Vincent Lefevre
2009-Mar-23 15:53 UTC
[Secure-testing-team] Bug#520920: texlive-base-bin: bibtex crashes on realloc (invalid next size)
Package: texlive-base-bin
Version: 2007.dfsg.2-5
Severity: grave
Tags: security
Justification: user security hole

(Note: I suppose that there's some memory corruption, that can lead to security problems, hence the severity.)

I've got the following error with bibtex (someone else here mentioned the same problem on a different machine, but on the same set of files, possibly a slightly different version). Unfortunately I don't have a simple testcase (I'll try to make one, but this may be difficult), and the files are private.

vin:~/private/fp_arith> pdfnlatex livre_fp.tex
Making backup of old .idx file: livre_fp.idx.bak.
Then makeindex...
This is makeindex, version 2.14 [02-Oct-2002] (kpathsea + Thai support).
Scanning input file livre_fp.idx....done (651 entries accepted, 0 rejected).
Sorting entries........done (6772 comparisons).
Generating output file livre_fp.ind....done (493 lines written, 0 warnings).
Output written in livre_fp.ind.
Transcript written in livre_fp.ilg.
Making backup of old .aux file: livre_fp.aux.bak
Need bibtex run before first pass...
This is BibTeX, Version 0.99c (Web2C 7.5.6)
The top-level auxiliary file: livre_fp.aux
A level-1 auxiliary file: preface.aux
A level-1 auxiliary file: ch_introduction.aux
A level-1 auxiliary file: ch_definitions.aux
A level-1 auxiliary file: ch_formats.aux
A level-1 auxiliary file: ch_smallalgs.aux
A level-1 auxiliary file: ch_fma.aux
A level-1 auxiliary file: ch_summation.aux
A level-1 auxiliary file: ch_languages.aux
A level-1 auxiliary file: ch_algorithms.aux
A level-1 auxiliary file: ch_hard.aux
A level-1 auxiliary file: ch_soft.aux
A level-1 auxiliary file: ch_elemfun.aux
A level-1 auxiliary file: ch_correctrounding.aux
A level-1 auxiliary file: ch_certifying.aux
A level-1 auxiliary file: ch_extending.aux
A level-1 auxiliary file: perspectives.aux
A level-1 auxiliary file: ch_nttools.aux
The style file: plain.bst
Database file #1: biblio.bib
*** glibc detected *** bibtex: realloc(): invalid next size: 0x0000000001d47d90 ***
======= Backtrace: =========
/lib64/libc.so.6[0x7f899a8c81b8]
/lib64/libc.so.6[0x7f899a8cc101]
/lib64/libc.so.6(realloc+0x12f)[0x7f899a8cce5f]
/usr/lib/libkpathsea.so.4(xrealloc+0xf)[0x7f899ae39d9f]
bibtex[0x40337a]
bibtex[0x40346d]
bibtex[0x40be45]
bibtex[0x40bb15]
bibtex[0x40bb15]
bibtex[0x40bb15]
bibtex[0x4109e2]
bibtex[0x412375]
bibtex[0x412676]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x7f899a8745a6]
bibtex[0x401239]
======= Memory map: ========
Abort (core dumped)

The backtrace:

vin:~/private/fp_arith> gdb =bibtex core
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(no debugging symbols found)
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libkpathsea.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libkpathsea.so.4
Reading symbols from /lib/libm.so.6...Reading symbols from /usr/lib/debug/lib/libm-2.9.so...done.
done.
Loaded symbols for /lib64/libm.so.6
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.9.so...done.
done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.9.so...done.
done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib64/libgcc_s.so.1
Core was generated by `bibtex livre_fp'.
Program terminated with signal 6, Aborted.
[New process 784]
#0  0x00007f899a888105 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
        in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x00007f899a888105 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007f899a889623 in *__GI_abort () at abort.c:88
#2  0x00007f899a8c2b18 in __libc_message (do_abort=2, fmt=0x7f899a972fa8 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00007f899a8c81b8 in malloc_printerr (action=2, str=0x7f899a97061d "realloc(): invalid next size", ptr=<value optimized out>) at malloc.c:5994
#4  0x00007f899a8cc101 in _int_realloc (av=0x0, oldmem=0x0, bytes=<value optimized out>) at malloc.c:4983
#5  0x00007f899a8cce5f in *__GI___libc_realloc (oldmem=0x1d47d90, bytes=130001) at malloc.c:3708
#6  0x00007f899ae39d9f in xrealloc () from /usr/lib/libkpathsea.so.4
#7  0x000000000040337a in ?? ()
#8  0x000000000040346d in ?? ()
#9  0x000000000040be45 in ?? ()
#10 0x000000000040bb15 in ?? ()
#11 0x000000000040bb15 in ?? ()
#12 0x000000000040bb15 in ?? ()
#13 0x00000000004109e2 in ?? ()
#14 0x0000000000412375 in ?? ()
#15 0x0000000000412676 in ?? ()
#16 0x00007f899a8745a6 in __libc_start_main (main=0x412660 <_IO_putc at plt+70760>, argc=2, ubp_av=0x7fffa325cd38, init=0x412e70 <_IO_putc at plt+72824>, fini=<value optimized out>, rtld_fini=<value optimized out>, stack_end=0x7fffa325cd28) at libc-start.c:222
#17 0x0000000000401239 in ?? ()
#18 0x00007fffa325cd28 in ?? ()
#19 0x000000000000001c in ?? ()
#20 0x0000000000000002 in ?? ()
#21 0x00007fffa325df92 in ?? ()
#22 0x00007fffa325df99 in ?? ()
#23 0x0000000000000000 in ?? ()
(gdb)

Note for my own use (to be able to reproduce this problem, as it is reproducible):

$ svn up -r1589
$ pdfnlatex livre_fp.tex
$ svn up -r1616
$ pdfnlatex livre_fp.tex

Any suggestion to identify the bug?

-- Package-specific info:
If you report an error when running one of the TeX-related binaries (latex, pdftex, metafont,...), or if the bug is related to bad or wrong output, please include a MINIMAL example input file that produces the error in your report. Don't forget to also include minimal examples of other files that are needed, e.g. bibtex databases. Often it also helps to include the logfile. Please, never send included pictures! If your example file isn't short or produces more than one page of output (except when multiple pages are needed to show the problem), you can probably minimize it further.
Instructions on how to do that can be found at
http://www.latex-einfuehrung.de/mini-en.html (english) or
http://www.latex-einfuehrung.de/mini.html (german)

##################################
minimal input file

##################################
other files

######################################
List of ls-R files
-rw-r--r-- 1 root root 1001 2009-03-23 00:51:03 /var/lib/texmf/ls-R
-rw-rw-r-- 1 root staff 79 2009-03-23 00:50:23 /usr/local/share/texmf/ls-R
lrwxrwxrwx 1 root root 29 2009-03-18 10:58:17 /usr/share/texmf/ls-R -> /var/lib/texmf/ls-R-TEXMFMAIN
lrwxrwxrwx 1 root root 27 2009-03-18 10:58:18 /usr/share/texmf-texlive/ls-R -> /var/lib/texmf/ls-R-TEXLIVE
lrwxrwxrwx 1 root root 27 2009-03-18 10:58:18 /usr/share/texmf-texlive/ls-R -> /var/lib/texmf/ls-R-TEXLIVE

######################################
Config files
lrwxrwxrwx 1 root root 20 2009-03-18 10:58:17 /usr/share/texmf/web2c/texmf.cnf -> /etc/texmf/texmf.cnf
-rw-r--r-- 1 root root 6351 2009-03-18 11:00:39 /var/lib/texmf/web2c/fmtutil.cnf
-rw-r--r-- 1 root root 10349 2009-03-19 22:05:34 /var/lib/texmf/web2c/updmap.cfg
-rw-r--r-- 1 root root 5288 2009-03-18 11:00:39 /var/lib/texmf/tex/generic/config/language.dat

######################################
Files in /etc/texmf/web2c/
total 4
-rw-r--r-- 1 root root 283 2006-12-11 19:48:14 mktex.cnf

######################################
md5sums of texmf.d

-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26.5-20080922 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages texlive-base-bin depends on:
ii  dpkg  1.14.25  Debian package management system
ii  ed  0.7-3  The classic unix line editor
ii  libc6  2.9-6  GNU C Library: Shared libraries
ii  libgcc1  1:4.3.3-5  GCC support library
ii  libkpathsea4  2007.dfsg.2-5  TeX Live: path search library for
ii  libncurses5  5.7+20090314-1  shared libraries for terminal hand
ii  libpng12-0  1.2.35-1  PNG library - runtime
ii  libpoppler4  0.10.4-3  PDF rendering library
ii  libstdc++6  4.3.3-5  The GNU Standard C++ Library v3
ii  libx11-6  2:1.2-1  X11 client-side library
ii  libxaw7  2:1.0.5-2  X11 Athena Widget library
ii  libxmu6  2:1.0.4-1  X11 miscellaneous utility library
ii  libxpm4  1:3.5.7-1  X11 pixmap library
ii  libxt6  1:1.0.5-3  X11 toolkit intrinsics library
ii  mime-support  3.44-1  MIME files 'mime.types' & 'mailcap
ii  perl  5.10.0-19  Larry Wall's Practical Extraction
ii  tex-common  1.17  common infrastructure for building
ii  texlive-common  2007.dfsg.2-2  TeX Live: Base component
ii  zlib1g  1:1.2.3.3.dfsg-13  compression library - runtime

Versions of packages texlive-base-bin recommends:
ii  texlive-base-bin-doc  2007.dfsg.2-5  TeX Live: Documentation files for

Versions of packages texlive-base-bin suggests:
ii  evince [postscript-viewer]  2.24.2-2  Document (postscript, pdf) viewer
ii  ghostscript [postscript-vie  8.64~dfsg-1  The GPL Ghostscript PostScript/PDF
ii  gv [postscript-viewer]  1:3.6.6.91-1  PostScript and PDF viewer for X
ii  perl-tk  1:804.028-3  Perl module providing the Tk graph
ii  xpdf-reader [pdf-viewer]  3.02-1.4  Portable Document Format (PDF) sui
ii  xpdf-utils [pdf-viewer]  3.02-1.4  Portable Document Format (PDF) sui

Versions of packages tex-common depends on:
ii  debconf [debconf-2.0]  1.5.26  Debian configuration management sy
ii  dpkg  1.14.25  Debian package management system
ii  ucf  3.0018  Update Configuration File: preserv

Versions of packages texlive-base-bin is related to:
pn  tetex-base  <none>  (no description available)
pn  tetex-bin  <none>  (no description available)
pn  tetex-extra  <none>  (no description available)
ii  tex-common  1.17  common infrastructure for building

-- debconf information:
  tex-common/check_texmf_wrong:
  tex-common/check_texmf_missing:
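The "realloc(): invalid next size" message in the report is glibc's heap-integrity check: before growing a chunk it reads the size header of the chunk that follows, and aborts when that header no longer holds a plausible value, which is what a write past the end of the preceding buffer leaves behind. The following is an added example, not bibtex or kpathsea code, that models that check on a hand-built two-chunk arena and shows an unchecked copy beside a bounds-checked one; the chunk sizes, arena size and plausibility bounds are simplified assumptions, not glibc's actual values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not bibtex/kpathsea code: a model of two adjacent heap
 * chunks, each an 8-byte size header followed by user data (as in glibc), so
 * B's header sits right after the last byte A may hold. Sizes are assumed. */
#define HDR 8
#define A_DATA 32
#define ARENA_BYTES 256
static unsigned char arena[ARENA_BYTES];
static unsigned char *chunk_a(void) { return arena + HDR; }
static unsigned char *hdr_b(void)   { return arena + HDR + A_DATA; }

static void arena_init(void) {
    uint64_t sa = A_DATA + HDR, sb = 64 + HDR;   /* B holds 64 data bytes */
    memset(arena, 0, sizeof arena);
    memcpy(arena, &sa, HDR);                     /* header of A */
    memcpy(hdr_b(), &sb, HDR);                   /* header of B */
}

/* The plausibility test glibc runs on the following chunk's size before it
 * reallocates A; a clobbered header fails it and the process aborts. */
static int next_size_valid(void) {
    uint64_t sb;
    memcpy(&sb, hdr_b(), HDR);
    return sb >= 2 * HDR && sb <= ARENA_BYTES;
}

/* Unchecked copy, the defect class behind the crash: a length larger than
 * A_DATA spills into B's header. Returns the number of bytes written. */
static size_t fill_unchecked(const char *src, size_t n) {
    memcpy(chunk_a(), src, n);
    return n;
}

/* Bounds-checked copy: refuse the write instead of corrupting B. */
static size_t fill_checked(const char *src, size_t n) {
    if (n > A_DATA) return 0;
    memcpy(chunk_a(), src, n);
    return n;
}

int main(void) {
    char big[40]; memset(big, 'A', sizeof big);
    arena_init(); fill_unchecked(big, sizeof big);
    printf("unchecked copy: next size valid = %d\n", next_size_valid());
    arena_init();
    printf("checked copy wrote %zu bytes: next size valid = %d\n", fill_checked(big, sizeof big), next_size_valid());
    return 0;
}
```

Running the real binary under valgrind or with MALLOC_CHECK_ set performs the equivalent check at every allocation call, which usually points at the writer of the overflowing buffer rather than at the later realloc() that merely detects the damage.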