A security flaw was found in bibtex, a tool for preparing bibliography for (La)Tex. An attacker could use this flaw to cause a denial of service (application crash), or, possibly cause memory corruption, by providing a big *.bib bibliography file for processing with the bibtex tool. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520920
Created attachment 336659 [details] Reproducer Scenario: 1, Untar provided archive 2, bibtex livre_fp.aux
This issue affects all versions of the tetex package, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5. This issue affects all versions of the texlive-2007 package, as shipped with Fedora releases of 9, 10, and devel.
It seems that the aux files just exceed the 65000 string pool size limit per one reallocation. Increasing pool size to a higher value could work-around the problem for a while but not really fix it.
Created attachment 357191 [details] upstream proposed patch to fix the issue Provided by Karl Berry with the following comments: Here's the patch I came up with. It seems Oren forgot to check for enough room in the string pool in the substring bst function. I'll tell him so he can fix it in bibtex 1.0 :). I think this is worth applying to rawhide, but beyond that upstream doesn't see much in the way of a security issue here.
This has been assigned CVE-2009-1284. I still don't feel this is worth an update and have adjusted the impact to low. Jindrich, can you ensure the patch noted in comment #16 gets applied to Fedora 12 please? Thanks.
The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/
texlive-2007-45.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/texlive-2007-45.fc12
texlive-2007-45.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/texlive-2007-45.fc11
texlive-2007-45.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/texlive-2007-45.fc10
Jindrich, what fix was applied in texlive-2007-45? Just a pool size bump mentioned in comment #5?
Tomas, I applied the upstream patch noted in comment #16 and removed the pool size bump as it shouldn't be needed now. The upstream version looks more general solution to me.
Ah, right, I'm blind. Thank you!
texlive-2007-46.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
texlive-2007-46.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.