Description of problem: A DVI file that contains a hypertex reference with a long title can trigger a stack-based buffer overflow of a statically sized char array when dvips is called with the -z argument. This could possibly result in arbitrary code execution if a user was tricked into opening a specially crafted DVI file. Additional info: This issue affects the versions of the tetex package as shipped with Red Hat Enterprise Linux 3 and 4. This issue has no security impact on the tetex package version as shipped in Red Hat Enterprise Linux 5, due to _FORTIFY_SOURCE protection that terminates the process before the memory corruption occurs. This issue has no security impact on texlive package versions as shipped with Fedora releases of 11 and 12, due to _FORTIFY_SOURCE protection that terminates the process before the memory corruption occurs. See the URL field for the original bug report from the Debian project.
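Added example (not part of the original report, and not dvips or Red Hat code): a triage check that walks a DVI command stream and reports unusually long hypertex specials before a file is handed to dvips -z. It assumes hypertex links are stored as DVI xxx specials beginning with "html:"; the 256-byte threshold and all function names are assumptions, since the report does not state the size of the affected buffer.

```python
# Added example: flag DVI `xxx` specials carrying long hypertex (html:) payloads.
ASSUMED_LIMIT = 256  # assumption: triage threshold, not dvips's real buffer size

def _operand_len(op):
    """Operand byte count for DVI opcodes with a fixed-size argument list."""
    if op <= 127 or op in (138, 140, 141, 142, 147, 152, 161, 166) or 171 <= op <= 234:
        return 0
    for base in (128, 133, 143, 148, 153, 157, 162, 167, 235):  # 1..4-byte forms
        if base <= op < base + 4:
            return op - base + 1
    fixed = {132: 8, 137: 8, 139: 44, 248: 28}  # set_rule, put_rule, bop, post
    if op in fixed:
        return fixed[op]
    raise ValueError(f"undefined DVI opcode {op}")

def long_html_specials(dvi, limit=ASSUMED_LIMIT):
    """Return (offset, length) for each html: special longer than `limit`."""
    hits, pos = [], 0
    try:
        while pos < len(dvi):
            start, op = pos, dvi[pos]
            pos += 1
            if 239 <= op <= 242:                      # xxx1..xxx4: k[n] x[k]
                n = op - 238
                k = int.from_bytes(dvi[pos:pos + n], "big")
                body = dvi[pos + n:pos + n + k]
                if len(body) != k:                    # declared length overruns the file
                    raise IndexError
                if body.lstrip().lower().startswith(b"html:") and k > limit:
                    hits.append((start, k))
                pos += n + k
            elif 243 <= op <= 246:                    # fnt_def1..4: k[n] c s d a l name
                n = op - 242
                pos += n + 14 + dvi[pos + n + 12] + dvi[pos + n + 13]
            elif op == 247:                           # pre: i num den mag k x[k]
                pos += 14 + dvi[pos + 13]
            elif op == 249:                           # post_post: end of commands
                break
            else:
                pos += _operand_len(op)
        if pos > len(dvi):                            # last operand ran past the end
            raise IndexError
    except IndexError:
        raise ValueError("truncated or malformed DVI data") from None
    return hits

def constructed_sample(title_len):
    """Constructed minimal DVI byte string with one hypertex special (test input)."""
    special = b'html:<a href="' + b"X" * title_len + b'">'
    pre = bytes([247, 2]) + bytes(12) + bytes([0])
    xxx = bytes([242]) + len(special).to_bytes(4, "big") + special
    return pre + bytes([139]) + bytes(44) + xxx + bytes([140, 249])
```

A hit only means the special is long enough to deserve a look; whether a given dvips build is affected depends on the package version, as described above.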
Created attachment 249461: Fix for dvips -z long href title stack overflow from Debian
The CVE identifier for this issue was requested.
Pinged Mitre about the need for CVE.
Fixed in rawhide. F8, F7, FC-6 pending.
tetex-3.0-44.2.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update tetex'
tetex-3.0-40.3.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update tetex'
tetex-3.0-40.3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
tetex-3.0-44.3.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
Reporter changed to security-response-team by request of Jay Turner.
Public reproducer from Debian bug tracking system: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447081
    \documentclass{article}
    \usepackage[hypertex]{hyperref}
    \begin{document}
    \href{/XXXX/XXXXXXX/XXX/XXXXX/XXXXXXXXXXXXXXX/XXXXXXX/XXXXXXXXXXXXXXXXX/XXXXXXXXXX XXXXXXXXXXXXXXXXXXX/XXXXXXXXXX XXXXX XXXXXXXXXXXXX - XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}{solot}
    \end{document}
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, via RHSA-2010:0399: https://rhn.redhat.com/errata/RHSA-2010-0399.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 3, via RHSA-2010:0401: https://rhn.redhat.com/errata/RHSA-2010-0401.html