[tex-live] Updates to dviljk, in branch2007
Joachim Schrod
jschrod at acm.org
Tue Jul 3 12:09:28 CEST 2007
Hi,
A few minutes ago, I committed an update to dviljk to branch2007; it
shall go into the next TeX-Live update.
This update is all about security fixes:
1) dviljk did not check any memory bounds. Any read operation, any
string handling was done without bounds checking and could be
exploited for buffer overflows.
I discovered ca. 30 places where this happens and fixed all of
them. I did not do a full code review and therefore cannot
promise that there are not even more, but all occurrences of fread()
with arbitrary lengths, strcpy and friends, string copying by
"*dest++ = *src++", and other fixed array accesses are now
checked.
2) dviljk had a tempfile creation race condition, due to the usage of
tmpnam(). (There are more cases in the texk source tree, btw.)
Since mkstemp() cannot be utilized here, I changed the code to use
a temporary directory created with mkdtemp(). (If mkdtemp() is not
available, I fall back to using tmpnam(); it's not worse than
before.) At the same time, the temporary files (and directory) are
deleted now at the end of the program run.
The risk of these security issues is very low: One needs to construct
a DVI file that exploits these issues and convince a victim to print
it with dviljk. And then it can only do actions with the capabilities
of the calling user. Nevertheless, these are vulnerabilities, so we
decided that they should be committed to branch2007, for a quicker
release than the next TL DVD.
I would like to thank Karl, Norbert, and Frank for a focused and
productive off-list discussion on how to handle these security issues
best.
The complete changeset is available as
svn diff -r4533:4534 svn://tug.org/texlive/branches/branch2007/Build/source/texk/dviljk
But if you want to review the code, you're probably better off
with
svn diff -r4522:4531 svn://tug.org/texlive/trunk/Build/source/texk/dviljk/dvi2xx.c
or even with smaller diffs as fits the following log.
(dviljk/ChangeLog has been updated, too.)
------------------------------------------------------------------------
r4531 | jschrod | 2007-07-02 22:55:41 +0200 (Mon, 02 Jul 2007) | 4 lines
Security issue: Repaired tempfile creation race condition.
Include file special parsing does not access unrelated variables
any more.
------------------------------------------------------------------------
r4530 | jschrod | 2007-07-02 16:41:34 +0200 (Mon, 02 Jul 2007) | 4 lines
Interpret KPSE_TEX_HUSH "special" to ignore only unrecognized
specials, but still output warnings on recognized dviljk specials that
have wrong parameter values or other semantic errors.
------------------------------------------------------------------------
r4525 | jschrod | 2007-06-28 15:22:22 +0200 (Thu, 28 Jun 2007) | 2 lines
Fix core dump: Check mandatory parameters for psfile special.
------------------------------------------------------------------------
r4524 | jschrod | 2007-06-28 15:16:06 +0200 (Thu, 28 Jun 2007) | 3 lines
Fix more buffer overflows: Ghostscript command construction, read
from files into static arrays.
------------------------------------------------------------------------
r4523 | jschrod | 2007-06-28 13:34:05 +0200 (Thu, 28 Jun 2007) | 3 lines
Fix many buffer overflows, caused by unchecked string operations
and arbitrary access to arrays.
------------------------------------------------------------------------
r4522 | jschrod | 2007-06-28 12:47:07 +0200 (Thu, 28 Jun 2007) | 3 lines
Test commit rights. Incidentally, discard spaces at the end of
lines in files that I will change anyhow.
I will now work on special feature enhancements for dviljk, they will
only go into trunk/.
Best,
Joachim
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod at acm.org
Roedermark, Germany
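The two defensive patterns the post describes, bounds-checked handling of length-prefixed DVI special data and a scratch directory created with mkdtemp() and removed at the end of the run, as an added illustration in C. This is example code written for this page, not dviljk's own code, and it assumes a POSIX system where mkdtemp() is available (the tmpnam() fallback mentioned in the post is deliberately left out); the function names, the SPECIAL_MAX size and the sample byte strings are all constructed for the example.

```c
/* Added example (not dviljk's code): bounds-checked parsing of a DVI
 * "xxx" special and a mkdtemp() scratch directory with cleanup. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define SPECIAL_MAX 256   /* fixed-size destination, like a static array */

/* Constructed sample inputs (a DVI xxx special is a k-byte big-endian
 * length followed by that many bytes of special text). */
static const unsigned char sample_good[]  = { 5, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char sample_short[] = { 200, 'a', 'b' };  /* lies about its length */
static const unsigned char sample_xxx2[]  = { 0, 3, 'a', 'b', 'c' };
static char special_buf[SPECIAL_MAX];

/* Copy the payload of a special into dest. Returns the payload length,
 * or -1 when the length field itself runs past the input, the payload
 * runs past the input, or the payload (plus NUL) would not fit in dest.
 * The last check is what an unchecked "*dest++ = *src++" loop lacks. */
long read_special(const unsigned char *buf, size_t buflen, int k,
                  char *dest, size_t destsize)
{
    unsigned long len = 0;
    size_t i;

    if (k < 1 || k > 4 || (size_t)k > buflen)
        return -1;
    for (i = 0; i < (size_t)k; i++)
        len = (len << 8) | buf[i];
    if (len > buflen - (size_t)k)   /* declared length exceeds the data */
        return -1;
    if (len >= destsize)            /* would overflow the destination */
        return -1;
    memcpy(dest, buf + k, len);
    dest[len] = '\0';
    return (long)len;
}

/* Create a private scratch directory under $TMPDIR (or /tmp), mode 0700.
 * mkdtemp() picks the name and creates the directory in one step, so there
 * is no tmpnam()-style window between choosing a name and using it.
 * Returns 0 and fills path on success, -1 on failure. */
int make_scratch_dir(char *path, size_t pathsize)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(path, pathsize, "%s/dvilj-XXXXXX", base) >= (int)pathsize)
        return -1;                  /* template would not fit */
    return mkdtemp(path) == NULL ? -1 : 0;
}

/* Remove the files inside the scratch directory, then the directory.
 * Returns 0 when the directory is gone. */
int remove_scratch_dir(const char *path)
{
    char file[4200];
    struct dirent *ent;
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        if (snprintf(file, sizeof file, "%s/%s", path, ent->d_name) < (int)sizeof file)
            unlink(file);
    }
    closedir(d);
    return rmdir(path);
}

/* Create the directory, write the kind of intermediate file a driver
 * leaves behind, clean up, and report 1 if the directory is really gone. */
int scratch_dir_roundtrip(void)
{
    char dir[4096], file[4200];
    struct stat st;
    FILE *fp;

    if (make_scratch_dir(dir, sizeof dir) != 0)
        return 0;
    snprintf(file, sizeof file, "%s/page.pcl", dir);
    fp = fopen(file, "w");
    if (fp == NULL) { remove_scratch_dir(dir); return 0; }
    fputs("constructed scratch data\n", fp);  /* constructed content */
    fclose(fp);
    if (remove_scratch_dir(dir) != 0)
        return 0;
    return stat(dir, &st) != 0;
}

int main(void)
{
    long n = read_special(sample_good, sizeof sample_good, 1, special_buf, sizeof special_buf);
    printf("good special: %ld bytes, text \"%s\"\n", n, n >= 0 ? special_buf : "");
    n = read_special(sample_short, sizeof sample_short, 1, special_buf, sizeof special_buf);
    printf("lying length field: %s\n", n == -1 ? "rejected" : "accepted");
    printf("scratch directory round trip: %s\n", scratch_dir_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The parser checks the declared length against both the remaining input and the destination size before copying anything, which is the difference between a truncated or rejected special and a write past the end of a static array; the scratch directory is created and later removed as a unit, so intermediate files never outlive the run.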