Bug 492136 - (CVE-2009-1284) CVE-2009-1284 tetex, texlive: bibtex's invalid reads/writes when parsing big *.bib file
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All / Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Reported: 2009-03-25 11:08 EDT by Jan Lieskovsky
Modified: 2015-03-04 20:21 EST
Attachments:
- Reproducer (66.65 KB, application/x-bzip2), 2009-03-25 11:11 EDT, Jan Lieskovsky
- upstream proposed patch to fix the issue (634 bytes, patch), 2009-08-12 11:48 EDT, Vincent Danen
Description Jan Lieskovsky 2009-03-25 11:08:07 EDT
A security flaw was found in bibtex, a tool for preparing bibliographies for
(La)TeX. An attacker could use this flaw to cause a denial of service
(application crash), or possibly cause memory corruption, by providing a big
*.bib bibliography file for processing with the bibtex tool.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520920
Comment 1 Jan Lieskovsky 2009-03-25 11:11:13 EDT
Created attachment 336659 [details]
Reproducer

Scenario:
1. Untar the provided archive
2. bibtex livre_fp.aux
Comment 2 Jan Lieskovsky 2009-03-25 11:13:05 EDT
This issue affects all versions of the tetex package, as shipped 
with Red Hat Enterprise Linux 2.1, 3, 4, and 5.

This issue affects all versions of the texlive-2007 package, as shipped
with Fedora releases of 9, 10, and devel.
Comment 5 Jindrich Novy 2009-03-31 03:02:51 EDT
It seems that the aux files just exceed the 65000 string pool size limit per one reallocation. Increasing the pool size to a higher value could work around the problem for a while but not really fix it.
Comment 16 Vincent Danen 2009-08-12 11:48:00 EDT
Created attachment 357191 [details]
upstream proposed patch to fix the issue

Provided by Karl Berry with the following comments:

Here's the patch I came up with.  It seems Oren forgot to check for
enough room in the string pool in the substring bst function.  I'll tell
him so he can fix it in bibtex 1.0 :).
I think this is worth applying to rawhide, but beyond that upstream doesn't see much in the way of a security issue here.
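Comment 5 and comment 16 between them describe the defect: a fixed-capacity string pool, and a substring$ implementation that copied a new string into it without first checking that enough room was left. The following C is an added illustration written for this page, not bibtex's code and not the upstream patch; the pool size, function names and return conventions are assumptions. The room check in pool_append is the kind of check the report says was missing.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a fixed-capacity string pool (size is an assumption;
 * bibtex's own limit is a separate compile-time constant). Strings are stored
 * back-to-back in pool[]; pool_used is the current fill level. */
#define POOL_SIZE 64

static char   pool[POOL_SIZE];
static size_t pool_used;

void pool_reset(void) { pool_used = 0; }

/* Append `len` bytes of `src` as a new pooled string.
 * Returns the start offset of the new string, or -1 when the pool lacks
 * room. The comparison is written as len > remaining (never used + len > SIZE)
 * so the check itself cannot overflow. */
long pool_append(const char *src, size_t len)
{
    if (len > POOL_SIZE - pool_used)
        return -1;                       /* refuse instead of writing past pool[] */
    memcpy(pool + pool_used, src, len);  /* source never overlaps the free tail */
    pool_used += len;
    return (long)(pool_used - len);
}

/* Hardened substring$: copy `len` bytes, starting at index `from`, of the
 * pooled string that begins at `start` and has length `slen`, into a new
 * pool entry. Validates that the source range lies inside the pool, then
 * relies on pool_append for the room check the original lacked. */
long pool_substring(size_t start, size_t slen, size_t from, size_t len)
{
    if (start > pool_used || slen > pool_used - start)
        return -1;                       /* source string not inside the pool */
    if (from > slen || len > slen - from)
        return -1;                       /* requested range not inside the source */
    return pool_append(pool + start + from, len);
}

/* Test helper: does the pooled string at `start` equal the `len`-byte `s`? */
int pool_equals(size_t start, size_t len, const char *s)
{
    if (start > pool_used || len > pool_used - start)
        return 0;
    return memcmp(pool + start, s, len) == 0;
}
```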
Comment 17 Vincent Danen 2009-08-27 10:39:15 EDT
This has been assigned CVE-2009-1284.  I still don't feel this is worth an update and have adjusted the impact to low.

Jindrich, can you ensure the patch noted in comment #16 gets applied to Fedora 12 please?  Thanks.
Comment 18 Vincent Danen 2009-08-28 14:56:22 EDT
The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/
Comment 19 Fedora Update System 2009-10-21 15:08:27 EDT
texlive-2007-45.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/texlive-2007-45.fc12
Comment 20 Fedora Update System 2009-10-21 15:09:55 EDT
texlive-2007-45.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/texlive-2007-45.fc11
Comment 21 Fedora Update System 2009-10-21 15:11:44 EDT
texlive-2007-45.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/texlive-2007-45.fc10
Comment 22 Tomas Hoger 2009-10-22 02:59:28 EDT
Jindrich, what fix was applied in texlive-2007-45?  Just a pool size bump mentioned in comment #5?
Comment 23 Jindrich Novy 2009-10-22 03:31:18 EDT
Tomas, I applied the upstream patch noted in comment #16 and removed the pool size bump as it shouldn't be needed now. The upstream version looks like a more general solution to me.
Comment 24 Tomas Hoger 2009-10-22 03:39:13 EDT
Ah, right, I'm blind.  Thank you!
Comment 25 Fedora Update System 2009-11-12 21:24:08 EST
texlive-2007-46.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2009-11-12 21:25:32 EST
texlive-2007-46.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.