| Summary: | t1lib missing security update for CVE-2010-2642 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | balcaen.john, davidwhodgins, fundawang, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | t1lib-5.1.2-9.mga1.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-01-01 20:12:52 CET
Hi, thanks for reporting this bug.
As there is no maintainer for this package I added the committers in CC.
(Please set the status to 'assigned' if you are working on it)

CC: (none) => balcaen.john, fundawang

Working on it for Mageia 1.

Status: NEW => ASSIGNED

Dear QA,
Could you please test the t1lib package:

src.rpm:
t1lib-5.1.2-9.1.mga1.src.rpm

x86_64:
lib64t1lib5-5.1.2-9.1.mga1.x86_64.rpm
lib64t1lib-devel-5.1.2-9.1.mga1.x86_64.rpm
lib64t1lib-static-devel-5.1.2-9.1.mga1.x86_64.rpm
t1lib-config-5.1.2-9.1.mga1.x86_64.rpm
t1lib-progs-5.1.2-9.1.mga1.x86_64.rpm

i586:
lib64t1lib5-5.1.2-9.1.mga1.i586.rpm
lib64t1lib-devel-5.1.2-9.1.mga1.i586.rpm
lib64t1lib-static-devel-5.1.2-9.1.mga1.i586.rpm
t1lib-config-5.1.2-9.1.mga1.i586.rpm
t1lib-progs-5.1.2-9.1.mga1.i586.rpm

Advisory:
Heap-based buffer overflow in the AFM font parser in the dvi-backend component in t1lib 5.1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer.
This package provides a fix for this issue.

Status: ASSIGNED => NEW

According to https://bugzilla.redhat.com/show_bug.cgi?id=666318 the exploit requires reading a .dvi file in evince with a malicious font installed, which doesn't seem to have been made public.

In trying to test evince with a .dvi file, I selected /usr/share/doc/iptraf/Documentation/manual.dvi from the iptraf package, but it doesn't display. Is that a badly formatted dvi file, or is support for dvi files a build time option that is disabled for the Mageia 1 version of evince? The evince program is working for pdf files.

According to "urpmq --whatrequires libt1lib5", it isn't required by evince, but is by abiword. Creating a document with abiword, and then running abiword to read the document under strace does show that it's loading /usr/lib/libt1.so.5, so it seems to be working ok.

CC: (none) => davidwhodgins

I just pushed another version with an additional CVE fix following oden's work.

src.rpm:
t1lib-5.1.2-9.2.mga1.src.rpm

x86_64:
lib64t1lib5-5.1.2-9.2.mga1.x86_64.rpm
lib64t1lib-devel-5.1.2-9.2.mga1.x86_64.rpm
lib64t1lib-static-devel-5.1.2-9.2.mga1.x86_64.rpm
t1lib-config-5.1.2-9.2.mga1.x86_64.rpm
t1lib-progs-5.1.2-9.1.mga1.x86_64.rpm

i586:
lib64t1lib5-5.1.2-9.2.mga1.i586.rpm
lib64t1lib-devel-5.1.2-9.2.mga1.i586.rpm
lib64t1lib-static-devel-5.1.2-9.2.mga1.i586.rpm
t1lib-config-5.1.2-9.2.mga1.i586.rpm
t1lib-progs-5.1.2-9.2.mga1.i586.rpm

New Advisory:
« Heap-based buffer overflow in the AFM font parser in the dvi-backend component in t1lib 5.1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font in conjunction with a DVI file that is processed by the thumbnailer (CVE-2010-2642).
An invalid pointer in conjunction with a dereference operation allows remote attackers to execute arbitrary code via a specially crafted Type 1 font in a PDF document (CVE-2011-0764).
This package contains fixes for both issues. »

Nice job catching the new CVE. I tested this on i586 with xpdf (looks like it's the only thing on my system that uses it). Created a doc in LibreOffice using Helvetica as the font (should be a URW Type 1 font), exported to PDF, and opened with xpdf. Looks fine.

x86_64
The following 5 packages are going to be installed:
- lib64t1lib-devel-5.1.2-9.2.mga1.x86_64
- lib64t1lib-static-devel-5.1.2-9.2.mga1.x86_64
- lib64t1lib5-5.1.2-9.2.mga1.x86_64
- t1lib-config-5.1.2-9.2.mga1.x86_64
- t1lib-progs-5.1.2-9.2.mga1.x86_64
$ strace -o strace.out abiword
$ grep t1 strace.out
open("/usr/lib64/libt1.so.5", O_RDONLY) = 7
$ rpm -qif /usr/lib64/libt1.so.5
Name : lib64t1lib5 Relocations: (not relocatable)
Version : 5.1.2 Vendor: Mageia.Org
Release : 9.2.mga1 Build Date: Tue 03 Jan 2012 11:11:52 GMT
Install Date: Mon 09 Jan 2012 10:34:42 GMT Build Host: jonund
Group : System/Libraries Source RPM: t1lib-5.1.2-9.2.mga1.src.rpm
Testing complete x86_64
Update validated
Advisory
-----------------
Heap-based buffer overflow in the AFM font parser in the dvi-backend component
in t1lib 5.1.2 allows remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted font in
conjunction with a DVI file that is processed by the thumbnailer
(CVE-2010-2642).
An invalid pointer in conjunction with a dereference operation allows remote
attackers to execute arbitrary code via a specially crafted Type 1 font in a
PDF document (CVE-2011-0764).
This package contains fixes for both issues.
-----------------
Source RPM: t1lib-5.1.2-9.2.mga1.src.rpm
Could sysadmin please push from core/updates_testing to core/updates
Thank you!

Keywords: (none) => validated_update

update pushed

Status: NEW => RESOLVED