/libgcc_s-4.1.1-20070105.so.1
2aaaaaaab000-2aaaaaaac000 rw-p 2aaaaaaab000 00:00 0 
2aaaaaad4000-2aaaaaad6000 rw-p 2aaaaaad4000 00:00 0 
7fff26653000-7fff26669000 rw-p 7fff26653000 00:00 0                      [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]
Aborted

Expected results:

No buffer overflow.

Comment 1 Lubomir Kundrak 2007-02-01 13:27:25 UTC
There is a minor heap overflow resulting in heap corruption in
check_idx() at mkind.c:410. It is definitely not a security issue,
because it doesn't allow an attacker to inject arbitrary data on stack.

But it might be unrelated, because it requires the filename to
be at least 252 characters long, which is not the case in
the above description.

Let's call makeindex this way:
$ makeindex `perl -e 'print "x" x 255'`

Here the filename length gets checked against STRING_MAX
which is 256 characters:

386     if (i < STRING_MAX)
387         base[i] = NUL;
388     else
389         FATAL2("Index file name %s too long (max %d).\n",
390                base, STRING_MAX);

(gdb) print STRING_MAX
$4 = 256

Then the same amount of data gets allocated to idx_fn and the file name
extended by 4 characters gets copied there:

408             if ((idx_fn = (char *) malloc(STRING_MAX)) == NULL)
409                 FATAL("Not enough core...abort.\n", "");
410             sprintf(idx_fn, "%s%s", base, INDEX_IDX);
	
(gdb) print INDEX_IDX
$5 = ".idx"
(gdb) print strlen(base)
$6 = 255

Shoul be fixed by adjusting the conditional on line 386 accordingly I guess.

Comment 2 Lubomir Kundrak 2007-02-01 14:44:13 UTC
The previous bug was really a different one.
The actual problem here is that makeindex does

516             strcpy(sty_fn, fn);

in open_sty (fn) at mkind.c. fn gets passed without any check from
a program agrument in main():

150                         /* style file */
151                     case 's':
152                         argc--;
153                         if (argc <= 0)
154                             FATAL("Expected -s <stylefile>\n","");
155                         open_sty(*++argv);
156                         sty_given = TRUE;
157                         break;

however, sty_fn is is only 72 characters wide. See mkindex.h:

 56 char    sty_fn[LINE_MAX];

(gdb) print LINE_MAX
$2 = 72
(gdb)

This allows a malicious attacker to owerwrite data that follows the
sty_fn[] buffer almost arbitrarily. This might lead to overwrite of
arbitrary files if pathnames were stored there or arbitrary code
execution in case there is a pointer to function there.

Comment 3 Jindrich Novy 2007-02-02 09:39:31 UTC
Yet another buffer overflow at mkind.c:182:

strcpy(pageno, *++argv);

where the argument string is immediatelly assigned to a global array.

Comment 4 Jindrich Novy 2007-02-02 12:20:04 UTC
Created attachment 147214 [details]
Proposed patch to fix the makeindex issues.

Comment 6 Fedora Update System 2007-04-13 19:37:00 UTC
tetex-3.0-34.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 7 Mark Richters 2007-06-30 18:56:25 UTC
Just tested it again with tetex-3.0-39.fc7.x86_64 on F7. The buffer overflow is
gone. Thanks for this. Although, the error message is a bit confusing:

10008:$ makeindex -s
/home/mr/perforce/tools/dblatex-0.2.3/share/dblatex/latex/scripts/doc.ist
Style file
/home/mr/perforce/tools/dblatex-0.2.3/share/dblatex/latex/scripts/doc.ist too long.

It says that the style file is too long, but actually it's the file name that is
too long. The same file works after copying to /tmp:

10010:$ cp
/home/mr/perforce/tools/dblatex-0.2.3/share/dblatex/latex/scripts/doc.ist /tmp
mr@ash:~
10011:$ makeindex -s /tmp/doc.ist 
Scanning style file /tmp/doc.ist....done (4 attributes redefined, 0 ignored).
This is makeindex, version 2.14 [02-Oct-2002] (kpathsea + Thai support).
Scanning input file stdin...

Still, I wonder why the file name length is so much limited at all (especially
since the path above is not really long).

Comment 8 Bug Zapper 2008-04-04 06:01:25 UTC
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers

Comment 9 Mark Richters 2008-04-04 20:45:36 UTC
Comment #7 is also valid for Fedora 8 with tetex-3.0-44.8.fc8.x86_64.


Comment 10 John Poelstra 2008-04-04 21:44:24 UTC
thanks for the update!

Comment 11 Jindrich Novy 2008-04-05 08:15:34 UTC
Ok, I updated the CVE-2005-0650 patch to increase the file name size limit to
STRING_MAX (256) from LINE_MAX (72) and the error message. The fix for it should
occur in the next update.

Comment 12 Fedora Update System 2008-04-10 11:28:38 UTC
tetex-3.0-44.9.fc8 has been submitted as an update for Fedora 8

Comment 13 Fedora Update System 2008-04-17 03:55:09 UTC
tetex-3.0-44.9.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update tetex'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-3158

Comment 14 Bug Zapper 2008-11-26 07:09:46 UTC
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 15 Bug Zapper 2009-01-09 07:55:01 UTC
Fedora 8 changed to end-of-life (EOL) status on 2009-01-07. Fedora 8 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.