t1utils 1.39 has been released, fixing a buffer overrun. Version 1.38 also fixed an infinite loop (possible DoS?). Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

The t1utils package has been updated to version 1.39, which fixes a buffer overrun. This update also fixes an infinite loop on some fonts which was fixed in version 1.38.

References:
https://github.com/kohler/t1utils/blob/master/NEWS
========================

Updated packages in core/updates_testing:
========================
t1utils-1.39-1.mga4 from t1utils-1.39-1.mga4.src.rpm
PoC for the buffer overrun is here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274

I confirmed the segfault with t1disasm before the update and it works fine after the update (command was t1disasm crash.pfb /dev/null).

The infinite loop bug was:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772774

Finally, a stack overflow fixed in 1.38:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724571

I confirmed the segfault before the update (t1disasm bkaiu67.pfb /dev/null) and it runs fine after the update.

I confirmed that it just runs and runs (command was t1disasm hang.pfb /dev/null) before the update, but exits immediately with an appropriate error after it:

t1disasm: hang.pfb corrupted: block short by 2147484812 bytes at position 6
t1disasm: hang.pfb corrupted: no end-of-file marker

For general testing I also played with different conversions using t1binary, t1ascii, t1asm, and t1disasm with /usr/share/fonts/default/ghostscript/bchb.pfa and some other font files.
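The "block short by ... bytes at position 6" message above is what a PFB reader prints when a segment's length field claims more data than the file holds; a reader that trusts that field instead can overrun its buffer or spin forever. As an added example (not code from t1utils or from the bug report), here is a minimal PFB segment walker in C that keeps the length unsigned and checks it against the remaining input before consuming anything, run over two constructed inputs: a well-formed file and a lone header whose length field decodes to the same 2147484812-byte shortfall quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (not the files from the bug report). GOOD_PFB is a
 * minimal well-formed PFB: a 4-byte ASCII segment, a 2-byte binary segment, EOF.
 * BAD_PFB is a single header with no body whose little-endian length field is
 * 0x8000048C = 2147484812, a value that is negative if read into a 32-bit int. */
static const uint8_t GOOD_PFB[] = {
    0x80, 0x01, 0x04, 0x00, 0x00, 0x00, '%', '!', 'P', 'S',
    0x80, 0x02, 0x02, 0x00, 0x00, 0x00, 0xAB, 0xCD,
    0x80, 0x03
};
static const uint8_t BAD_PFB[] = { 0x80, 0x01, 0x8C, 0x04, 0x00, 0x80 };

/* Walk the PFB segment chain: each header is 0x80, a type byte (1 = ASCII,
 * 2 = binary, 3 = EOF) and, except for EOF, a 4-byte little-endian length.
 * Returns the number of data segments on success; -1 if a segment claims more
 * bytes than remain (*short_by = shortfall, *at = offset of the segment body);
 * -2 if the input ends without an EOF marker; -3 on a bad or truncated header.
 * The length is compared against the remaining size before the body is
 * consumed, so a huge or "negative" length can neither overrun nor hang. */
int pfb_walk(const uint8_t *buf, size_t len, uint64_t *short_by, size_t *at)
{
    size_t pos = 0;
    int segments = 0;
    *short_by = 0; *at = 0;
    while (pos < len) {
        if (len - pos < 2 || buf[pos] != 0x80) return -3;
        uint8_t type = buf[pos + 1];
        if (type == 3) return segments;               /* EOF marker: done */
        if ((type != 1 && type != 2) || len - pos < 6) return -3;
        uint32_t n = (uint32_t)buf[pos + 2] | ((uint32_t)buf[pos + 3] << 8)
                   | ((uint32_t)buf[pos + 4] << 16) | ((uint32_t)buf[pos + 5] << 24);
        pos += 6;
        size_t avail = len - pos;
        if (n > avail) { *at = pos; *short_by = (uint64_t)n - avail; return -1; }
        pos += n;                                     /* safe: n <= avail */
        segments++;
    }
    return -2;                                        /* no end-of-file marker */
}

int main(void)
{
    uint64_t sb; size_t at;
    printf("good: %d segments\n", pfb_walk(GOOD_PFB, sizeof GOOD_PFB, &sb, &at));
    int r = pfb_walk(BAD_PFB, sizeof BAD_PFB, &sb, &at);
    printf("bad: status %d, block short by %llu bytes at position %zu\n",
           r, (unsigned long long)sb, at);
    return 0;
}
```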
Whiteboard: (none) => has_procedure MGA4-32-OK
Better advisory now that I know what the issues fixed are.

Advisory:
========================

Updated t1utils package fixes security vulnerabilities:

The t1utils package has been updated to version 1.39, which fixes a buffer overrun, infinite loop, and stack overflow in t1disasm.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724571
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772774
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
https://github.com/kohler/t1utils/blob/master/NEWS
Validating. Advisory uploaded. Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0167.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/641767/
(In reply to David Walser from comment #1)
> PoC for the buffer overrun is here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
>
> I confirmed the segfault with t1disasm before the update and it works fine
> after the update (command was t1disasm crash.pfb /dev/null).

CVE request for this one:
http://openwall.com/lists/oss-security/2015/05/13/9
(In reply to David Walser from comment #5)
> (In reply to David Walser from comment #1)
> > PoC for the buffer overrun is here:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779274
> >
> > I confirmed the segfault with t1disasm before the update and it works fine
> > after the update (command was t1disasm crash.pfb /dev/null).
>
> CVE request for this one:
> http://openwall.com/lists/oss-security/2015/05/13/9

CVE-2015-3905 has been assigned:
http://www.openwall.com/lists/oss-security/2015/05/22/10
Summary: t1utils new buffer overrun security issue => t1utils new buffer overrun security issue (CVE-2015-3905)
LWN reference with the CVE: http://lwn.net/Vulnerabilities/647209/