| Summary: | t1utils new buffer overrun security issue (CVE-2015-3905) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/641767/ | ||
| Whiteboard: | has_procedure MGA4-32-OK advisory | ||
| Source RPM: | t1utils-1.37-3.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-04-17 16:50:52 CEST
PoC for the buffer overrun is here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274

I confirmed the segfault with t1disasm before the update and it works fine after the update (command was t1disasm crash.pfb /dev/null).

The infinite loop bug was: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772774

Finally, a stack overflow fixed in 1.38: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724571

I confirmed the segfault before the update (t1disasm bkaiu67.pfb /dev/null) and it runs fine after the update.

I confirmed that it just runs and runs (command was t1disasm hang.pfb /dev/null) before the update, but exits immediately with an appropriate error after it:

t1disasm: hang.pfb corrupted: block short by 2147484812 bytes at position 6
t1disasm: hang.pfb corrupted: no end-of-file marker

For general testing I also played with different conversions using t1binary, t1ascii, t1asm, and t1disasm with /usr/share/fonts/default/ghostscript/bchb.pfa and some other font files.

Whiteboard: (none) => has_procedure MGA4-32-OK

Better advisory now that I know what the issues fixed are.

Advisory:
========================

Updated t1utils package fixes security vulnerabilities:

The t1utils package has been updated to version 1.39, which fixes a buffer overrun, infinite loop, and stack overflow in t1disasm.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724571
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772774
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
https://github.com/kohler/t1utils/blob/master/NEWS

Validating. Advisory uploaded. Please push to 4 updates

Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0167.html

Status: NEW => RESOLVED

David Walser
2015-04-24 16:49:18 CEST

URL: (none) => http://lwn.net/Vulnerabilities/641767/

(In reply to David Walser from comment #1)
> PoC for the buffer overrun is here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
>
> I confirmed the segfault with t1disasm before the update and it works fine
> after the update (command was t1disasm crash.pfb /dev/null).

CVE request for this one:
http://openwall.com/lists/oss-security/2015/05/13/9

(In reply to David Walser from comment #5)
> (In reply to David Walser from comment #1)
> > PoC for the buffer overrun is here:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
> >
> > I confirmed the segfault with t1disasm before the update and it works fine
> > after the update (command was t1disasm crash.pfb /dev/null).
>
> CVE request for this one:
> http://openwall.com/lists/oss-security/2015/05/13/9

CVE-2015-3905 has been assigned:
http://www.openwall.com/lists/oss-security/2015/05/22/10

Summary: t1utils new buffer overrun security issue => t1utils new buffer overrun security issue (CVE-2015-3905)

LWN reference with the CVE: http://lwn.net/Vulnerabilities/647209/
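As an added example that is not part of this bug report or of t1utils: a POSIX sh regression check that reproduces the before/after QA runs described in the comments above (segfault on crash.pfb and bkaiu67.pfb, endless run on hang.pfb, and a clean "corrupted" error after the update). It assumes GNU coreutils timeout(1) on the PATH; the function names and the --run option are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or from t1utils: classify how a tool
# terminates on one input, reproducing the QA checks from the report above.
# Assumes GNU coreutils timeout(1) (exit 124 on expiry, 128+N when the
# command is killed by signal N).

# classify_run LIMIT_SECONDS COMMAND [ARGS...]
# Prints one word:
#   ok     exit status 0
#   error  non-zero exit (the clean "corrupted" diagnostic of the fixed t1disasm)
#   crash  killed by a signal, e.g. 139 = SIGSEGV from the buffer overrun
#   hang   still running when the limit expired (the infinite loop)
classify_run() {
    limit=$1; shift
    rc=0
    timeout "$limit" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -eq 124 ]; then
        echo hang
    elif [ "$rc" -ge 128 ]; then
        echo crash
    else
        echo error        # also 125-127: timeout itself or exec failed
    fi
}

# check_poc FILE: run t1disasm on one PoC font (as in the report) and return 0
# only when it was handled cleanly (ok or error), 1 on crash or hang.
check_poc() {
    result=$(classify_run 10 t1disasm "$1" /dev/null)
    printf '%s: %s\n' "$1" "$result"
    case "$result" in
        ok|error) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: ./check.sh --run in a directory holding the three PoC files named in
# the report; exits non-zero if any of them still crashes or hangs t1disasm.
if [ "${1:-}" = "--run" ]; then
    status=0
    for f in crash.pfb bkaiu67.pfb hang.pfb; do
        [ -f "$f" ] && { check_poc "$f" || status=1; }
    done
    exit "$status"
fi
```

Run it once against the old package and once against the updated one; only the "crash" and "hang" outcomes indicate the issues the advisory covers, while "error" is the expected result on corrupted input after the fix.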